• Netizen: Monday Security Brief (3/3/2024)

    Today’s Topics:

    • Microsoft Uncovers Cybercriminal Network Behind AI Abuse Scheme
    • Chinese APT Exploits VPN Vulnerability to Infiltrate Global OT Organizations
    • How can Netizen help?

    Microsoft Uncovers Cybercriminal Network Behind AI Abuse Scheme

    Microsoft has identified and exposed a cybercrime network responsible for illicitly accessing and manipulating Azure OpenAI services to generate harmful content. The operation, dubbed LLMjacking, involves cybercriminals who hijacked API keys and exploited stolen credentials to bypass AI safety mechanisms, ultimately selling unauthorized access to malicious actors.

    Microsoft has been tracking this cybercrime operation under the name Storm-2139, revealing that the group accessed AI services through compromised credentials scraped from public sources. The actors modified the capabilities of Microsoft’s Azure OpenAI services and resold access, providing customers with tools and instructions to generate illicit content, including non-consensual intimate images and other harmful synthetic media.

    This discovery comes as part of an ongoing legal battle against AI abuse, with Microsoft securing a court order to take down aitism[.]net, a website central to the group’s operations. The company is pursuing legal action against multiple individuals involved in the scheme.

    Microsoft named four individuals linked to Storm-2139, spanning multiple countries:

    • Arian Yadegarnia (“Fiz”) – Iran
    • Alan Krysiak (“Drago”) – United Kingdom
    • Ricky Yuen (“cg-dot”) – Hong Kong, China
    • Phát Phùng Tấn (“Asakuri”) – Vietnam

    Additionally, Microsoft has identified two individuals based in the U.S., withholding their identities due to ongoing criminal investigations. The network consists of creators who develop AI abuse tools, providers who distribute and modify them, and end users who exploit AI for malicious purposes.

    Several other unnamed individuals across the U.S., Europe, Russia, Turkey, and Latin America have also been linked to the operation.

    Microsoft’s Digital Crimes Unit (DCU) continues to collaborate with law enforcement and regulatory bodies to combat AI abuse. The exposure of Storm-2139 serves as a warning to cybercriminals attempting to weaponize AI for illegal purposes.

    As AI technology evolves, organizations must prioritize security measures to prevent unauthorized access, ensure compliance with usage policies, and mitigate the risks associated with AI-driven cybercrime.


    Chinese APT Exploits VPN Vulnerability to Infiltrate Global OT Organizations


    A Chinese state-sponsored hacking group has been exploiting a vulnerability in Check Point’s security gateways to breach operational technology (OT) organizations worldwide. The cyber espionage campaign, attributed with low confidence to APT41 (also known as Winnti), has primarily targeted supply chain manufacturers in the aerospace and aviation sectors.

    The attackers leveraged CVE-2024-24919, a high-severity path traversal vulnerability in Check Point security gateways. This flaw, disclosed and patched in May 2024, allows unauthenticated attackers to access restricted files and extract password hashes. Once decrypted, these credentials enable full control over affected systems, allowing the threat actors to move laterally across networks and escalate privileges.
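    The bulletin's advice is to monitor for indicators of compromise. As an added example (not code from Netizen or Check Point), the following Python scans web-gateway access logs for the generic signature of a path traversal attempt: ".." segments that survive percent-decoding, including double-encoded forms, and whether the decoded path actually climbs above the web root. The log lines are constructed for illustration and the log format is an assumption; real gateway logs will need their own parser, but the path analysis is format-independent.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a generic combined-log shape. These are not real
# Check Point gateway logs and the paths are illustrative; the log format is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Feb/2025:10:01:02 +0000] "GET /portal/login HTTP/1.1" 200
203.0.113.10 - - [28/Feb/2025:10:01:05 +0000] "GET /portal/../../etc/passwd HTTP/1.1" 200
198.51.100.7 - - [28/Feb/2025:10:02:11 +0000] "GET /portal/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403
198.51.100.7 - - [28/Feb/2025:10:02:12 +0000] "GET /portal/%252e%252e/config HTTP/1.1" 404
192.0.2.44 - - [28/Feb/2025:10:03:00 +0000] "GET /static/img/logo.png HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as %252e are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyse_path(raw_path):
    """Classify a request path: does it contain '..' segments after decoding, and does it
    climb above the web root? Backslashes are treated as separators as well."""
    decoded = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    depth, traversal, escapes = 0, False, False
    for seg in decoded.split("/"):
        if seg == "..":
            traversal = True
            depth -= 1
            if depth < 0:
                escapes = True
        elif seg and seg != ".":
            depth += 1
    return {"decoded": decoded, "traversal": traversal, "escapes_root": escapes}


def scan_log(text):
    """Return one record per log line whose request path contains a traversal sequence."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyse_path(m.group("path"))
        if verdict["traversal"]:
            findings.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "decoded": verdict["decoded"],
                "escapes_root": verdict["escapes_root"],
                # a 2xx/3xx on a traversal request means the gateway served it: top priority
                "served": int(m.group("status")) < 400,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

    The distinction between "contains a traversal sequence" and "escapes the root" matters for triage: the first is worth an alert on an unauthenticated endpoint, the second combined with a success status is the line to investigate first. A single-pass decoder would miss the double-encoded request in the fourth sample line, which is why decoding is repeated (with a bound, so a malformed request cannot loop the scanner).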

    Check Point researchers observed that the hackers installed the modular ShadowPad backdoor after gaining access. While there was no evidence of disruptive activity, the primary goal appears to be exfiltrating intellectual property from high-value OT organizations.

    The campaign has impacted dozens of organizations across the U.S., Latin America, Europe, the Middle East, and Africa. Notably, 20% of identified victims were based in Mexico. Many of the targeted companies supply critical aerospace and aviation manufacturers, making them attractive targets for espionage.

    However, the attackers did not limit themselves to a single industry. Utilities, finance companies in Africa, and smaller OT organizations were also compromised. Some of these may have been secondary targets, exploited as stepping stones to gain access to more valuable networks.

    While large manufacturers are often assumed to be primary targets, Check Point researchers found that many victims were small businesses with limited cybersecurity resources. These companies often lack dedicated security personnel and may rely on a single IT employee to handle security, infrastructure, and other responsibilities.

    As a result, many small OT organizations fail to apply patches promptly, making them easy targets for advanced persistent threats (APTs). The attackers capitalize on these weaknesses, gaining footholds in supply chains that connect to larger, more secure entities.

    The breach highlights the urgent need for better cybersecurity measures within OT environments, particularly among smaller manufacturers. Organizations using Check Point security gateways should ensure they have applied the latest patches and monitor for indicators of compromise (IoCs).

    Additionally, OT organizations must adopt proactive security practices, including network segmentation, regular vulnerability assessments, and endpoint detection and response (EDR) solutions to detect and prevent lateral movement within compromised networks.

    As advanced threat actors continue to exploit known vulnerabilities, organizations—large and small—must prioritize security hygiene to mitigate the risk of cyber espionage.


    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Netizen: February 2025 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. Prompt patching and remediation of any new vulnerabilities is critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from February that should be immediately patched or addressed if present in your environment. Detailed writeups are below:


    CVE-2025-21391

    CVE-2025-21391 is a high-severity elevation of privilege vulnerability affecting Windows Storage. This flaw was disclosed as part of Microsoft’s February 2025 Patch Tuesday update, which addressed 55 CVEs, including three critical vulnerabilities and four zero-days—two of which were actively exploited in the wild. Attackers who successfully exploit this vulnerability could gain elevated privileges, potentially allowing them to execute arbitrary code with higher system access.

    Given its high risk, organizations should prioritize patching affected Windows systems to prevent potential exploitation. Unpatched systems could be leveraged by attackers to escalate privileges, bypass security measures, and gain deeper access to networks. Security teams should review Microsoft’s official guidance and deploy the necessary updates immediately to mitigate any threats associated with this vulnerability.


    CVE-2025-21418

    CVE-2025-21418 is a high-severity elevation of privilege vulnerability affecting the Windows Ancillary Function Driver for WinSock. CVE-2025-21418 has a CVSS v3 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it is a local privilege escalation (LPE) vulnerability with a high impact on confidentiality, integrity, and availability.

    Exploiting this vulnerability could allow an attacker to escalate privileges on a compromised system, potentially leading to unauthorized access or system control. This makes it a significant concern for organizations, particularly those running unpatched Windows systems.

    Security teams should prioritize applying the relevant security patches provided by Microsoft to mitigate the risk. Organizations are also advised to review Microsoft’s official security guidance and consider implementing additional endpoint protection measures to detect and prevent privilege escalation attempts.


    CVE-2025-21376

    CVE-2025-21376 is a high-severity vulnerability in Windows’ Lightweight Directory Access Protocol (LDAP) service, which could allow remote code execution. The vulnerability is rated with a CVSS v3 base score of 8.1, indicating its high impact on affected systems.

    An attacker exploiting this vulnerability could remotely execute arbitrary code on a vulnerable system, potentially leading to a compromise. This would require no user interaction, making it particularly dangerous in environments where systems are exposed to untrusted networks. Given the severity of the issue, organizations are urged to apply the necessary patches promptly to mitigate the risk.

    Microsoft’s advisory provides further technical details on how to address the issue, and the vulnerability has been added to the CISA’s Known Exploited Vulnerabilities Catalog. Security teams should prioritize patching vulnerable LDAP services and consider implementing additional security measures to detect and block exploitation attempts.


    CVE-2025-21377

    CVE-2025-21377 is a medium-severity vulnerability in Windows that involves NTLM hash disclosure through spoofing. This issue, which was addressed in Microsoft’s February 2025 Patch Tuesday update, can potentially allow attackers to retrieve NTLM hashes under specific conditions. However, the attack requires user interaction, making it less critical compared to vulnerabilities that do not need user involvement.

    The vulnerability has a CVSS v3 base score of 6.5, which indicates that while the risk is notable, it is not as high as other severe vulnerabilities. The CVSS v2 base score is higher at 7.8, reflecting the potential impact on systems, though the requirement for user interaction reduces the overall exploitability of the flaw.

    The flaw could allow an attacker to spoof certain network traffic and extract NTLM hashes, which could then be used in offline attacks to compromise the system. While the severity is considered medium, organizations should still apply the necessary patches to prevent possible exploitation, especially if they have a large number of users with access to sensitive systems or credentials.


    CVE-2025-21381

    CVE-2025-21381 is a high-severity vulnerability in Microsoft Excel that could lead to remote code execution (RCE). This issue, disclosed as part of Microsoft’s February 2025 Patch Tuesday, arises from a flaw in Excel’s handling of files. If exploited, an attacker could craft a specially designed Excel file that, when opened by the user, could allow the attacker to execute arbitrary code on the victim’s machine.

    The vulnerability has a CVSS v3 base score of 7.8, indicating a high level of risk, with the potential for significant damage if successfully exploited. The attack requires user interaction, as the victim must open the malicious file, but once opened, the attacker could gain the same privileges as the user running the application, potentially compromising sensitive data and system integrity. The CVSS v2 score is 7.2, suggesting a medium-high risk but less severe than the v3 score.

    Given the ease of exploitation through social engineering (such as convincing the victim to open a malicious Excel document), it is important for organizations to deploy patches as soon as possible to mitigate the risk associated with this vulnerability.




  • Netizen Cybersecurity Bulletin (February 27th, 2025)

    Overview:

    • Phish Tale of the Week
    • Bybit Suffers $1.5 Billion Cryptocurrency Heist, Linked to North Korean Lazarus Group
    • DISA Data Breach Exposes Personal Information of 3.3 Million Individuals
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes, phishing campaigns created by malicious actors target users through social engineering. For example, in this text message, the actors pose as an unnamed company. They’re texting us to ask whether we’re looking for a remote job and insisting that it’s imperative that we click the link below. It seems both urgent and genuine, so why shouldn’t we? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to fall for this phish:

    1. The first warning sign for this SMS is the context in which it was sent. When I received this SMS, I immediately knew not to click on the link because I had not recently inquired anywhere about remote work; real companies looking to recruit qualified employees would not reach out to phone numbers in this way. On top of that, it’s very apparent that this message was blasted out to random numbers: it doesn’t even include my name or attempt to provide any level of familiarity.
    2. The second warning sign in this message is the messaging. It tries to create a sense of opportunity and urgency to get you to take action, using language such as “potential role opportunity.” Phishing and smishing scams commonly try to create a sense of urgency or confusion so that you click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of a text before following a link or opening an attachment sent through SMS.
    3. The final warning sign for this message is the wording; in our case the smisher misspelled the word “opportunity.” All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, Social Security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, Social Security number, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
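    The three warning signs and the recommendations above can be turned into a checklist that a mail or SMS gateway (or a user-awareness tool) applies automatically. As an added example that is not part of the bulletin, the following Python scores a text message against those heuristics: unknown sender, no personalisation, urgency language, common misspellings, non-HTTPS links, and link domains outside the ones the recipient actually uses. The two sample messages, the sender numbers, the contact list and the allow-listed domain are all constructed for the example (the first sample is modelled on the bulletin's description, not its actual text).

```python
import re
from urllib.parse import urlparse

# Constructed sample messages; the sender numbers and URLs are fake.
SAMPLES = [
    {"sender": "+15550100123", "recipient_name": "Alex",
     "text": "Hi! Are you looking for a remote job? We have a potential role oportunity for you, "
             "you must respond today: http://jobs-remote-offer.example/apply"},
    {"sender": "+15550100999", "recipient_name": "Alex",
     "text": "Hi Alex, your dentist appointment is confirmed for Tuesday at 10am. "
             "Details: https://portal.example-dental.com/appointments"},
]

# Assumed allow-list: domains the recipient actually does business with.
KNOWN_DOMAINS = {"example-dental.com"}
# Assumed: numbers saved in the recipient's contacts.
KNOWN_SENDERS = {"+15550100999"}

URGENCY = ("must", "immediately", "today", "urgent", "act now", "imperative", "final notice")
MISSPELLINGS = {"oportunity": "opportunity", "recieve": "receive", "verfiy": "verify"}
URL_RE = re.compile(r"https?://\S+")


def registered_domain(host):
    """Crude registrable-domain extraction (last two labels); enough for an allow-list check."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(msg):
    """Return (score, reasons). Each heuristic mirrors a warning sign from the bulletin."""
    text = msg["text"]
    lower = text.lower()
    reasons = []

    # 1. Context: unknown sender and no personalisation
    if msg["sender"] not in KNOWN_SENDERS:
        reasons.append("sender not in contacts")
    if msg["recipient_name"].lower() not in lower:
        reasons.append("no personalisation (recipient name absent)")

    # 2. Messaging: urgency / pressure language
    hits = [w for w in URGENCY if w in lower]
    if hits:
        reasons.append(f"urgency language: {hits}")

    # 3. Wording: common misspellings
    bad = [w for w in MISSPELLINGS if re.search(rf"\b{w}\b", lower)]
    if bad:
        reasons.append(f"misspellings: {bad}")

    # Link checks: HTTPS, and whether the domain is one the recipient actually uses
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            reasons.append(f"link is not HTTPS: {url}")
        if registered_domain(parsed.hostname or "") not in KNOWN_DOMAINS:
            reasons.append(f"link domain not recognised: {parsed.hostname}")
    return len(reasons), reasons


def is_suspicious(msg, threshold=3):
    """Three or more independent signals is a reasonable default for flagging a message."""
    return score_message(msg)[0] >= threshold


if __name__ == "__main__":
    for sample in SAMPLES:
        score, why = score_message(sample)
        print(score, is_suspicious(sample), why)
```

    Any one of these signals is weak on its own (plenty of legitimate reminders say "today"), which is why the decision is made on the count of independent signals rather than on a single match; the reasons list is what a user-facing warning should show so that people learn to spot the pattern themselves.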


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Bybit Suffers $1.5 Billion Cryptocurrency Heist, Linked to North Korean Lazarus Group

    Bybit, a major cryptocurrency exchange, has fallen victim to what is being described as the largest cryptocurrency heist in history, with hackers stealing approximately 400,000 Ethereum (ETH and stETH), valued at nearly $1.5 billion. Security experts have linked the attack to North Korea’s notorious Lazarus Group, a state-sponsored cybercrime syndicate known for targeting financial institutions and cryptocurrency platforms.

    The attack, which came to light over the weekend, exploited a vulnerability during the transfer of ETH from Bybit’s cold wallet to a warm wallet. The hackers manipulated the user interface, making it appear as though the transaction was legitimate while secretly altering the smart contract logic. This allowed them to take control of the cold wallet and reroute assets to addresses they controlled.

    Cybersecurity firm Check Point suggests that the attackers likely identified and compromised multisig signers—individuals responsible for approving transactions—by deploying malware, phishing, or a supply chain attack to gain unauthorized access.

    Bybit has been actively working to recover the stolen assets, with nearly $43 million already retrieved thanks to various cryptocurrency services freezing flagged funds. The company has launched a “recovery bug bounty program,” offering rewards of up to 10% of the recovered funds to those who assist in the retrieval process. Bybit has reassured users that all assets remain backed and that the company remains financially stable, even if the full amount is not recovered.

    Blockchain security analysts, including ZachXBT, were among the first to identify links between the Bybit hack and the Lazarus Group. Investigators from TRM Labs confirmed this assessment “with high confidence,” citing strong overlaps between the wallets used in this attack and those involved in previous North Korean crypto heists.

    Elliptic, another leading blockchain intelligence firm, also attributed the attack to Lazarus based on the laundering techniques used by the hackers. Within two hours of the breach, the stolen Ethereum was split into 50 different wallets and gradually emptied through centralized and decentralized exchanges, as well as cross-chain bridges. The attackers have been steadily converting the stolen ETH into Bitcoin, a tactic previously observed in Lazarus-linked operations.

    The Bybit heist is the latest in a series of large-scale cryptocurrency thefts attributed to North Korea. In 2024, the FBI officially accused North Korean hackers of stealing $308 million from Bitcoin.DMM.com, while the infamous $600 million Ronin bridge hack was also linked to Lazarus.

    Recent estimates from the US, Japan, and South Korea indicate that North Korean hackers stole approximately $660 million in cryptocurrency in 2024 alone, further cementing the regime’s reliance on cybercrime to fund its illicit activities.



    DISA Data Breach Exposes Personal Information of 3.3 Million Individuals

    DISA Global Solutions, a Texas-based provider of background screening and drug testing services, has disclosed a major data breach affecting over 3.3 million individuals. The breach, which occurred in early 2024, exposed sensitive personal information, including Social Security numbers, driver’s license details, and financial account data.

    According to DISA, the intrusion was detected on April 22, 2024, but forensic investigations determined that hackers had gained access to a portion of its network as early as February 9, 2024. The company has since undertaken a comprehensive review of the stolen files to identify affected individuals and assess the scope of the breach.

    A public notice posted on DISA’s website confirms that impacted individuals will receive notifications and be offered one year of free credit monitoring and identity restoration services. However, DISA has not observed any confirmed misuse of the stolen data at this time.

    While the exact nature of the cyberattack remains unclear, no known ransomware group has claimed responsibility for the incident. DISA, which serves more than 55,000 businesses and conducts millions of screenings annually, has not disclosed whether the breach was the result of a ransomware attack or another form of cyber intrusion.

    DISA has assured stakeholders that it is working to strengthen its security posture to prevent future incidents.





  • Orange Group Data Breach Exposes 380,000 Emails, Contracts, and Payment Details

    French telecommunications giant Orange Group has confirmed a security breach after a hacker leaked company documents online, revealing sensitive user and employee data. The hacker, known as “Rey” and affiliated with the HellCat ransomware group, attempted to extort the company before making the stolen data public.


    Details of the Breach

    According to the hacker’s claims on a cybercriminal forum, the breach primarily affected Orange’s Romanian division. The stolen data reportedly includes:

    • 380,000 unique email addresses
    • Source code
    • Invoices and contracts
    • Customer and employee information
    • Partial payment card details from Romanian customers

    Rey stated that the attack was not a ransomware operation and that they had access to Orange’s internal systems for over a month. They exfiltrated nearly 12,000 files, amounting to approximately 6.5GB of data, in a three-hour window without being detected.

    The breach was allegedly carried out by exploiting compromised credentials and vulnerabilities in Orange’s Jira software and internal portals. The hacker claims to have left a ransom note in the compromised system, but the company did not engage in negotiations.


    Orange Group’s Response

    In a statement to BleepingComputer, Orange confirmed the breach but emphasized that it impacted a “non-critical back-office application” and did not disrupt customer operations.

    “Orange can confirm that our operations in Romania have been the target of a cyberattack. We took immediate action, and our top priority remains protecting the data and interests of our employees, customers, and partners. There has been no impact on customers’ operations, and the breach was found to occur on a non-critical back-office application.”

    The company has launched an internal investigation and is working to assess the extent of the breach while implementing measures to mitigate its impact. Additionally, Orange is complying with all legal obligations and cooperating with relevant authorities to address the situation.


    Connection to HellCat Ransomware Group

    Although Rey claims to have breached Orange independently, they are affiliated with the HellCat ransomware group, which has previously targeted major corporations, including Schneider Electric and Spanish telecommunications firm Telefónica. In both cases, the attackers leveraged Jira server vulnerabilities to steal corporate data.


    Potential Impact

    Some of the leaked email addresses belong to former employees, contractors, and partners, with records dating back more than five years. Additionally, much of the exposed payment card information appears to have expired. However, the presence of customer and employee data still raises concerns over potential identity theft, phishing campaigns, and further cyberattacks.


    Ongoing Investigation

    Orange Group continues to investigate the breach, with its cybersecurity teams working to secure affected systems and prevent future attacks. The company has pledged to provide updates as more details emerge.

    This incident highlights the growing threat of cybercriminals exploiting vulnerabilities in enterprise software to gain unauthorized access to corporate networks. Organizations must remain vigilant in securing their systems, regularly updating software, and enforcing strong authentication measures to prevent similar attacks.




  • Netizen: Monday Security Brief (2/24/2024)

    Today’s Topics:

    • Google Cloud Introduces Quantum-Safe Digital Signatures to Strengthen Encryption
    • Microsoft’s Majorana 1 Chip and the Implications for Quantum Decryption
    • How can Netizen help?

    Google Cloud Introduces Quantum-Safe Digital Signatures to Strengthen Encryption

    Google Cloud has announced the introduction of quantum-safe digital signatures in its Cloud Key Management Service (Cloud KMS), marking a significant step toward post-quantum cryptographic security. Currently available in preview, this update aligns with the National Institute of Standards and Technology’s (NIST) post-quantum cryptography (PQC) standards, addressing concerns over future quantum computing threats.

    Cloud KMS is a widely used encryption key management tool designed for securely generating, storing, and managing cryptographic keys for data encryption and digital signatures. Until now, it has relied on conventional public-key cryptography methods such as RSA and ECC, which remain vulnerable to potential quantum computing attacks.

    A growing concern in the cybersecurity world is the “harvest now, decrypt later” (HNDL) strategy, where attackers collect encrypted data today, anticipating future quantum computers capable of breaking classical encryption. With Microsoft’s recent breakthrough in Majorana qubits—a key development toward scalable quantum computing—organizations must begin adopting quantum-resistant security measures.

    To mitigate these risks, Google Cloud has now integrated two quantum-resistant digital signature algorithms into Cloud KMS and its Cloud HSM (Hardware Security Modules):

    • ML-DSA-65 (FIPS 204) – A lattice-based digital signature algorithm.
    • SLH-DSA-SHA2-128S (FIPS 205) – A stateless hash-based digital signature algorithm.

    These new cryptographic mechanisms are designed to future-proof digital security, allowing customers to sign and verify signatures with quantum-resistant algorithms in the same way they would with traditional cryptography.

    In addition, Google is ensuring transparency by making these cryptographic implementations open-source via the BoringCrypto and Tink libraries, allowing independent audits and security reviews.

    Google Cloud’s quantum-safe encryption initiative is particularly critical for industries handling sensitive data, including financial institutions, government agencies, and critical infrastructure operators. The introduction of PQC in Cloud KMS will help organizations prepare for the post-quantum era while maintaining secure data encryption and integrity.

    Google is inviting businesses and security teams to begin testing and integrating these algorithms into their existing security infrastructure and provide feedback to refine the technology before its full rollout. With quantum computing advancing rapidly, early adoption of PQC solutions is becoming an essential part of long-term cybersecurity strategies.


    Microsoft’s Majorana 1 Chip and the Implications for Quantum Decryption


    Microsoft has unveiled the Majorana 1, the world’s first quantum processing unit utilizing topological qubits, which it claims can scale to one million qubits on a single chip. While this represents a significant technical breakthrough, security experts are now questioning whether it accelerates the timeline for quantum computing—bringing us closer to the moment when quantum machines will be powerful enough to break public-key encryption (PKE).

    Quantum computing has the potential to revolutionize industries by solving complex problems beyond the reach of classical computers. It could lead to breakthroughs in medicine, agriculture, material science, and artificial intelligence. However, before these innovations materialize, the first and most immediate concern for cybersecurity professionals is the threat to encryption.

    Current cryptographic standards rely on PKE, which is mathematically difficult to break using classical computers. Quantum computers, however, could use Shor’s algorithm to quickly factor large numbers and decrypt data that was once considered secure. This is why security researchers have been warning of a “harvest now, decrypt later” (HNDL) approach, where adversaries collect encrypted data today in anticipation of breaking it once a cryptanalytically relevant quantum computer (CRQC) becomes available.

    Most quantum computing research has focused on superconducting or trapped ion qubits, but these approaches suffer from high error rates due to environmental noise. Topological qubits, like those used in Majorana 1, offer a more stable and error-resistant alternative by encoding information in the topology of a physical system rather than in individual particles.

    This increased stability means fewer error-correcting qubits are required, potentially paving the way for more scalable quantum computers. Microsoft has described the Majorana 1 as a “topoconductor”, effectively a transistor for the quantum computing era, and claims that it can fit a million qubits on a single, palm-sized chip.

    The key question is whether this breakthrough accelerates the development of a cryptanalytically relevant quantum computer—one capable of breaking classical encryption.

    Troy Nelson, CTO at Lastwall, suggests that the technology could rival the silicon transistor, which transformed modern computing. However, he warns that scalability and economic viability remain significant challenges.

    Rebecca Krauthamer, CEO of QuSecure, acknowledges that error correction and infrastructure development still need to be addressed. However, she believes that if Microsoft can demonstrate a path to scalability, it could significantly shorten the timeline for quantum decryption.

    Carl Froggett, CISO at Deep Instinct, notes that Microsoft’s announcement accelerates the collision between quantum computing and AI, which could disrupt traditional cybersecurity practices.

    However, some experts remain skeptical. Scott Aaronson, a quantum computing researcher at the University of Texas, argues that topological qubits are only now reaching the stage where traditional qubits were 20–30 years ago. Unless they prove vastly superior in reliability, they may struggle to leapfrog existing approaches.

    While the timeline for quantum decryption remains uncertain, one thing is clear: organizations need to start migrating to quantum-resistant encryption now.

    Phil Venables, Google Cloud’s CISO, warns that even if quantum computing is still seven to ten years away, organizations should not delay migration to post-quantum cryptography (PQC). The transition will be complex, and waiting too long could leave critical data exposed.

    Marc Manzano, General Manager for Cybersecurity at SandboxAQ, echoes this urgency: “As we approach the ‘quantum cliff’, organizations must identify and secure cryptographic assets before scalable quantum machines break today’s encryption. The window for migration is shrinking, and a reactive approach is not an option.”

    Microsoft’s Majorana 1 chip represents a major technical milestone in quantum computing, but its direct impact on the timeline for quantum decryption remains uncertain. While the technology shows promise in stabilizing qubits, whether it will outpace existing quantum approaches is still unclear.

    However, one fact remains unchanged—the need for organizations to prepare for quantum threats today. The migration to quantum-safe cryptographic standards is already critical, and businesses that fail to act now risk being caught unprepared when quantum computing reaches a breakthrough.


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • UK Government Forces Apple to Disable Advanced Data Protection

    Apple has confirmed that it will no longer offer its Advanced Data Protection (ADP) feature for iCloud in the United Kingdom, following a secret government order demanding backdoor access to encrypted cloud data.

    ADP, an optional feature introduced in December 2022, provides end-to-end encryption for iCloud backups, ensuring that only the user can decrypt their data on trusted devices. However, as of today, new users in the UK will no longer be able to enable this security feature.


    Apple’s Response to the UK’s Encryption Request

    Apple expressed disappointment over the restriction, emphasizing the growing need for stronger data security amid rising cyber threats. In a statement to BleepingComputer, the company reaffirmed its stance against backdoors:

    “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”

    Apple maintains that it has never provided governments with direct access to its servers or created master keys for encrypted data, and it has no intention of doing so. The company continues to advocate for user privacy and secure cloud storage.


    What This Means for UK iCloud Users

    Existing ADP users in the UK will still have access to the feature for now, but Apple has indicated that they will eventually need to disable it to continue using their iCloud accounts. The company plans to provide further guidance to affected users in the coming weeks.

    Despite this restriction, iMessage, FaceTime, Health data, and iCloud Keychain will remain end-to-end encrypted, even in the UK. Meanwhile, ADP will continue to be available in other countries where Apple users can enable it for additional data security.


    A Growing Battle Over Encryption

    Apple’s decision highlights the ongoing tensions between privacy advocates and government surveillance initiatives. The UK government has previously pushed for access to encrypted communications under laws like the Investigatory Powers Act, often referred to as the “Snooper’s Charter.”

    This move raises concerns about digital privacy, surveillance, and potential global implications, as other governments may follow suit in requesting similar access to encrypted data.

    For now, UK Apple users should stay informed about potential changes and consider alternative security measures to safeguard their data.



    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • SIPRNet and NIPRNet: Key Differences Explained

    The United States Department of Defense (DoD) relies on specialized communication networks to manage the flow of information across various security levels. Two primary networks in this infrastructure are the Secret Internet Protocol Router Network (SIPRNet) and the Non-classified Internet Protocol Router Network (NIPRNet). Each serves distinct purposes and operates under different security protocols.


    Overview of SIPRNet and NIPRNet

    Both SIPRNet and NIPRNet are integral to the DoD’s communication strategy, facilitating the exchange of information among military and defense entities. The key distinction lies in the classification levels of the data they handle and the security measures in place to protect that data.


    SIPRNet: Secure Communication for Classified Information

    SIPRNet is the DoD’s secure network designed for transmitting classified information up to the Secret level. Established in 1991, it connects various agencies, including the DoD, Department of Homeland Security (DHS), and Department of State (DoS), providing a secure channel for military operations and classified communications. Access to SIPRNet is highly restricted, requiring personnel to have appropriate security clearances and a validated need-to-know. This stringent access control ensures that sensitive information remains protected from unauthorized access.


    NIPRNet: Facilitating Unclassified Communication

    In contrast, NIPRNet is a global network that connects Non-Secure Internet Protocol Router Networks worldwide. It primarily supports the exchange of unclassified data, including emails, documents, and other non-sensitive information, among DoD agencies and related organizations. While NIPRNet is not classified, it is still protected through various security measures to prevent unauthorized access and cyber threats. Access to NIPRNet is less restrictive compared to SIPRNet, typically requiring a Common Access Card (CAC) for authentication.


    Key Differences Between SIPRNet and NIPRNet

    • Security Level: SIPRNet is designed for classified information up to the Secret level, employing robust security protocols to safeguard sensitive data. NIPRNet handles unclassified information, with security measures in place to protect against unauthorized access.
    • Data Types: SIPRNet transmits highly sensitive information such as classified military operations, intelligence reports, and diplomatic communications. NIPRNet supports the exchange of unclassified data, including routine emails and administrative documents.
    • Access Control: Access to SIPRNet is restricted to authorized personnel with the necessary security clearances and a validated need-to-know. NIPRNet access is generally available to all DoD users with a CAC, though certain areas may have additional access controls.
    • Infrastructure: SIPRNet operates on a separate and secure infrastructure to ensure the confidentiality of classified information. NIPRNet, while separate from the public internet, provides users with access to the internet, facilitating broader communication needs.

    Conclusion

    Understanding the distinctions between SIPRNet and NIPRNet is crucial for comprehending the DoD’s approach to secure communication. SIPRNet ensures the protection of classified information through stringent security measures and access controls, while NIPRNet facilitates the exchange of unclassified data with appropriate safeguards. Both networks are essential for maintaining operational security and effective communication within the Department of Defense.




  • New FrigidStealer Campaign Targeting macOS Users: What SOC Teams Need to Know

    A newly discovered malware campaign is using fake browser update prompts to distribute FrigidStealer, an infostealer designed to target macOS users. The attack is part of a broader cybercriminal operation that also delivers malware to Windows and Android users. Cybersecurity researchers at Proofpoint have identified two threat groups—TA2726 and TA2727—working together to spread this malware through compromised websites.


    How the Attack Works

    The attackers inject malicious JavaScript into breached websites, which then display fake update alerts that mimic Google Chrome or Safari notifications. These pop-ups instruct users to download and install a required browser update, but instead of a legitimate update, the user unknowingly installs malware.

    Multi-Platform Targeting

    • macOS: Users receive a DMG file that installs FrigidStealer.
    • Windows: Victims download an MSI installer that loads Lumma Stealer or DeerStealer.
    • Android: Users are tricked into downloading an APK file that installs the Marcher banking trojan.

    Unlike traditional drive-by downloads, this attack requires user interaction. On macOS, the victim must right-click the downloaded file and select “Open”, followed by entering their password to bypass macOS Gatekeeper protections.


    What FrigidStealer Does

    FrigidStealer is built using the Go-based WailsIO framework, which enables the installer to closely mimic the look and feel of a legitimate browser update. Once installed, the malware operates covertly in the background. It is designed to extract sensitive information from the affected Mac, including saved cookies, login credentials, and various password files stored in browsers like Safari and Chrome. The malware also scans local directories for crypto wallet credentials and retrieves content from Apple Notes that may contain passwords, financial data, or other personal information. Additionally, FrigidStealer collects documents, spreadsheets, and text files from the user’s home directory.

    The stolen data is compressed into a hidden folder and transmitted to a command and control (C2) server at askforupdate[.]org.


    Why This Attack Is Significant

    Fake update campaigns are a growing trend in cybercrime. The use of JavaScript-based injects allows attackers to dynamically profile victims and tailor payloads based on operating system, browser type, and device location. While Windows and Android users have long been targeted by similar attacks, the emergence of advanced macOS-specific malware like FrigidStealer represents a concerning shift.


    What SOC Teams Need to Know

    Security Operations Centers (SOCs) must take proactive steps to detect and mitigate threats like FrigidStealer before they lead to data breaches. Here’s what security teams should focus on:

    Detection and Threat Intelligence

    • Monitor web traffic logs for connections to suspicious domains like askforupdate[.]org.
    • Analyze downloaded DMG files for unexpected permissions requests or credential access.
    • Track unusual browser update prompts appearing on legitimate corporate websites.
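    The first two detection items above can be turned into a small log sweep. The following is an added example written for this brief, not code from Netizen or from Proofpoint’s report: it refangs defanged indicators such as askforupdate[.]org, then walks proxy log lines and reports any request to that domain (download or beacon alike) and any DMG, MSI or APK installer fetched from a host outside an allowlist of vendor update hosts. The log line format, the allowlist and the sample log entries are constructed for the example.

```python
"""Flag FrigidStealer-style indicators in web-proxy logs.

Added example; not code from the Netizen brief or from Proofpoint.
Refangs defanged indicators (askforupdate[.]org, the C2 named in the
brief), reports requests to indicator domains, and reports DMG/MSI/APK
downloads from hosts outside an allowlist. Log format, allowlist and
sample log lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator from the brief, kept defanged the way analysts usually store it.
DEFANGED_IOCS = ["askforupdate[.]org"]

# Assumed allowlist: hosts from which a genuine browser update may be fetched.
UPDATE_HOST_ALLOWLIST = {"dl.google.com", "swcdn.apple.com"}

# Installer types the campaign delivers per platform (DMG, MSI, APK).
INSTALLER_EXTENSIONS = (".dmg", ".msi", ".apk")

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(ioc: str) -> str:
    """Undo common defanging so an indicator can be compared with live hosts."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_matches(host: str, ioc_host: str) -> bool:
    """True if host is the indicator domain itself or a subdomain of it."""
    return host == ioc_host or host.endswith("." + ioc_host)


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    reason: str


def scan_lines(lines, iocs=DEFANGED_IOCS, allowlist=UPDATE_HOST_ALLOWLIST):
    """Return one Finding per suspicious request; malformed lines are skipped."""
    ioc_hosts = [refang(i) for i in iocs]
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()
        path = url.path.lower()
        if any(host_matches(host, h) for h in ioc_hosts):
            # Any contact with the C2 domain matters, download or beacon alike.
            findings.append(Finding(m["client"], host, "request to known IoC domain"))
        elif path.endswith(INSTALLER_EXTENSIONS) and host not in allowlist:
            ext = path.rsplit(".", 1)[1]
            findings.append(Finding(m["client"], host, f"{ext} installer from non-allowlisted host"))
    return findings


def clients_to_triage(findings):
    """Distinct client IPs that contacted an indicator, for endpoint follow-up."""
    return sorted({f.client for f in findings if "IoC" in f.reason})


# Constructed sample log: a benign page view, a fake-update DMG pulled from the
# C2 domain, a follow-up POST to it, a genuine Apple download, a Windows
# installer from an unknown host, and one malformed line.
SAMPLE_LOG = [
    "2025-02-24T09:14:02Z 10.20.1.15 GET https://news.example/index.html 200",
    "2025-02-24T09:14:05Z 10.20.1.15 GET https://askforupdate.org/update/ChromeUpdate.dmg 200",
    "2025-02-24T09:16:40Z 10.20.1.15 POST https://askforupdate.org/upload 200",
    "2025-02-24T10:02:11Z 10.20.1.22 GET https://swcdn.apple.com/content/update.dmg 200",
    "2025-02-24T10:30:00Z 10.20.1.31 GET https://cdn.fake-browser.example/Update.msi 200",
    "this line does not match the expected format",
]

if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOG)
    for f in results:
        print(f"{f.client:<12} {f.host:<28} {f.reason}")
    print("clients to triage:", clients_to_triage(results))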

    Endpoint Protection

    • Ensure macOS security settings are configured to block unverified apps from executing.
    • Deploy endpoint detection and response (EDR) solutions to identify anomalies in application behavior.
    • Implement strong user access controls to prevent unauthorized software installations.

    User Awareness & Training

    • Educate employees on the dangers of fake update prompts.
    • Reinforce policies that restrict downloading software from untrusted sources.
    • Encourage users to manually check for browser updates via official vendor websites.

    How to Stay Protected

    To avoid falling victim to infostealers like FrigidStealer:

    • Never click on update prompts from websites. Always update browsers directly from their official settings menu.
    • Use trusted security software that can detect and block malicious downloads.
    • Regularly review account security and change passwords if suspicious activity is detected.

    Final Thoughts

    With multiple cybercrime groups leveraging fake browser updates as an infection vector, organizations must stay vigilant and implement layered security measures to mitigate these risks. By combining user awareness, strong endpoint security, and proactive threat monitoring, security teams can better defend against these evolving threats.




  • OpenSSH Security Updates: What SOC Teams Need to Know

    OpenSSH has released security updates to address two newly discovered vulnerabilities, including a machine-in-the-middle (MiTM) attack and a pre-authentication denial-of-service (DoS) flaw. One of these vulnerabilities, CVE-2025-26465, had been present in OpenSSH for over a decade, exposing countless systems to potential exploitation.


    Two Critical Vulnerabilities in OpenSSH

    The MiTM vulnerability (CVE-2025-26465) affects OpenSSH clients when the VerifyHostKeyDNS option is enabled. This flaw allows attackers to intercept SSH connections and inject malicious keys, effectively hijacking sessions. An attacker can exploit improper error handling to trick a client into accepting a rogue server’s key by triggering an out-of-memory error during verification. Once compromised, the attacker can steal credentials, inject commands, and exfiltrate sensitive data.

    Although VerifyHostKeyDNS is disabled by default in OpenSSH, FreeBSD had it enabled by default from 2013 until 2023, leaving many systems unknowingly exposed.

    The second vulnerability, CVE-2025-26466, is a pre-authentication DoS flaw introduced in OpenSSH 9.5p1 (August 2023). The flaw allows attackers to send repeated small ping messages that force OpenSSH to buffer excessive responses, leading to uncontrolled memory allocation and potential system crashes. While not as severe as the MiTM flaw, this vulnerability still poses a high risk of service disruption, particularly for high-availability systems.


    OpenSSH Issues Security Fixes

    To mitigate these risks, OpenSSH has released version 9.9p2, which patches both vulnerabilities. Users and administrators are strongly urged to update their OpenSSH installations immediately to prevent potential exploitation.

    As an additional security measure, administrators should disable VerifyHostKeyDNS unless absolutely necessary and instead rely on manual SSH key fingerprint verification to ensure secure connections. For the DoS flaw, enforcing connection rate limits and monitoring SSH traffic for unusual patterns can help detect and prevent potential attacks before they cause serious disruption.

    Given OpenSSH’s widespread use across enterprise and cloud environments, delaying these updates leaves critical systems vulnerable to attacks that could compromise authentication, steal credentials, or disrupt operations.


    What SOC Teams Need to Know

    Here’s what SOC analysts and incident responders should focus on:

    • Prioritize Immediate Patching: OpenSSH 9.9p2 contains fixes for both CVE-2025-26465 and CVE-2025-26466. Ensure all affected systems are updated as soon as possible, particularly high-value assets and internet-facing SSH servers.
    • Audit SSH Configurations: Check for instances where VerifyHostKeyDNS is enabled. Since this setting can be exploited for MiTM attacks, disabling it across all systems is a necessary security measure unless there is a strict operational requirement.
    • Monitor for Exploitation Attempts: Deploy network monitoring rules to detect large SSH keys with excessive certificate extensions, which could indicate an attempt to exploit the MiTM flaw. Additionally, look for excessive SSH connection requests or unusually high memory usage on OpenSSH servers that could suggest an active DoS attack.
    • Apply Rate Limiting and Anomaly Detection: Implement SSH connection rate limits to mitigate potential DoS exploitation. Monitor logs for signs of resource exhaustion or unexpected service crashes that may indicate CVE-2025-26466 exploitation attempts.
    • Enhance Logging and Alerting: Ensure SSH authentication logs (/var/log/auth.log or /var/log/secure) are being forwarded to SIEM solutions for centralized monitoring. Set up alerts for anomalous SSH activity, such as repeated authentication failures, unexpected key exchanges, or changes to host keys.
    • Verify Key Integrity and Trust Models: Organizations relying on SSH for secure remote access should enforce strict key verification policies, such as manually validating SSH key fingerprints before accepting them, rather than relying on DNS-based verification.
    • Coordinate Incident Response Plans: If exploitation is detected, SOC teams should be prepared to isolate compromised hosts, rotate affected credentials, and conduct forensic analysis to determine if an attacker has gained persistence.
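    The “Prioritize Immediate Patching” and “Audit SSH Configurations” items above lend themselves to a scripted first pass. The following is an added example written for this brief, not code from Netizen or from the OpenSSH project. It parses ssh_config-style text for VerifyHostKeyDNS using the documented ssh_config(5) conventions (keywords are case-insensitive, values may follow whitespace or “=”, the first value obtained wins, Host and Match open a new section), and compares an `ssh -V` banner against the 9.9p2 fix release and the 9.5p1 release in which the DoS flaw was introduced. The sample config and banners are constructed. One caveat the code cannot resolve: vendors that backport the fix to an older version string will still be reported as needing an update, so the banner check is a starting point, not proof of exposure.

```python
"""Audit OpenSSH client config and version for CVE-2025-26465/26466 exposure.

Added example; not code from the Netizen brief or the OpenSSH project.
Parses ssh_config-style text for VerifyHostKeyDNS (ssh_config(5) rules:
case-insensitive keywords, whitespace or '=' separators, first value wins,
Host/Match start a section) and checks an 'ssh -V' banner against the
9.9p2 fix and the 9.5p1 release that introduced the DoS flaw. The sample
config and banners are constructed. Distribution builds that backport the
fix under an older version string are not recognised by the banner check.
"""
import re

FIXED_RELEASE = (9, 9, 2)      # 9.9p2 patches both CVEs (per the brief)
DOS_INTRODUCED = (9, 5, 1)     # CVE-2025-26466 arrived with 9.5p1 (per the brief)
BANNER = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_ssh_config(text):
    """Return (global_options, {section: options}); keys are lower-cased."""
    global_opts, sections = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue                               # keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            current = sections.setdefault(f"{key} {value}", {})
            continue
        current.setdefault(key, value)             # first value wins, as ssh does
    return global_opts, sections


def find_verify_host_key_dns(text):
    """List (section, value) where VerifyHostKeyDNS is 'yes' or 'ask'.

    'yes' is the exposed setting named in the advisory; 'ask' still consults
    DNS for host keys and is reported so the owner can review it."""
    global_opts, sections = parse_ssh_config(text)
    hits = []
    for scope, opts in [("global", global_opts), *sections.items()]:
        value = opts.get("verifyhostkeydns", "no").lower()
        if value in ("yes", "ask"):
            hits.append((scope, value))
    return hits


def parse_openssh_version(banner):
    """Turn 'OpenSSH_9.9p1, OpenSSL ...' into (9, 9, 1); None if not found."""
    m = BANNER.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def needs_update(banner):
    """True when the reported version predates the 9.9p2 fix release."""
    version = parse_openssh_version(banner)
    if version is None:
        raise ValueError(f"no OpenSSH version in banner: {banner!r}")
    return version < FIXED_RELEASE


def exposed_to_dos(banner):
    """True for versions from 9.5p1 up to, but not including, 9.9p2."""
    version = parse_openssh_version(banner)
    return version is not None and DOS_INTRODUCED <= version < FIXED_RELEASE


# Constructed ~/.ssh/config covering the spellings an auditor will meet.
SAMPLE_SSH_CONFIG = """
# constructed sample for this example
StrictHostKeyChecking ask

Host *
    ServerAliveInterval 60
    VerifyHostKeyDNS no

Host legacy-jump
    HostName jump.internal.example
    VerifyHostKeyDNS yes

Host build-*
    verifyhostkeydns = ask
"""

if __name__ == "__main__":
    for scope, value in find_verify_host_key_dns(SAMPLE_SSH_CONFIG):
        print(f"VerifyHostKeyDNS {value} in [{scope}]: disable unless operationally required")
    for banner in ("OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024",
                   "OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024"):
        print(banner.split(",")[0], "needs update:", needs_update(banner),
              "DoS-exposed:", exposed_to_dos(banner))
```

    Run it against the concatenation of /etc/ssh/ssh_config, the files it includes, and each user’s ~/.ssh/config; only a setting that ssh actually obtains first for a given host takes effect, which is why the parser keeps the first value rather than the last.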

    With OpenSSH being a critical component in enterprise, cloud, and DevOps environments, SOC teams must take a proactive stance to prevent exploitation and ensure SSH connections remain secure.




  • Netizen: Monday Security Brief (2/17/2024)

    Today’s Topics:

    • SonicWall Firewall Vulnerability Exploited Following PoC Release
    • Chinese APT Exploits New Windows Zero-Day, Security Researchers Warn
    • How can Netizen help?

    SonicWall Firewall Vulnerability Exploited Following PoC Release

    Cybercriminals are actively exploiting a critical authentication bypass vulnerability in SonicWall firewalls (CVE-2024-53704) following the public release of proof-of-concept (PoC) exploit code. The flaw, which affects the SSLVPN authentication mechanism, enables remote attackers to hijack active VPN sessions and gain unauthorized access to corporate networks.

    The vulnerability impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, which are used across multiple SonicWall Gen 6 and Gen 7 firewall models, as well as SOHO series devices. If exploited, attackers can bypass multi-factor authentication (MFA), disclose sensitive information, and terminate active VPN sessions—posing a significant threat to enterprise security.

    SonicWall initially warned customers to update their firewall firmware before publicly disclosing the vulnerability on January 7. Despite this, cybersecurity firm Arctic Wolf has reported detecting exploitation attempts beginning shortly after the PoC exploit became available.

    According to Arctic Wolf, the exploit allows unauthenticated attackers to infiltrate corporate networks with minimal effort. “Given the ease of exploitation and available threat intelligence, Arctic Wolf strongly recommends upgrading to a fixed firmware to address this vulnerability,” the company stated.

    The PoC exploit was published by security researchers at Bishop Fox on February 10, approximately one month after SonicWall released security patches. Prior to the PoC’s release, internet scans conducted on February 7 revealed that nearly 4,500 unpatched SonicWall SSL VPN servers remained exposed online.

    Following the publication of the exploit code, SonicWall issued an urgent advisory reinforcing the importance of updating affected devices. “Proof-of-Concepts (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available. This significantly increases the risk of exploitation. Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN,” SonicWall warned.

    This is not the first time SonicWall firewalls have been targeted by threat actors. Ransomware groups such as Akira and Fog have previously leveraged SonicWall VPN vulnerabilities to gain initial network access. In October 2024, Arctic Wolf reported at least 30 ransomware intrusions that began with compromised SonicWall VPN accounts.

    Given the increased risk following the release of the PoC, organizations using affected SonicWall devices are strongly urged to apply patches immediately or implement mitigation measures, such as restricting SSLVPN access, to prevent potential attacks.


    Chinese APT Exploits New Windows Zero-Day, Security Researchers Warn

    Israeli cybersecurity firm ClearSky has identified a previously unknown Windows zero-day vulnerability being actively exploited by the Chinese advanced persistent threat (APT) group Mustang Panda. The firm has yet to disclose full details but confirmed that the flaw remains unpatched and currently lacks a CVE identifier, suggesting it is an emerging security risk.

    ClearSky described the vulnerability as a user interface (UI) flaw that allows threat actors to manipulate file visibility when extracting compressed RAR files. According to their research, files extracted from a RAR archive may remain hidden from users when viewed in Windows Explorer, even though they are accessible via the command line.

    The attack operates as follows:

    • When a user extracts a RAR archive, the extracted files do not appear in Windows Explorer, making it seem as if the folder is empty.
    • However, these files remain accessible via the command prompt if their exact paths are known.
    • Attackers can execute these hidden files without the user realizing they exist.
    • Running the attrib -s -h command on system-protected files generates an ActiveX component classified as an “Unknown” file type, raising concerns about potential abuse in malware delivery.

    Microsoft has been informed of the issue but has reportedly classified it as low severity. Given that it enables stealthy file execution, security researchers warn that the vulnerability could be leveraged for espionage, persistence, and malware deployment.

    Mustang Panda, the China-linked APT, has a history of targeting government agencies, NGOs, and critical infrastructure worldwide. The group is known for using custom malware and spear-phishing campaigns to gain long-term access to victim networks.

    This latest discovery adds to the growing list of Windows vulnerabilities being leveraged by Chinese APTs for cyber espionage and covert operations. If the flaw remains unpatched, it could be used to execute malicious payloads without detection, making it an attractive tool for state-sponsored attacks.

    Microsoft’s February Patch Tuesday addressed over 50 vulnerabilities, including two other zero-day exploits:

    • CVE-2025-21391 – A Windows Storage privilege escalation flaw that allows attackers to delete system files.
    • CVE-2025-21418 – A Windows Ancillary Function driver flaw that permits privilege escalation to system-level access.

    While these vulnerabilities received immediate patches, the ClearSky-discovered zero-day remains unresolved, increasing the urgency for a fix.

    ClearSky has promised to release further details in an upcoming technical blog post. Meanwhile, security researchers and enterprises are urged to monitor Microsoft’s security advisories and implement workarounds where possible.

