• Netizen: Monday Security Brief (10/28/2024)

    Today’s Topics:

    • Apple Launches $1 Million Bounty for Private Cloud Compute Security Vulnerabilities
    • Delta Seeks $500M in Damages, Blames CrowdStrike for July Flight Outage
    • How can Netizen help?

    Apple Launches $1 Million Bounty for Private Cloud Compute Security Vulnerabilities

    Apple is offering a significant expansion to its security bounty program, providing up to $1 million for researchers who can identify and report critical vulnerabilities within its new Private Cloud Compute (PCC) infrastructure. This AI-powered private cloud system is designed to extend Apple’s on-device AI capabilities—under the brand “Apple Intelligence”—to the cloud while preserving stringent privacy protections. Ahead of its launch next week, Apple has also published extensive resources to support independent security assessments, including a comprehensive security guide and a Virtual Research Environment (VRE) for hands-on testing.

    Apple’s security blog details the bounty incentives, specifying that the top payout of $1 million is available for vulnerabilities that allow remote code execution on PCC servers. A secondary bounty tier offers up to $250,000 for exploits that could leak sensitive user data, such as AI prompts or private information. Other high-impact vulnerabilities affecting data integrity from a network-level perspective are eligible for awards up to $150,000. These bounties reflect Apple’s commitment to safeguarding user data by encouraging rigorous external testing of its cloud infrastructure.

    A key feature of Apple’s expanded approach to transparency is the Virtual Research Environment. The VRE provides researchers a virtualized platform to interact with PCC software nearly identically to how it operates on Apple’s cloud servers. This environment includes a virtual Secure Enclave Processor (SEP) and allows researchers to inspect PCC software, validate software releases, and analyze the system’s transparency log. The VRE’s inclusion of macOS’s paravirtualized graphics support enables efficient testing of Apple’s AI model operations, allowing researchers to verify privacy claims directly.

    Apple has additionally released the Private Cloud Compute Security Guide, which outlines the robust architecture and privacy mechanisms built into PCC. It explains how components such as hardware-based attestations and authenticated routing help maintain non-targetability and data security in various threat scenarios. This resource enables researchers to gain a deep technical understanding of PCC’s layered defenses, while the VRE allows them to actively probe and validate those defenses.

    With PCC, Apple aims to set a new standard for privacy within cloud-based AI services, blending the secure ecosystem of its devices with cloud-level scalability. The bounty program and VRE are unique in their level of access, inviting the broader security community to hold Apple accountable to its privacy promises through transparent and thorough verification methods.



    Delta Seeks $500M in Damages, Blames CrowdStrike for July Flight Outage

    Delta Air Lines has filed a lawsuit against cybersecurity provider CrowdStrike, alleging that the company’s negligence during a software update caused a severe technology outage that disrupted thousands of Delta flights in July. Delta claims that CrowdStrike’s failure to thoroughly test a global update before deployment led to widespread system failures across the airline’s network, ultimately resulting in over 7,000 canceled flights and financial losses exceeding $500 million.

    The disruption reportedly originated from a flawed update that impacted millions of Microsoft systems globally, with airlines, banks, hospitals, and other critical infrastructure among those affected. Delta’s complaint, filed in Fulton County Superior Court, accuses CrowdStrike of prioritizing profits over security by bypassing essential testing and verification protocols—a move the airline says caused significant damage during peak travel season.

    CrowdStrike has pushed back on Delta’s allegations, stating that the airline’s claims reflect “misinformation” and a lack of understanding of cybersecurity practices. A company spokesperson further suggested that Delta’s prolonged recovery was likely due to its own outdated IT infrastructure, rather than a failure on CrowdStrike’s part.

    The U.S. Department of Transportation is currently investigating Delta’s extended recovery time compared to other impacted organizations, alongside complaints about inadequate customer service during the outage. Transportation Secretary Pete Buttigieg stated that this review will include examining reports of delayed responses and unaccompanied minors stranded in airports.

    In response to the suit, CrowdStrike has indicated its intent to resolve the matter, maintaining that its liability in the incident is well below Delta’s claimed losses. The case brings further attention to the crucial role of rigorous testing and infrastructure modernization in preventing and managing large-scale cybersecurity incidents.



    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Netizen: October 2024 Vulnerability Review

    Security vulnerabilities are a constant concern in managing any business’s organizational security, and prompt patching and remediation of newly disclosed vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from October that should be patched or otherwise addressed immediately if present in your environment. Detailed writeups are below:


    CVE-2024-30088

    CVE-2024-30088 is a high-severity vulnerability in the Windows Kernel that allows for privilege escalation. Specifically, it can enable attackers with local access to elevate their privileges to gain higher-level access within the Windows environment. The vulnerability’s exploitation relies on a local attack vector, requiring attackers to already have some level of access to the targeted system. However, its impact on confidentiality, integrity, and availability is substantial, as successful exploitation could grant control over critical system components.

    This vulnerability has drawn attention due to its use by advanced persistent threat (APT) groups such as Iran’s APT34, also known as OilRig, which has reportedly leveraged it in targeted espionage campaigns against governmental and other sensitive entities. The issue has a CVSS v3 base score of 7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H): the high attack complexity lowers the score, but the confidentiality, integrity and availability impact is rated high across the board.

    Microsoft addressed this vulnerability in the June 2024 Patch Tuesday release. Organizations using Windows are strongly encouraged to ensure these updates are applied promptly to prevent exploitation by both APTs and other potential attackers. Further information on mitigating this threat can be found through Microsoft’s security update guide and other cybersecurity advisories.


    CVE-2024-47575

    CVE-2024-47575 is a critical vulnerability in Fortinet’s FortiManager, affecting versions across multiple releases: FortiManager 7.6.0, 7.4.0 to 7.4.4, 7.2.0 to 7.2.7, 7.0.0 to 7.0.12, and 6.4.0 to 6.4.14, as well as FortiManager Cloud versions 7.4.1 to 7.4.4, 7.2.1 to 7.2.7, 7.0.1 to 7.0.13, and 6.4.1 to 6.4.7. The vulnerability stems from missing authentication for a critical function, allowing attackers to execute arbitrary commands or code by sending specially crafted requests to affected systems.

    This issue has a CVSS v3 base score of 9.8, reflecting the severity of the potential impact. Exploitation does not require user interaction or elevated privileges, meaning attackers can remotely compromise systems with ease, which makes it particularly dangerous. The vulnerability has been actively exploited in zero-day attacks since June 2024, with reports indicating its use by nation-state actors for espionage purposes. Threat actors are leveraging this flaw to target managed service providers (MSPs) and other critical infrastructure, seeking unauthorized access and control over FortiManager systems.

    Fortinet has confirmed the existence of the vulnerability and released a security advisory urging all affected users to apply the latest patches to safeguard against potential exploitation. Security experts strongly recommend immediate updates to FortiManager deployments to mitigate risk, as well as monitoring for any unusual activity indicative of ongoing exploitation attempts.


    CVE-2024-20481

    CVE-2024-20481 affects the Remote Access VPN (RAVPN) service in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, allowing a remote, unauthenticated attacker to perform a denial of service (DoS) attack on vulnerable systems. This vulnerability results from resource exhaustion due to excessive VPN authentication requests sent to the affected devices. The consequence of a successful attack is a service disruption to the RAVPN service, potentially requiring a system restart to restore functionality.

    This vulnerability has a CVSS v3 base score of 5.8, classifying it as medium severity. While other device functions outside of VPN services remain unaffected, the attack can still disrupt remote access capabilities, which are essential for many organizations. Cisco has advised that attackers leveraging password spray techniques in brute-force campaigns have targeted this vulnerability, as outlined by Cisco Talos and other security researchers.

    To protect against this issue, Cisco recommends applying available patches and monitoring for unusual login attempts that may signal an attack. Network administrators are encouraged to deploy rate-limiting measures where possible and ensure VPN services are not exposed unnecessarily to the internet.
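    As an added illustration of the “monitor for unusual login attempts” advice, and not Cisco’s own tooling, the following Python script distinguishes a password spray (many different usernames from one source in a short window) from an ordinary mistyped password in ASA syslog. The log lines are constructed for the example and follow the shape of the %ASA-6-113005 authentication-rejected message; the regex is written for those constructed lines, and the window and username thresholds are assumptions to tune for your environment.

```python
"""Added example (not Cisco's code): flag password-spray activity against a
Cisco ASA/FTD remote-access VPN from syslog.

A spray is many different usernames, few attempts each, from one source in a
short window; a user mistyping a password is one username, several attempts.
The sample lines are constructed for this example and follow the shape of the
ASA %ASA-6-113005 "AAA user authentication Rejected" message; the regex is
written for these constructed lines and may need adjusting to your format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)

# Constructed sample log: 203.0.113.7 cycles through six accounts in under two
# minutes (spray); 198.51.100.4 is one user failing three times (typo).
SAMPLE_LOG = """\
Oct 28 2024 10:00:01 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Oct 28 2024 10:00:19 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
Oct 28 2024 10:00:22 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.4
Oct 28 2024 10:00:40 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
Oct 28 2024 10:00:58 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
Oct 28 2024 10:01:05 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.4
Oct 28 2024 10:01:17 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.7
Oct 28 2024 10:01:30 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7
Oct 28 2024 10:01:44 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.4
Oct 28 2024 10:02:00 asa-edge %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.0.9/443 (10.0.0.9/443)
"""


def parse_rejects(lines):
    """Yield (timestamp, source IP, username) for each rejected VPN login."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["src"], m["user"])


def detect_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Return one finding per source IP that was rejected for at least
    `min_users` distinct usernames inside some `window`-long interval,
    reporting the window with the most distinct usernames."""
    by_src = defaultdict(list)
    for ts, src, user in parse_rejects(lines):
        by_src[src].append((ts, user))

    findings = []
    for src, events in by_src.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"src": src, "distinct_users": len(users),
                        "attempts": end - start + 1,
                        "first": events[start][0], "last": events[end][0]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG.splitlines()):
        print(f"possible password spray from {f['src']}: {f['distinct_users']} usernames, "
              f"{f['attempts']} attempts between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

    The per-source, distinct-username view is what separates a spray from a locked-out user: the three failures from 198.51.100.4 never trip the detector because they are all for one account. Rate limiting on the appliance itself is a configuration matter outside this script.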


    CVE-2024-43532

    CVE-2024-43532 affects the Windows Remote Registry Service and is classified as a high-severity elevation of privilege vulnerability. The flaw allows a remote attacker with limited privileges to escalate access, potentially enabling actions such as modifying system configurations and accessing sensitive data.

    With a CVSS v3 score of 8.8, this vulnerability arises from improper handling of permissions in the Remote Registry Service, which can lead to privilege escalation when exploited. Attackers leveraging this vulnerability can perform unauthorized registry edits, impacting system security and stability. This issue does not require user interaction, increasing the risk in environments where the Remote Registry Service is enabled.

    To mitigate this risk, Microsoft recommends applying the available patch. Disabling the Remote Registry Service where it is not essential and monitoring for unusual access requests to the registry can also help reduce exposure. For organizations with strict security requirements, enhanced network segmentation and access controls are advised to limit potential exploitation pathways.


    CVE-2024-38812

    CVE-2024-38812 is a critical vulnerability affecting VMware’s vCenter Server. This flaw, related to a heap-overflow vulnerability in the implementation of the Distributed Computing Environment / Remote Procedure Calls (DCERPC) protocol, could allow a malicious actor with network access to vCenter Server to execute arbitrary code remotely. Exploitation is possible through a specially crafted network packet sent to the vCenter Server, potentially resulting in a complete system compromise.

    This vulnerability has been assigned a CVSS v3 score of 9.8 due to its ease of exploitation, requiring no prior authentication, and its significant impact, including data exposure, system control, and service disruptions.

    To address this issue, VMware has released patches for the affected vCenter Server versions. However, given the vulnerability’s critical nature and recent reports of difficulties in fully fixing the flaw, organizations should verify that the patches have actually been applied and monitor for unusual network traffic targeting vCenter Servers. Where patching must be delayed, restricting network access to vCenter and implementing segmentation controls can help mitigate potential attacks.




  • Netizen Cybersecurity Bulletin (October 24th, 2024)

    Overview:

    • Phish Tale of the Week
    • SEC Fines Four Companies for Misleading Disclosures in SolarWinds Hack
    • CMMC 2.0 Program: Key Timeline for Defense Contractors
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes, phishing campaigns created by malicious actors target users through social engineering. For example, in this email the actors are posing as a university professor, Professor Johan H Enslin. The message tells us that they are seeking a research assistant to support their project, and that no previous experience is required. It seems both urgent and genuine, so why shouldn’t we send them our information? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to fall for this phish:

    1. The first warning sign in this email is the sender’s email address. While the messaging tells you they are a professor, the sender tells a different story: “profjohanhenslin@gmail.com” is very clearly not a professor from a university, as they want you to believe. Professors sending email in this way will almost always use their .edu email address.
    2. The second warning sign in this email is the messaging. The email seems almost too good to be true: remote work, a healthy weekly stipend, flexibility, everything a college student could want. If you’re seeing an email and it seems too good to be true, it probably is. Scams like this, targeting college students, commonly ask for your cell phone number or other personal information in an attempt to harvest PII from you.
    3. The final warning we have, and probably the easiest way to clock this as 100% a phishing email, is the signature. If we weren’t already convinced that the sender isn’t Professor Enslin, the signature tells us itself: Uygar Abaci, also without a .edu email, is now the one writing to us. Perhaps the cybercriminal thought that naming two professors in the email would add credibility. In all seriousness, inconsistencies like this are by far the easiest way to detect a phishing email, and this final clue puts the nail in the coffin for this poor phishing attempt.
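    The three warning signs above can be turned into a simple automated triage check. The following Python script is an added example, not part of the bulletin: it parses an email, compares the claimed role with the sending domain, looks for requests for personal details, and checks whether the signature names the same person as the From header. Both sample messages are constructed (the phishing one is modelled on the message described above), and the free-mail list, the PII phrase list and the signature heuristic are illustrative assumptions.

```python
"""Added example (not from the bulletin): score an email against three
phishing warning signs: a claimed academic role sent from a non-institutional
domain, a request for personal details, and a signature naming someone other
than the sender.

The two messages are constructed; the free-mail list and PII phrase list are
short illustrative assumptions, and the signature finder assumes the signer's
name is one of the last three non-empty lines of the body.
"""
from email import message_from_string
from email.utils import parseaddr

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumption
ACADEMIC_SUFFIXES = (".edu", ".ac.uk")                                       # assumption
PII_PHRASES = ("phone number", "home address", "social security",
               "bank account", "date of birth")                              # assumption

# Constructed phishing message modelled on the one described in the bulletin.
PHISH = """\
From: "Professor Johan H Enslin" <profjohanhenslin@gmail.com>
To: student@example.edu
Subject: Research Assistant Position - No Experience Required

Hello,

I am seeking a research assistant to support my project. No previous
experience is required. The role is fully remote and flexible, and pays a
weekly stipend. To get started right away, reply with your full name,
phone number and home address.

Regards,
Uygar Abaci
"""

# Constructed benign message for comparison.
LEGIT = """\
From: "Jane Doe" <jdoe@example.edu>
To: student@example.edu
Subject: Lab meeting moved to Thursday

Hi all,

This week's lab meeting moves to Thursday at 3pm in room 214. Bring your
progress notes.

Best,
Jane Doe
"""


def signature_name(body: str):
    """Best-effort signature extraction: a 2-4 word line of capitalised words
    among the last three non-empty lines, or None."""
    lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
    for line in reversed(lines[-3:]):
        words = line.rstrip(".").split()
        if 2 <= len(words) <= 4 and all(w[0].isupper() and w.replace(".", "").isalpha() for w in words):
            return line
    return None


def analyze(raw_message: str) -> dict:
    """Return {check-name: explanation} for every warning sign that fires."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = {}

    # 1. Claimed academic role versus the domain the mail actually came from.
    claims_academic = "professor" in display_name.lower() or "professor" in body.lower()
    if claims_academic and not domain.endswith(ACADEMIC_SUFFIXES):
        where = "a free webmail address" if domain in FREEMAIL_DOMAINS else f"'{domain}'"
        findings["sender-domain"] = f"claims to be a professor but sends from {where}, not an institutional address"

    # 2. Requests for personal information a real employer would not collect by email.
    asked = [p for p in PII_PHRASES if p in body.lower()]
    if asked:
        findings["pii-request"] = "asks for personal information: " + ", ".join(asked)

    # 3. Signature surname versus From display-name surname.
    signer = signature_name(body)
    if signer and display_name and signer.split()[-1].lower() != display_name.split()[-1].lower():
        findings["signature-mismatch"] = f"From says '{display_name}' but the signature reads '{signer}'"

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw) or "no warning signs")
```

    Each check is deliberately independent, so a message that trips only one of them is still surfaced for a human look; the sample phish trips all three, and the benign message trips none.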


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the message come from a store you don’t usually order supplies from, or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign in to a website to provide Personally Identifiable Information (PII) such as credit card numbers or your social security number? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    SEC Fines Four Companies for Misleading Disclosures in SolarWinds Hack

    The U.S. Securities and Exchange Commission (SEC) has imposed hefty fines on four major companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—for failing to accurately disclose the impact of breaches linked to the notorious SolarWinds Orion cyberattack. The SEC’s actions highlight the growing regulatory scrutiny over how organizations handle cybersecurity disclosures, particularly in incidents involving widespread and damaging cyberattacks like SolarWinds.

    The SolarWinds hack, first revealed in late 2020, was a large-scale supply chain attack that compromised the networks of numerous government agencies and private companies worldwide. A vulnerability in SolarWinds’ Orion software allowed sophisticated hackers—widely attributed to Russian state-sponsored groups—to infiltrate systems and steal sensitive data. The ramifications of the breach rippled through the technology and security industries, raising concerns about the effectiveness of supply chain security and organizational transparency in reporting cybersecurity incidents.

    In this case, the SEC determined that Unisys, Avaya, Check Point, and Mimecast had downplayed the true extent of the breaches they experienced. According to the SEC, these companies misled shareholders and the public by minimizing the severity of the incidents, even though they knew attackers had accessed their systems via the SolarWinds vulnerability.

    Unisys, for example, suffered two breaches involving the exfiltration of gigabytes of data, yet continued to describe its cybersecurity risks as purely theoretical. This lack of transparency violated SEC regulations that require companies to provide accurate, timely disclosures about material events that could affect their business operations. As a result, Unisys faces the largest fine of $4 million.

    The SEC’s findings also revealed that Avaya misrepresented the scope of the breach it experienced, initially reporting that hackers had accessed only a limited number of email messages. In reality, the attackers had also accessed a much larger set of files stored in Avaya’s cloud environment.

    Check Point and Mimecast similarly issued vague and incomplete disclosures. Check Point was aware of the intrusion but did not clearly explain the nature or scope of the breach in its public statements. Mimecast, which had encrypted credentials stolen by the attackers, failed to disclose the full extent of the stolen data.

    The penalties issued by the SEC were as follows:

    • Unisys Corp.: $4 million
    • Avaya Holdings Corp.: $1 million
    • Check Point Software Technologies Ltd.: $995,000
    • Mimecast Limited: $990,000

    These fines reflect the SEC’s broader push to hold companies accountable for how they report cybersecurity incidents. As cyberattacks become more frequent and damaging, regulators are increasing pressure on businesses to ensure they are transparent about the risks and incidents they face. The SolarWinds hack, one of the most significant breaches in recent history, serves as a case study of how critical accurate and timely cybersecurity disclosures have become. The SEC’s actions in this case emphasize the importance of cybersecurity governance and the need for companies to maintain strong internal controls for managing and reporting cyber risks.



    CMMC 2.0 Program: Key Timeline for Defense Contractors

    On October 15, 2024, the U.S. Department of Defense (DOD) unveiled the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. This pivotal update sets forth the guidelines for establishing cybersecurity standards aimed at safeguarding federal contract information (FCI) and controlled unclassified information (CUI). As the DOD prepares to implement this framework, understanding the timeline is crucial for defense contractors looking to remain competitive.

    The CMMC implementation will unfold in four distinct phases, starting after the related DFARS Acquisition rule takes effect. Each phase builds on the previous one, establishing escalating requirements for contractors:

    • Phase 1 (1 Year): This initial phase commences after the DFARS Acquisition rule takes effect. The DOD plans to require CMMC Status Level 1 (Self) or Level 2 (Self) in all applicable DOD solicitations and contracts as a condition of award. Contracting officers will also have the discretion to require CMMC Status Level 2 (C3PAO) for specific contracts. This phase provides contractors with a year to prepare for the initial compliance requirements.
    • Phase 2 (1 Year): Following Phase 1, the second phase will also last one year. During this period, the DOD will extend the CMMC requirements to include Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO) in relevant solicitations and contracts. Contracting officers may choose to delay the requirement for CMMC Status Level 2 (C3PAO) to an option period. This allows additional time for contractors to adapt to the growing security expectations.
    • Phase 3 (1 Year): The third phase will mirror the previous two, lasting one year. In this phase, the DOD will mandate CMMC Status Level 1 and Level 2 (Self and C3PAO) for all applicable solicitations and contracts. Additionally, CMMC Status Level 3 (DIBCAC) may also be included as a requirement for certain contracts. As contractors prepare for this stage, they must ensure their cybersecurity practices align with the elevated standards.
    • Phase 4 (Full Implementation): Beginning three years from the effective date of the CMMC Acquisition rule, CMMC 2.0 will be fully implemented. At this point, all DOD contracts will require adherence to the appropriate CMMC levels, effectively reinforcing a culture of cybersecurity across the defense industrial base.

    The structured timeline allows contractors to progressively align their cybersecurity practices with the DOD’s requirements, emphasizing the necessity of preparation and compliance. As the phased approach unfolds, contractors will need to actively assess their cybersecurity measures, ensuring they meet the specified CMMC levels to be eligible for contract awards.





  • Fortinet Warns of Critical FortiManager Flaw Exploited in Zero-Day Attacks

    Fortinet, a prominent cybersecurity company, has disclosed a critical vulnerability in its FortiManager API, tracked as CVE-2024-47575, which has been exploited in ongoing zero-day attacks. The flaw allows attackers to steal sensitive data, including configuration files, IP addresses, and credentials of managed devices.

    Fortinet began warning FortiManager customers privately about the issue on October 13th through emails outlining mitigation steps. However, news of the vulnerability started spreading online as customers shared their experiences on Reddit, and cybersecurity researcher Kevin Beaumont discussed it on Mastodon. Beaumont dubbed the vulnerability “FortiJump” after the attack method used by threat actors.


    Zero-Day Vulnerability in FortiManager

    This critical flaw has been rated 9.8 out of 10 in severity. According to Fortinet’s security advisory (FG-IR-24-423), the vulnerability stems from a missing authentication process in a critical function within the FortiManager fgfmd daemon. This flaw can allow an unauthenticated attacker to execute arbitrary code by sending specially crafted requests.

    The exploitation of this flaw requires attackers to first extract a valid certificate from a Fortinet device, such as a FortiManager VM. Once they have this certificate, they can exploit the vulnerability to gain access to sensitive systems.


    Affected Versions and Patches

    FortiManager versions affected by the vulnerability include:

    • FortiManager 7.6.0 and earlier (upgrade to 7.6.1 or later)
    • FortiManager 7.4.0 – 7.4.4 (upgrade to 7.4.5 or later)
    • FortiManager 7.2.0 – 7.2.7 (upgrade to 7.2.8 or later)
    • FortiManager 7.0.0 – 7.0.12 (upgrade to 7.0.13 or later)
    • FortiManager 6.4.0 – 6.4.14 (upgrade to 6.4.15 or later)
    • FortiManager 6.2.0 – 6.2.12 (upgrade to 6.2.13 or later)
    • FortiManager Cloud versions 7.0.0 to 7.4.4 are also affected.

    At the time of disclosure, only patches for FortiManager versions 7.2.8 and 7.4.5 had been released, with patches for other versions expected in the coming days.
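    The affected-version list above (and the same ranges in the October vulnerability review earlier on this page) is easy to misread under pressure. The following Python script, added here as an example and not Fortinet’s own tooling, encodes those ranges and reports whether a given build is affected and which release the bulletin names as the fix. For FortiManager Cloud it uses the more specific ranges given in the vulnerability review (7.4.1–7.4.4, 7.2.1–7.2.7, 7.0.1–7.0.13, 6.4.1–6.4.7); the bulletin names no fixed Cloud release, so none is claimed. The inventory in the script is constructed.

```python
"""Added example (not Fortinet's code): decide whether a FortiManager or
FortiManager Cloud build falls inside the affected ranges quoted in this
bulletin for CVE-2024-47575 and name the first fixed release to move to.

The ranges are transcribed from the bulletin's own lists; the vendor advisory
(FG-IR-24-423) is authoritative and should be checked for later changes.
"""
import re

# (lowest affected, highest affected, first fixed release) per release train.
# "7.6.0 and earlier" is represented as the single build 7.6.0, the only 7.6
# release the bulletin names. Fixed releases for FortiManager Cloud are not
# stated in the bulletin, so they are recorded as None.
AFFECTED = {
    "FortiManager": [
        ("7.6.0", "7.6.0", "7.6.1"),
        ("7.4.0", "7.4.4", "7.4.5"),
        ("7.2.0", "7.2.7", "7.2.8"),
        ("7.0.0", "7.0.12", "7.0.13"),
        ("6.4.0", "6.4.14", "6.4.15"),
        ("6.2.0", "6.2.12", "6.2.13"),
    ],
    "FortiManager Cloud": [
        ("7.4.1", "7.4.4", None),
        ("7.2.1", "7.2.7", None),
        ("7.0.1", "7.0.13", None),
        ("6.4.1", "6.4.7", None),
    ],
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.4.3' (or 'v7.4.3') into a comparable tuple. Anything else is an
    error rather than silently 'not affected'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str, product: str = "FortiManager") -> dict:
    """Report whether `version` of `product` is inside an affected range and,
    where the bulletin states one, the release that fixes it."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if parse_version(low) <= v <= parse_version(high):
            return {"product": product, "version": version,
                    "affected": True, "upgrade_to": fixed}
    return {"product": product, "version": version,
            "affected": False, "upgrade_to": None}


def assess_fleet(inventory: list[tuple[str, str]]) -> list[dict]:
    """Assess (product, version) pairs, listing affected systems first."""
    results = [assess(ver, prod) for prod, ver in inventory]
    return sorted(results, key=lambda r: not r["affected"])


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    fleet = [("FortiManager", "7.4.3"), ("FortiManager", "7.2.8"),
             ("FortiManager Cloud", "7.0.13"), ("FortiManager", "6.2.13")]
    for r in assess_fleet(fleet):
        if r["affected"]:
            state = f"AFFECTED -> upgrade to {r['upgrade_to'] or 'see FG-IR-24-423'}"
        else:
            state = "not in an affected range"
        print(f"{r['product']} {r['version']}: {state}")
```

    An unparsable version string raises an error instead of reading as “not affected”, which is the safer default when an inventory export contains blanks or build suffixes; confirm any result against FG-IR-24-423 before closing a ticket.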


    Attack Method: Exploiting the FortiGate to FortiManager Protocol

    The vulnerability revolves around the FortiGate to FortiManager Protocol (FGFM), which allows FortiGate firewall devices to register with FortiManager servers for centralized management. FGFM is commonly used in setups where network address translation (NAT) is employed, allowing FortiGate units to communicate securely with FortiManager over public and private networks.

    As noted by Beaumont, attackers can exploit this protocol by using a stolen certificate to establish an SSL tunnel between a compromised FortiGate device and an exposed FortiManager server. Once connected, attackers can execute code remotely, access configurations, and potentially escalate their privileges across managed devices.


    Early Exploitation and Delayed Notification

    Fortinet customers have reported that their systems were breached even before the company issued private warnings. A now-deleted Reddit post mentioned that one customer had been attacked weeks before receiving the notification email from Fortinet, indicating that the vulnerability had been actively exploited for some time.

    Fortinet’s delayed public disclosure and the absence of a clear, timely advisory have left many administrators scrambling to secure their systems. As more customers report similar attacks, there is growing frustration within the community over the lack of transparency and prompt action by Fortinet.


    Protecting Your Systems

    Fortinet advises all customers to upgrade their FortiManager installations to the latest patched versions as soon as possible. With the vulnerability actively being exploited in the wild, these updates are critical to safeguarding networks from further attacks. Customers should also review their systems for any unauthorized devices or unusual activity, particularly related to SSL tunnel connections.

    Fortinet’s response to the CVE-2024-47575 vulnerability highlights the importance of staying vigilant and promptly applying security updates, especially in critical network management tools like FortiManager.


    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. As part of our commitment to supporting businesses in their compliance journey, we offer CMMC (Cybersecurity Maturity Model Certification) preparation services. Our team assists organizations in understanding the CMMC requirements and developing the necessary controls to meet compliance standards, ensuring they are well-prepared for CMMC assessments.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • gRPC/h2c Protocol Abuse Enables XRP Cryptomining via Docker Servers

    Threat actors are exploiting exposed Docker remote API servers to mine cryptocurrency, with a particular focus on XRP, a token designed for quick, low-cost international transfers. As the native token of the Ripple network, XRP underpins a blockchain-based payment protocol used for real-time, cross-border settlement by financial institutions, which makes it an attractive payout for attackers hijacking other people’s compute.

    The attackers in this case are taking advantage of gRPC over h2c (HTTP/2 in clear text, with no TLS). gRPC is an RPC framework built on HTTP/2 and designed for efficient service-to-service communication; here it is turned against the Docker host. Because the traffic arrives as an HTTP/1.1 upgrade that many inspection tools do not follow, it slips past defenses that only understand plain HTTP/1.1.


    Breakdown of Attack Steps

    1. Initial Access and API Probing:
      • The attacker begins by pinging the Docker API to confirm the server is reachable. Once access is confirmed, they send a version check request (Figure 3) to identify the Docker version in use. This tells the attacker whether the server runs a version and configuration that their method works against; a known-vulnerable or misconfigured build is the ideal target.
    2. Exploiting gRPC/h2c for Command Execution:
      • Having confirmed an exposed, unauthenticated API, the attacker sends an HTTP/1.1 request asking to upgrade the connection to h2c (Figure 4), that is, HTTP/2 over clear text, and then speaks gRPC on the upgraded connection. Many security tools watch only conventional HTTP/1.1 traffic and do not follow the protocol switch, so everything after the upgrade goes uninspected. gRPC’s high-performance, bi-directional streaming then becomes an asset to the attacker, who can drive the Docker server covertly.
    3. Advanced gRPC Methods for Full Control:
      • The attacker then calls several gRPC services that the Docker daemon exposes for build sessions (the same interface BuildKit clients use) in order to manage the server. These include:
        • Health checks (/grpc.health.v1.Health/Check and /grpc.health.v1.Health/Watch), which report whether the gRPC session endpoint is up and let the attacker keep watching it, so that their activity does not disrupt the Docker environment in a way that would raise suspicion.
        • File synchronization (/moby.filesync.v1.FileSync/DiffCopy and /moby.filesync.v1.FileSync/TarStream), used to transfer and synchronize files between the attacker’s machine and the Docker host. DiffCopy sends only what has changed, so malicious software can be staged with minimal data transfer.
        • Authentication management (/moby.filesync.v1.Auth/Credentials and /moby.filesync.v1.Auth/FetchToken), which a build session uses to hand registry credentials and tokens to the daemon. Because the attacker sits on the client side of that exchange, they control the authentication material the session sees, which helps them keep persistent access to the Docker environment.
    4. Cryptominer Deployment:
      • With the Docker server under their control, the attacker downloads the SRBMiner cryptominer from GitHub. SRBMiner is a general-purpose miner that supports many coins, XRP payouts among them; once installed it is pointed at the attacker’s wallet address and public IP address, hijacking the server’s computational power to earn XRP for the attacker.

    Impact of the Attack

    This cryptomining operation places significant strain on compromised Docker environments. Mining typically saturates CPU and, where present, GPU resources, degrading every legitimate application on the same host. The result is operational inefficiency and higher cloud hosting bills, and the slowdown is often the first sign users or administrators get that something is wrong.

    Furthermore, the attack demonstrates a growing trend of targeting cloud infrastructures. Docker, widely used for its flexibility in building and deploying containerized applications, has become an attractive target for cybercriminals due to the increasing number of misconfigured and exposed Docker APIs. By exploiting gRPC/h2c in this attack, the adversaries also highlight a gap in many organizations’ security postures, particularly regarding modern communication protocols.


    Detecting the Docker Attack

    Detecting an attack on a Docker remote API server, such as this SRBMiner deployment, means watching for several indicators together.

    Start with network traffic. Look for unauthorized requests to the Docker API, and in particular for HTTP/1.1 requests carrying an Upgrade: h2c header followed by gRPC calls. The upgrade itself is legitimate when a trusted docker build client opens a BuildKit session, so the signal is an upgrade, and the gRPC methods named above, arriving from a source that has no business talking to the daemon, on a listener that does not authenticate its clients.

    Then watch resources. Regular auditing of CPU, memory, and disk usage reveals the sustained, flat-topped CPU consumption typical of mining. Any unexplained spike, especially one tied to a container nobody recognizes, should trigger further investigation.

    Intrusion detection systems (IDS) and endpoint detection and response (EDR) tooling can be configured to flag the specific API calls involved: file synchronization, health checks, and credential or token exchanges over the session interface, along with container creation from unexpected sources. Finally, access controls combined with logging of API activity let you detect and trace unauthorized access attempts or malicious changes close to real time.
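    The traffic-side check above, as an added example that is not code from the original report: a small Python detector that groups Docker API requests by source address, tags the version probe, the Upgrade: h2c request, the build-session gRPC methods named earlier and any container creation, and scores the chain. It assumes an HTTP-aware sensor or reverse proxy that records each request’s source, method, path and headers, including HTTP/2 paths after the upgrade; the sample records are constructed, and the /session path (the endpoint the Docker Engine API documents for this upgrade) is illustrative, since the detector keys on the Upgrade header rather than the path.

```python
"""Flag the gRPC/h2c abuse chain described above in Docker remote API request logs.

Added example, not code from the original report. Assumes an HTTP-aware sensor or
reverse proxy in front of the Docker API that records each request's source,
method, path and headers, and that it also records HTTP/2 :path values once a
connection has been upgraded to h2c. All records below are constructed.
"""
from collections import Counter

# gRPC services named in the write-up. All three belong to the build-session
# interface dockerd exposes to BuildKit clients over an h2c upgrade, so they are
# legitimate from a trusted `docker build` and suspicious from anyone else.
GRPC_PREFIXES = (
    "/grpc.health.v1.Health/",
    "/moby.filesync.v1.FileSync/",
    "/moby.filesync.v1.Auth/",
)


def classify(req):
    """Return the tags that describe a single request."""
    tags = []
    path = req["path"]
    headers = {k.lower(): v.lower() for k, v in req.get("headers", {}).items()}
    if path.endswith("/_ping"):
        tags.append("probe:ping")
    if path.endswith("/version"):
        tags.append("probe:version")
    if "h2c" in headers.get("upgrade", ""):
        tags.append("upgrade:h2c")
    if headers.get("content-type", "").startswith("application/grpc") or path.startswith(GRPC_PREFIXES):
        tags.append("grpc")
    for prefix in GRPC_PREFIXES:
        if path.startswith(prefix):
            # "/moby.filesync.v1.FileSync/" -> "FileSync"
            tags.append("grpc:" + prefix.strip("/").rsplit(".", 1)[-1])
    if path.endswith("/containers/create"):
        tags.append("container:create")
    if "/containers/" in path and path.endswith("/start"):
        tags.append("container:start")
    return tags


def score_source(requests):
    """Turn all requests from one source into a verdict plus the evidence for it."""
    tags = Counter()
    for r in requests:
        tags.update(classify(r))
    evidence = [label for key, label in (
        ("probe:version", "version probe"),
        ("upgrade:h2c", "h2c upgrade"),
        ("grpc:FileSync", "FileSync over gRPC"),
        ("grpc:Auth", "Auth over gRPC"),
        ("container:create", "container create"),
    ) if tags[key]]
    # The chain that matters: h2c upgrade, BuildKit session RPCs, then a new
    # container, all from one source. A probe or an upgrade alone is only a hint.
    if tags["upgrade:h2c"] and (tags["grpc:FileSync"] or tags["grpc:Auth"]) and tags["container:create"]:
        return "high", evidence
    if tags["upgrade:h2c"] and tags["grpc"]:
        return "medium", evidence
    if tags["probe:version"] or tags["upgrade:h2c"]:
        return "low", evidence
    return "none", evidence


def analyze(log, trusted_sources=frozenset()):
    """Group a request log by source address and score each source."""
    by_src = {}
    for r in log:
        by_src.setdefault(r["src"], []).append(r)
    results = {}
    for src, reqs in by_src.items():
        verdict, evidence = score_source(reqs)
        # A legitimate build from a known CI runner performs the same upgrade and
        # RPCs; downgrade it to a review item instead of an alert.
        if src in trusted_sources and verdict != "none":
            verdict = "info"
        results[src] = (verdict, evidence)
    return results


def _h2c():
    return {"Connection": "Upgrade, HTTP2-Settings", "Upgrade": "h2c"}


def _grpc():
    return {"Content-Type": "application/grpc"}


# Constructed sample log (TEST-NET and RFC 1918 addresses, not real traffic).
SAMPLE_LOG = [
    # Unknown Internet host: probe, upgrade, session RPCs, then a new container.
    {"src": "203.0.113.7", "method": "GET",  "path": "/_ping", "headers": {}},
    {"src": "203.0.113.7", "method": "GET",  "path": "/v1.43/version", "headers": {}},
    {"src": "203.0.113.7", "method": "POST", "path": "/session", "headers": _h2c()},
    {"src": "203.0.113.7", "method": "POST", "path": "/grpc.health.v1.Health/Check", "headers": _grpc()},
    {"src": "203.0.113.7", "method": "POST", "path": "/moby.filesync.v1.FileSync/DiffCopy", "headers": _grpc()},
    {"src": "203.0.113.7", "method": "POST", "path": "/moby.filesync.v1.Auth/FetchToken", "headers": _grpc()},
    {"src": "203.0.113.7", "method": "POST", "path": "/v1.43/containers/create", "headers": {}},
    {"src": "203.0.113.7", "method": "POST", "path": "/v1.43/containers/0a1b2c/start", "headers": {}},
    # Trusted CI runner doing a legitimate docker build: same upgrade, same RPCs.
    {"src": "10.0.0.5", "method": "GET",  "path": "/v1.43/version", "headers": {}},
    {"src": "10.0.0.5", "method": "POST", "path": "/session", "headers": _h2c()},
    {"src": "10.0.0.5", "method": "POST", "path": "/moby.filesync.v1.FileSync/DiffCopy", "headers": _grpc()},
    # Monitoring host listing containers over plain HTTP/1.1.
    {"src": "10.0.0.9", "method": "GET",  "path": "/v1.43/containers/json", "headers": {}},
]

if __name__ == "__main__":
    for src, (verdict, evidence) in analyze(SAMPLE_LOG, trusted_sources={"10.0.0.5"}).items():
        print(f"{src:15} {verdict:6} {', '.join(evidence)}")
```

    A trusted CI runner performs exactly the same upgrade and FileSync calls during a normal docker build, which is why the detector downgrades known sources to a review item rather than suppressing them. The real discriminator is an unauthenticated listener reachable by a source that should not be there, so the trusted list must be short and deliberate.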


    Further Security Considerations

    The use of clear-text HTTP/2 (h2c) in this attack underscores the need to put every remote Docker API listener behind TLS with client certificate verification (dockerd’s tlsverify mode), or better, to not expose it on TCP at all and reach the daemon over the local Unix socket or an SSH tunnel. TLS does not remove the h2c upgrade, which is part of Docker’s own API, but it means only clients holding a certificate from your CA can reach the endpoint that accepts it; an anonymous Internet host never gets as far as the upgrade.

    In addition, intrusion detection systems (IDS) should be configured to notice protocol upgrades, particularly an HTTP/1.1 connection switching to h2c and then carrying gRPC, since inspection that stops at HTTP/1.1 misses everything after the switch. Network segmentation is another key defense: limiting access to the Docker API to trusted IPs or internal management networks significantly reduces exposure.

    Lastly, organizations should regularly audit Docker API configurations and monitor for unusual network traffic or system resource usage spikes. Detecting cryptomining activity early is key to minimizing damage and preventing attackers from gaining a foothold.
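    One way to do that configuration audit, as an added example (not Docker’s tooling and not code from the original report): a Python check over dockerd’s daemon.json that reports any tcp:// listener running without tlsverify, a tlsverify listener missing its tlscacert/tlscert/tlskey material, and listeners bound to all interfaces. The two daemon.json documents inside are constructed; the paths and addresses are illustrative.

```python
"""Audit a dockerd daemon.json for the exposure this attack depends on.

Added example, not code from Docker or the original report. It reads the documented
daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey); the two sample
documents below are constructed.
"""
import json

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(raw):
    """Return a list of findings for one daemon.json document (JSON string or dict)."""
    cfg = json.loads(raw) if isinstance(raw, str) else raw
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local and gated by file permissions
        addr = host[len("tcp://"):]
        if not cfg.get("tlsverify", False):
            # Without tlsverify the listener is clear text and unauthenticated:
            # anyone who can reach the port can probe /version, upgrade to h2c
            # and create containers, which is exactly the chain described above.
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated, clear-text API)")
        else:
            missing = [k for k in TLS_KEYS if k not in cfg]
            if missing:
                findings.append(f"{host}: tlsverify set but {', '.join(missing)} not configured")
        if addr.startswith(("0.0.0.0:", "[::]:", ":")):
            findings.append(f"{host}: bound to all interfaces; bind to a management address and firewall it")
    return findings


# Constructed examples: the exposed configuration and a hardened one.
INSECURE = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.2:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

    Two cautions when acting on a finding. If the systemd unit already passes -H to dockerd, adding hosts to daemon.json makes the daemon refuse to start with a conflicting-flags error, so define the listeners in one place only. And even with tlsverify, anyone holding a valid client certificate is effectively root on the host, so issue certificates narrowly and rotate them.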

    By targeting poorly secured Docker APIs and using advanced techniques like gRPC/h2c, attackers can gain control of cloud resources and deploy cryptominers with relative ease. Strengthening Docker security through proper API configurations, TLS, access controls, and proactive monitoring is essential in defending against these threats.




  • Netizen: Monday Security Brief (10/21/2024)

    Today’s Topics:

    • Microsoft Issues Urgent Warning to Apple Users: Critical Update Required to Address “HM Surf” Vulnerability
    • Chinese Nation-State Hackers APT41 Target Gambling Sector for Financial Gain
    • How can Netizen help?

    Microsoft Issues Urgent Warning to Apple Users: Critical Update Required to Address “HM Surf” Vulnerability

    In a recent announcement, Microsoft alerted millions of Apple users to a serious security threat dubbed “HM Surf.” This vulnerability poses significant risk, particularly on macOS devices managed through a Mobile Device Management (MDM) setup, which makes it primarily a concern for enterprise environments rather than individual home users.

    The HM Surf vulnerability exploits a bypass in the Transparency, Consent, and Control (TCC) framework within Safari. TCC is designed to protect user data, including sensitive information accessed via the device’s camera, microphone, and location services. However, the flaw allows attackers to gain unauthorized access to this data without the user’s consent, effectively circumventing the protective measures intended to safeguard user privacy.

    Microsoft discovered that this exploit could enable malicious actors to covertly:

    • Capture continuous video from the device’s camera.
    • Record audio through the microphone and transmit it to remote servers.
    • Retrieve sensitive information about the device’s location.
    • Manipulate Safari’s interface to operate discreetly without drawing attention.

    Microsoft has advised all macOS users to promptly update their devices to protect against this vulnerability. The flaw has been identified as CVE-2024-44133, and Apple has addressed it as part of its security updates for macOS Sequoia, released on September 16, 2024. Users are urged to apply these updates immediately to mitigate potential risks.

    In their statement, Microsoft emphasized the urgency: “We encourage macOS users to apply these security updates as soon as possible.” The update not only fortifies Safari against this specific vulnerability but also strengthens overall privacy controls within macOS.

    According to Microsoft, the vulnerability arises because Apple retains certain private entitlements for its applications, including Safari. These entitlements grant Safari extensive permissions that allow it to bypass standard TCC checks, unlike third-party browsers such as Google Chrome or Mozilla Firefox, which are required to request user permissions explicitly for accessing sensitive features.

    The implications of this are profound; if Safari is exploited, it can operate with elevated access that other browsers do not possess. Consequently, this creates a potential threat landscape for macOS users, particularly in enterprise settings where sensitive data is routinely handled.

    In response to this vulnerability, Apple has taken steps to harden Safari’s security, including restrictions on modifying configuration files that could enable such exploits. Microsoft has also announced its collaboration with other major browser vendors to enhance the security of their local configuration files. While efforts are underway for browsers based on Chromium and Firefox to adopt improved security measures, Safari users must prioritize applying the latest updates to their devices.

    For users who may have questions or require further assistance, it is advisable to consult the official Apple support channels or cybersecurity experts to ensure comprehensive protection against emerging threats.



    Chinese Nation-State Hackers APT41 Target Gambling Sector for Financial Gain

    A sophisticated cyber attack attributed to the Chinese nation-state actor APT41 has recently targeted the gambling and gaming industry, raising serious concerns about data security and financial exposure. Over roughly six months the attackers stealthily gathered sensitive information, including network configurations, user passwords, and secrets extracted from the LSASS (Local Security Authority Subsystem Service) process.

    Ido Naor, co-founder and CEO of Security Joes, emphasized the attackers’ adaptability during the intrusion: they continuously updated their tools in response to the security team’s actions, showing a high level of skill and methodical planning. The intrusion as a whole lasted nearly nine months and overlaps with activity that Sophos tracks as Operation Crimson Palace.

    Naor noted that these attacks are often influenced by state-sponsored agendas, with a high degree of confidence that APT41 was motivated by financial gain this time. The attackers employed a multi-faceted approach, utilizing a custom toolset designed to bypass existing security measures while harvesting critical information and establishing covert channels for persistent remote access.

    The initial access vector remains unidentified, but the evidence points to spear-phishing emails, since no exploitable vulnerabilities were found in the victim’s publicly accessible web applications. Once inside the network, the attackers ran a DCSync attack, abusing directory replication permissions to pull password hashes for service and admin accounts from a domain controller, which let them expand their access and maintain control over the network.

    APT41’s techniques included:

    • Phantom DLL Hijacking: planting a DLL under the name of a library that a legitimate Windows process tries to load but that does not exist on disk, so the process loads the attacker’s payload instead.
    • Use of wmic.exe: The legitimate Windows Management Instrumentation Command-line utility was abused to execute commands indirectly, facilitating the download of additional malware.

    The next stage of the attack involved retrieving a malicious DLL file named TSVIPSrv.dll over the SMB protocol, which then established contact with a hard-coded command-and-control (C2) server. If the connection failed, the implant would scrape GitHub for user information to update its C2 details, showcasing a unique technique to maintain operational flexibility.

    After being detected, the threat actors remained silent for several weeks before returning with a revised strategy. They executed heavily obfuscated JavaScript code within a modified XSL file (texttable.xsl), utilizing the wmic.exe command to load and execute malicious code. This JavaScript served as a downloader, contacting a secondary C2 server to retrieve more malware while fingerprinting the infected system.

    Security Joes observed that the malware specifically targeted machines within certain subnets, indicating a focused approach to compromise only valuable devices. This was achieved through filtering mechanisms that ensured only specific targets were affected, particularly those connected to the organization’s VPN.
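    Two of the behaviours above, the DCSync and the wmic.exe stylesheet trick, can be caught from ordinary Windows telemetry. The following is an added example written for this page, not code from Security Joes or from the report it summarizes: it checks Security event 4662 for replication rights (DS-Replication-Get-Changes and its siblings) requested by anything other than an allowlisted account, and Sysmon process-creation events for wmic.exe given a /format: stylesheet that is remote or lives outside System32\wbem. The events are simplified, constructed dictionaries, and their field names are assumptions to map onto your own SIEM schema.

```python
"""Detection logic for two of the APT41 behaviours described above: DCSync-style
replication requests and wmic.exe loading an XSL stylesheet.

Added example, not from the Security Joes report. Events are simplified dicts
shaped like Windows Security event 4662 and Sysmon event 1; the field names are
assumptions (adapt them to your SIEM's schema) and the sample events are constructed.
"""
import re

# Extended rights that a DCSync needs on the domain naming context.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
WMIC_FORMAT_RE = re.compile(r'/format\s*:\s*"?([^\s"]+)', re.I)
WBEM_DIR = "c:\\windows\\system32\\wbem\\"


def dcsync_reason(event, trusted_accounts):
    """Return a reason string if a 4662 event looks like DCSync, else None."""
    if event.get("EventID") != 4662:
        return None
    rights = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    used = sorted(REPLICATION_RIGHTS[g] for g in rights & REPLICATION_RIGHTS.keys())
    if not used:
        return None
    account = event.get("SubjectUserName", "")
    # Domain controllers replicate with each other using their machine accounts
    # (NAME$), and directory sync services such as Azure AD Connect hold the same
    # rights; everything else asking for them is worth an alert.
    if account.upper() in {a.upper() for a in trusted_accounts}:
        return None
    return f"DCSync: {account} requested {', '.join(used)}"


def wmic_xsl_reason(event):
    """Return a reason string if a Sysmon 1 event shows wmic.exe loading an XSL file."""
    if event.get("EventID") != 1:
        return None
    if not event.get("Image", "").lower().endswith("\\wmic.exe"):
        return None
    m = WMIC_FORMAT_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    target = m.group(1).lower()
    if target.startswith(("http://", "https://", "\\\\")):
        return f"wmic /format: remote stylesheet {m.group(1)}"
    has_path = "\\" in target or "/" in target
    if has_path and not target.startswith(WBEM_DIR):
        return f"wmic /format: stylesheet outside System32\\wbem: {m.group(1)}"
    # Heuristic: built-in formats (list, csv, texttable, ...) are normally named
    # without an extension; an explicit .xsl with no path is unusual enough to review.
    if not has_path and target.endswith(".xsl"):
        return f"wmic /format: explicit .xsl by bare name: {m.group(1)}"
    return None


def scan(events, trusted_accounts):
    """Run both detections over a list of events and return (host, reason) alerts."""
    alerts = []
    for e in events:
        reason = dcsync_reason(e, trusted_accounts) or wmic_xsl_reason(e)
        if reason:
            alerts.append((e.get("Computer", "?"), reason))
    return alerts


REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"

# Constructed sample events.
SAMPLE_EVENTS = [
    # DC02 replicating with DC01: expected.
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "Properties": REPL},
    # A service account asking for replication rights: DCSync.
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc_backup", "Properties": REPL},
    # Unrelated directory read (constructed property GUID).
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    # Ordinary wmic use with a built-in format.
    {"EventID": 1, "Computer": "WS07", "Image": WMIC, "CommandLine": "wmic os get /format:list"},
    # Stylesheet staged under a user-writable path (the texttable.xsl pattern above).
    {"EventID": 1, "Computer": "WS07", "Image": WMIC,
     "CommandLine": 'wmic process get /format:"C:\\Users\\Public\\texttable.xsl"'},
    # Stylesheet fetched over HTTPS (TEST-NET address, constructed).
    {"EventID": 1, "Computer": "WS07", "Image": WMIC,
     "CommandLine": 'wmic os get /format:"https://203.0.113.9/texttable.xsl"'},
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS, trusted_accounts={"DC01$", "DC02$"}):
        print(host, reason)
```

    Two things to check before trusting the DCSync rule in production: Azure AD Connect and similar directory sync services legitimately hold replication rights, so add their specific accounts to the allowlist rather than widening the rule, and event 4662 only fires when Audit Directory Service Access is enabled and the domain object carries a matching SACL, so confirm the events are actually being collected.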





  • Case Study:  2023 Cyberattack on Lehigh Valley Health Network

    Overview

    In early February 2023, Lehigh Valley Health Network (LVHN) fell victim to a cyberattack orchestrated by the ransomware group BlackCat, which has been linked to Russian cybercriminals. The attack, which was detected on February 6, revealed a breach of sensitive data, specifically targeting the Lehigh Valley Physician Group-Delta Medix. This incident raised immediate concerns about the security of patient information and the effectiveness of the healthcare network’s cybersecurity measures.

    The breach was a sophisticated operation typical of BlackCat, which is known for its ability to exploit vulnerabilities in healthcare systems. Upon detection, LVHN initiated a multi-faceted response. This included engaging with cybersecurity experts to conduct a thorough investigation, containing the ransomware, and alerting law enforcement authorities. Despite these efforts, the incident highlighted systemic vulnerabilities within the organization, as it revealed the extent of compromised patient data.

    Ransomware attacks like this are becoming increasingly common, especially in healthcare, where patient information is critical. BlackCat employed a tactic called “triple extortion,” meaning they not only encrypted LVHN’s data but also threatened to leak sensitive information and launch denial-of-service (DoS) attacks to disrupt services. These tactics put immense pressure on organizations to consider paying the ransom. However, LVHN decided against it, which led to the release of sensitive photos online, raising serious ethical concerns and impacting the trust of their patients.


    Impact

    The breach impacted the personal information of numerous patients, with LVHN later disclosing that the compromised data varied by individual. It potentially included names, addresses, phone numbers, medical record numbers, treatment details, and health insurance information. More alarmingly, the breach also involved sensitive clinical information, including Current Procedural Terminology (CPT) codes, which identify the specific procedures and services a patient received.

    In some cases, the data theft extended to email addresses, banking information, Social Security numbers, and clinical images of patients undergoing treatment. The loss of clinical images is particularly concerning, as these records can reveal intimate details of a patient’s health status, treatment history, and personal identifiers.

    Following the breach, LVHN took immediate steps to notify affected individuals and offered a complimentary 24-month subscription to Experian’s IdentityWorks service to help monitor potential misuse of their personal information. The organization sent out notification letters that included instructions for activating this membership, acknowledging the stress and concern such an incident can cause.

    In its public statements, LVHN assured the community of its commitment to data protection. They expressed deep regret for any inconvenience caused by the incident, stating, “We are committed to data protection and deeply regret any concern or inconvenience this incident may have caused.” However, the organization faced a dual challenge: managing the technical fallout while maintaining public trust.

    Despite the cyberattack, LVHN reported that its core operations continued without disruption, indicating that its emergency response protocols were somewhat effective. However, the breach’s occurrence during a time of heightened digital health adoption highlighted the increased vulnerability of healthcare systems to cyber threats, especially as more patient data is managed electronically.

    The implications of the breach extended far beyond immediate operational concerns. LVHN faced significant financial repercussions as the incident’s fallout led to a series of lawsuits. By September 2024, LVHN reached a $65 million settlement with victims affected by the data breach, a figure that reflects not only the direct costs associated with managing the aftermath but also the long-term impacts on the organization’s reputation and trustworthiness.

    Healthcare organizations often grapple with the delicate balance between safeguarding sensitive data and maintaining operational efficiency. LVHN’s experience exemplifies how the costs associated with a cyber incident can escalate rapidly, leading to financial strain and potential losses in patient trust.


    What Can Be Learned From This?

    Several key lessons can be drawn from this incident, which may help other organizations strengthen their defenses against similar threats.

    End-user awareness remains the first line of defense against cyberattacks. Human error is frequently the initial entry point for ransomware operators such as BlackCat. Regular training sessions, ideally quarterly, focused on cybersecurity best practices can help employees recognize phishing attempts, exercise caution with email attachments, and understand the importance of strong passwords. These proactive measures can dramatically reduce the risk of a successful attack.

    Given that attackers may obtain user credentials, deploying MFA is crucial. Requiring an additional factor protects sensitive data even after a password has been stolen. Prefer an authenticator app or, better, a phishing-resistant hardware-backed factor such as FIDO2 over SMS codes, which can be intercepted or phished; even so, any second factor is a large improvement over none. MFA is relatively easy to roll out and significantly reduces the chance of unauthorized access.

    Proper network segmentation can limit the spread of malware within an organization. By isolating critical systems and restricting access based on necessity, healthcare providers can contain potential breaches more effectively. Additionally, adhering to the principle of least privilege ensures that users have only the access necessary for their roles, further reducing the potential attack surface.

    Organizations should leverage security monitoring tools, such as Wazuh, to enhance their threat detection capabilities. By continuously monitoring network traffic and system logs, these tools can identify suspicious activities in real-time, enabling swift incident response. Moreover, integrating threat intelligence feeds can provide valuable insights into emerging threats, allowing organizations to proactively adjust their defenses.

    While it is impossible to prevent all breaches, having a well-defined incident response plan can minimize the impact of an attack. This plan should outline roles and responsibilities, establish communication protocols, and include strategies for data recovery and mitigation. Regular testing and updates to the plan ensure that all personnel are prepared to act decisively in the event of a cybersecurity incident.

    Healthcare organizations must prioritize the protection of patient data by implementing robust encryption, regular audits, and compliance with relevant regulations. This commitment not only safeguards sensitive information but also helps to maintain patient trust in the organization.


    Conclusion

    As cyber threats continue to evolve, the lessons learned from LVHN’s experience can help shape future strategies for protecting sensitive patient information and ensuring the resilience of healthcare systems. By fostering a culture of cybersecurity awareness, investing in the right technologies, and implementing robust incident response plans, healthcare organizations can better safeguard against the pervasive threat of cyberattacks.

    In a landscape where patient data security is paramount, taking proactive steps is not just advisable; it is essential for maintaining the trust and safety of patients and the integrity of the healthcare system as a whole.

  • Pokémon’s ‘Teraleak’: 25 Years of Secrets Unveiled in Massive Game Freak Hack

    In a major security breach, Pokémon developer Game Freak has reportedly suffered what’s being referred to as a “teraleak,” releasing more than 25 years of never-before-seen Pokémon art, assets, and confidential documents. First reported by Nintendo Life, this massive leak includes a treasure trove of concept art, internal development materials, and even plans for canceled movies. The breach, which Game Freak confirmed occurred in August 2024, has left employee names and contact information compromised, though the scope of stolen intellectual property appears to go far beyond that.


    What Was Stolen?

    According to reports circulating on social media, including the PokeLeaks subreddit and posts from Pokémon leak aggregator CentroLeaks, the stolen material includes:

    • Work-in-progress sprites from Generation 3, 4, and 5 Pokémon games
    • Concept art for the 1997 Pokémon anime
    • Detailed background lore on the Pokémon universe
    • Meeting minutes from a discussion on Ash Ketchum’s final story arc
    • Early development pitches for Detective Pikachu 2 and a mystery project titled “Game Boy”
    • Codenames for future hardware, including “Ounce,” thought to be associated with the next Nintendo console, the Switch 2

    This information flood mirrors the 2020 “gigaleak” suffered by Nintendo, which exposed significant amounts of legacy data. The volume and range of content, dubbed the “teraleak,” have sparked extensive discussion and speculation across multiple platforms.


    PII and Design Materials Compromised

    A significant amount of personally identifiable information (PII) was exposed in the Game Freak breach. According to Game Freak’s October 10th statement, the names and company email addresses of 2,606 current and former employees, as well as external contractors, were compromised. This includes personal information related to both employees and individuals working with the company, although there’s no mention of more sensitive data like social security numbers or home addresses being involved.

    Game Freak has confirmed that it is contacting those affected by the breach, and there is speculation that phishing played a role in enabling the attack. Beyond the employee data, however, most attention has focused on the stolen Pokémon design materials and internal development documents, which the company has yet to officially confirm were part of the stolen data. Given the nature of the breach, some suspect that Game Freak is refraining from acknowledging the leaked creative assets to avoid further legitimizing the stolen material.


    Was Phishing Involved?

    Online speculation has pointed to phishing as a possible method of access. Many users believe that one of Game Freak’s employees may have been tricked by a phishing scam, which granted the attacker entry into the company’s servers. This theory is gaining traction, especially given the gap between the August breach and the October leak of massive amounts of confidential data.


    What’s Next?

    While Game Freak has taken steps to rebuild its server infrastructure, the implications of the leak are still unfolding. Many speculate that the August breach may have been a precursor to the larger-scale leak now dominating headlines. The long-term effects of this “teraleak” on Game Freak’s projects, along with potential legal actions against those sharing the stolen information, remain to be seen.

    Game Freak now joins the ranks of major game companies like Nintendo and Rockstar, which have both suffered high-profile security breaches in recent years. As more data continues to surface, it’s clear that the ramifications of this breach will resonate throughout the Pokémon community (and beyond) for quite some time.




  • Netizen: Monday Security Brief (10/14/2024)

    Today’s Topics:

    • DoD Finalizes CMMC 2.0 Rule: What Contractors Need to Know for 2025 Compliance
    • 77,000 Customers Impacted in Fidelity Investments Data Breach
    • How can Netizen help?

    DoD Finalizes CMMC 2.0 Rule: What Contractors Need to Know for 2025 Compliance

    The Department of Defense (DoD) has taken a significant step toward rolling out its updated Cybersecurity Maturity Model Certification (CMMC) 2.0 by releasing the final rule. The rule is now available for public review on the Federal Register, with the official publication expected on October 15. This move sets the stage for full implementation of CMMC 2.0 by mid-2025, according to the DoD’s recent announcement.

    CMMC 2.0 is designed to help safeguard sensitive government information—like controlled unclassified information (CUI) or federal contract information (FCI)—on contractor systems. The model introduces tiered levels of cybersecurity compliance based on the nature of the data a contractor handles. The goal is to protect DoD data from being exploited by adversaries while streamlining the process, especially for smaller contractors. CMMC 2.0 reduces the compliance levels from five to three to make it easier for companies to meet these new standards.

    This effort is the culmination of several years of work. It began during the previous administration when the initial framework was developed. In December 2023, the DoD kickstarted the federal rulemaking process for CMMC 2.0 by publishing a proposed rule. This was followed in August 2024 by another proposal to update the Defense Federal Acquisition Regulation Supplement (DFARS), which will make cybersecurity a key factor in future Pentagon contracts.

    The plan is for these DFARS updates to be finalized and implemented by mid-2025. At that point, CMMC compliance will be a requirement in DoD contracts. Contractors that handle CUI or FCI must meet the appropriate cybersecurity level to secure contract awards.

    For companies dealing with less sensitive data, the DoD has built in flexibility: Level 1 contractors (FCI only), and a subset of Level 2 contractors where the DoD specifies it, can self-assess their cybersecurity practices. Most Level 2 contractors handling CUI will need an assessment by an accredited third-party assessment organization (C3PAO), and Level 3 assessments are led by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to verify compliance.

    The CMMC initiative hasn’t been without criticism. Many in the defense industry, particularly small businesses, have expressed concerns over the cost and complexity of meeting these new requirements. In response, the DoD has committed to providing resources to help contractors navigate the process.

    One important feature of CMMC 2.0 is its limited allowance for “Plans of Action and Milestones” (POA&Ms). A contractor that has not yet met every required practice can receive a conditional certification, valid for 180 days, during which the open items must be closed out and verified; this lets them compete for contracts while finishing remediation. The allowance is narrow: POA&Ms are not permitted at Level 1, and at Levels 2 and 3 they are allowed only for a limited set of lower-weighted requirements and only if the assessment still meets a minimum score.

    The DoD recognizes that meeting these new cybersecurity requirements will take time and effort, but it’s urging businesses in the defense sector to begin assessing their current security practices and start preparing for the upcoming CMMC assessments.



    77,000 Customers Impacted in Fidelity Investments Data Breach

    Fidelity Investments is alerting tens of thousands of individuals that their personal information was compromised in a recent data breach. The financial services company reported that unauthorized activity occurred between August 17 and 19, leading to the exposure of sensitive customer information.

    According to reports filed with attorneys general in several states, the attacker created two fraudulent customer accounts and used them to retrieve images of documents containing personal details from an internal Fidelity database. The activity was identified and contained on August 19, when Fidelity shut down the unauthorized access.

    While Fidelity has indicated that the breach impacted only a “small subset” of customers, it reported to Maine’s Attorney General that over 77,000 individuals were affected. Compromised information includes names, Social Security numbers, financial account details, and driver’s license data. However, the company assured that no customer accounts or funds were jeopardized.

    In response, Fidelity is offering those impacted two years of free credit monitoring and identity restoration services. This is the second significant security incident the company has disclosed in 2024: earlier this year, roughly 30,000 individuals were notified of a separate breach involving a third-party service provider, Infosys McCamish Systems (IMS).

    Fidelity Investments, which manages $14 trillion in assets and serves over 51 million individual investors, continues to take steps to address these security challenges and safeguard customer information.




  • What Is Persistence in Cybersecurity and How Do You Stop an Advanced Persistent Threat (APT)?

    An advanced persistent threat (APT) is a prolonged, targeted intrusion in which an attacker gains long-term, undetected access to a network. The “persistent” part is what sets it apart: a one-off phishing or commodity malware campaign ends once its payload has run, whereas an APT is built to stay hidden for months or years and to keep control through system reboots, credential changes, and other defensive measures. Persistence, in the narrower MITRE ATT&CK sense, is the set of techniques an attacker uses to keep that foothold; it is one tactic within an APT operation, not another name for one.

    This blog will discuss the impacts of APTs, how persistence methods work, and the various ways attackers achieve and maintain access within a network.


    ATA vs. APT: What’s the Difference?

    The terms Advanced Targeted Attack (ATA) and Advanced Persistent Threat (APT) are sometimes used interchangeably, but they describe different things. An ATA is a single, purpose-built intrusion against a chosen target: the methodology and tooling used to break in. An APT is the adversary behind such campaigns, groups such as “Fancy Bear” (APT28) or “Lazarus”, together with the long-term access they establish. Tactics vary from group to group, but the objective is consistent: a durable presence inside the target’s environment. In short, ATAs are the attacks; APTs are the actors and the sustained control they maintain.


    How Do APTs Remain Hidden for So Long?

    One of the most significant challenges in addressing APTs is their ability to remain undetected. Many organizations, especially SMBs, lack the monitoring and detection capabilities needed to spot an intruder who is already inside. Dwell-time figures cited by the FBI and in IBM’s 2022 Cost of a Data Breach Report put the average at roughly 200 days (IBM’s figure for the mean time to identify a breach was 207 days). During that time, attackers can create additional user accounts, gain remote access to key systems, and take control of servers, all without triggering an alert.

    Threat actors may also stage a diversion, such as a DDoS attack, to pull the security team’s attention toward a noisy but secondary incident while the real intrusion continues unnoticed. The organization scrambles to address the decoy; the attacker uses the time to work on higher-value targets.


    Key Risks Posed by Advanced Persistent Threats

    APTs pose a wide array of risks, as attackers can exploit their access for multiple malicious purposes. These include:

    • Infiltrating the victim’s supply chain, targeting partners, vendors, or customers.
    • Cyber espionage, often driven by nation-states looking to compromise government agencies or critical infrastructure.
    • Cybersecurity reconnaissance, allowing attackers to observe weaknesses in an organization’s defenses or identify users susceptible to phishing.
    • Initiating watering-hole attacks, in which attackers compromise websites frequently visited by their targets.
    • Exfiltrating data without detection, leveraging the long-term access to avoid raising red flags.
    • Intellectual property theft, particularly sensitive in industries like technology, defense, or pharmaceuticals.
    • Slowly leaking sensitive data, evading detection by blending in with normal network activity.

    How Does the Persistence Method Work?

    Hackers use a variety of techniques to maintain their foothold within a compromised network, including:

    • Windows Services: Creating a new service, or modifying a legitimate one, so that the attacker’s binary starts automatically at boot under an innocuous name. Scheduled tasks and registry Run keys are used the same way.
    • Misconfigurations: Exploiting improperly configured security settings.
    • Custom Malware: Writing bespoke malware that signature-based tools do not recognize, sometimes delivered through zero-day exploits, so the implant survives routine scans.
    • Domain-based Persistence: Attackers may compromise a domain controller or other key servers within a network, giving them persistent access to all connected systems.

    Attackers also take advantage of multi-stage operations to establish a foothold. After initial access—often through phishing, social engineering, or exploiting known vulnerabilities—they install malware like backdoors or rootkits. These tools allow them to maintain access while remaining hidden from most monitoring systems.

    They also use privilege escalation techniques, gradually gaining more control over the system by exploiting software vulnerabilities or using stolen credentials. By obtaining administrative privileges, attackers can move laterally through a network, exfiltrating data or preparing the system for larger attacks without detection.


    Case Studies: Learning from Real-World APT Incidents

    Examining real-world case studies of Advanced Persistent Threat incidents can provide invaluable insights into the tactics and strategies used by attackers. For instance, in the SolarWinds breach the attackers compromised the vendor’s build process and shipped a backdoor inside signed Orion software updates, reaching thousands of customer organizations (a much smaller number of which were then targeted for follow-on intrusion); it remains a cautionary tale about the risks that come with third-party vendors and software supply chains. By studying such incidents, organizations can identify gaps in their security posture and develop targeted strategies to address them. Analyzing the timeline of an attack, the methods of exploitation, and the subsequent response offers lessons on improving detection capabilities and refining incident response protocols, leading to a stronger defense against future APTs.


    Countermeasures Against APTs

    Stopping an APT requires a combination of proactive defense strategies and comprehensive detection systems. To protect against these threats, organizations should focus on the following measures:

    • Advanced Threat Detection: Implementing sophisticated detection systems like Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) tools, and endpoint detection and response (EDR) platforms. These solutions help monitor for unusual activity, such as unauthorized access attempts or irregular data transfers.
    • Network Segmentation: Limiting access across different areas of your network can reduce the potential damage of an APT. If an attacker gains access to one segment, network segmentation ensures they cannot move freely across the entire infrastructure.
    • Regular Patching: Keeping software and systems up-to-date by applying security patches as soon as vulnerabilities are disclosed. Attackers often exploit known vulnerabilities, so staying current on updates is one of the simplest but most effective defenses.
    • User Awareness Training: Educating employees about phishing attacks and other social engineering methods can significantly reduce the chances of attackers gaining an initial foothold in the network.
    • Multi-Factor Authentication (MFA): Requiring MFA for all critical systems can make it more difficult for attackers to use stolen credentials to gain access.
    • Incident Response Planning: Having a well-defined incident response plan ensures that if an APT is detected, your organization can act quickly to contain and eliminate the threat. Regularly testing and updating this plan is crucial.
    • Continuous Monitoring: Automated tools that provide continuous system scanning and monitoring, like Netizen’s offerings, are essential for detecting APTs early. By continuously assessing the network for vulnerabilities, misconfigurations, and suspicious activity, businesses can catch attacks before they escalate.
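    The multi-stage chain described under “How Does the Persistence Method Work?” (a new account, elevated rights, then a mechanism that survives reboot) is exactly what the “Advanced Threat Detection” measure above has to catch, so here is an added example of the correlation a SIEM or EDR rule would run. This is example code written for this post; it is not Netizen’s assessment tool and not code from the original. It parses a handful of constructed Windows event records (the event IDs are real Windows/Sysmon IDs; the JSON field names are simplified), groups them per host, and raises a finding when an account creation (4720), an addition to the local Administrators group (4732) and a service, scheduled-task or Run-key registration all land on one host inside a 24-hour window. It also flags, on its own, any autostart whose binary lives under ProgramData, Users or Temp. The window length and the directory list are tuning assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows event IDs (Security log unless noted).
ACCOUNT_CREATED = 4720        # a user account was created
ADDED_TO_LOCAL_GROUP = 4732   # a member was added to a security-enabled local group
TASK_CREATED = 4698           # a scheduled task was created
SERVICE_INSTALLED = 7045      # System log: a new service was installed
SYSMON_REG_VALUE_SET = 13     # Sysmon: a registry value was set (Run keys show up here)
PERSISTENCE_IDS = {TASK_CREATED, SERVICE_INSTALLED, SYSMON_REG_VALUE_SET}

# Tuning assumptions for this example: how far apart the stages of one intrusion
# may be, and directories a legitimate autostart binary rarely lives in.
WINDOW = timedelta(hours=24)
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")

# Constructed JSON-lines records for the example, not real telemetry; the field
# names are simplified versions of what a SIEM would extract from these events.
SAMPLE_LOG = r"""
{"ts": "2024-10-14T02:11:05", "host": "FS01", "id": 4720, "user": "svc_backup2", "actor": "jdoe"}
{"ts": "2024-10-14T02:12:40", "host": "FS01", "id": 4732, "user": "svc_backup2", "group": "Administrators"}
{"ts": "2024-10-14T02:15:22", "host": "FS01", "id": 4698, "task": "Backup Sync", "command": "C:\\ProgramData\\wu\\wu.exe"}
{"ts": "2024-10-14T02:16:03", "host": "FS01", "id": 7045, "service": "WinUpdateSvc", "path": "C:\\ProgramData\\wu\\wu.exe"}
{"ts": "2024-10-14T09:00:00", "host": "WS17", "id": 4720, "user": "asmith", "actor": "helpdesk"}
{"ts": "2024-10-16T09:05:00", "host": "WS17", "id": 7045, "service": "VendorHelper", "path": "C:\\Program Files\\Vendor\\helper.exe"}
{"ts": "2024-10-15T23:40:11", "host": "DC01", "id": 13, "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "details": "C:\\Users\\Public\\upd.exe"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def suspicious_path(path):
    """True when a binary is launched from a directory that services rarely use."""
    return path.lower().startswith(SUSPICIOUS_DIRS)


def find_persistence_chains(events, window=WINDOW):
    """Flag the multi-stage pattern on one host: new account -> admin rights -> autostart.

    Each stage alone can be routine administration; all three inside the window
    are the combination the correlation rule should alert on.
    """
    findings = []
    for i, created in enumerate(events):
        if created["id"] != ACCOUNT_CREATED:
            continue
        user, deadline = created["user"], created["ts"] + window
        admin = persist = None
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, so nothing further is inside the window
            if (later["id"] == ADDED_TO_LOCAL_GROUP and later.get("user") == user
                    and later.get("group") == "Administrators"):
                admin = later
            elif later["id"] in PERSISTENCE_IDS:
                persist = later
        if admin and persist:
            findings.append({"host": created["host"], "stage": "full_chain", "user": user,
                             "persistence_event": persist["id"], "first": created["ts"],
                             "last": max(admin["ts"], persist["ts"])})
    return findings


def find_suspicious_autostarts(events):
    """Flag single autostart registrations whose binary lives in an unusual directory."""
    findings = []
    for e in events:
        if e["id"] == SERVICE_INSTALLED and suspicious_path(e.get("path", "")):
            stage, name, binary = "suspicious_service", e["service"], e["path"]
        elif e["id"] == TASK_CREATED and suspicious_path(e.get("command", "")):
            stage, name, binary = "suspicious_task", e["task"], e["command"]
        elif (e["id"] == SYSMON_REG_VALUE_SET
              and "\\currentversion\\run" in e.get("target", "").lower()
              and suspicious_path(e.get("details", ""))):
            stage, name, binary = "suspicious_run_key", e["target"], e["details"]
        else:
            continue
        findings.append({"host": e["host"], "stage": stage, "name": name,
                         "binary": binary, "first": e["ts"], "last": e["ts"]})
    return findings


def analyze(text):
    """Run both detectors per host over a JSON-lines log and return all findings."""
    by_host = defaultdict(list)
    for e in parse_events(text):
        by_host[e["host"]].append(e)
    findings = []
    for host_events in by_host.values():
        findings += find_persistence_chains(host_events)
        findings += find_suspicious_autostarts(host_events)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        detail = ", ".join(f"{k}={v}" for k, v in f.items() if k not in ("host", "stage"))
        print(f"{f['host']}: {f['stage']} ({detail})")
```

    Run it directly to print the findings for the sample records. The FS01 host produces a full-chain finding plus two standalone ones (the task and the service both point at a binary under ProgramData); DC01 is flagged for a Run key pointing into Users\Public; WS17, where a helpdesk account creation is followed two days later by a vendor service installed under Program Files, produces nothing. That last case is the point of the window and the path check: each stage on its own is normal administration, and only the combination, or the unusual binary location, separates persistence from day-to-day activity.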

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. As part of our commitment to supporting businesses in their compliance journey, we offer CMMC (Cybersecurity Maturity Model Certification) preparation services. Our team assists organizations in understanding the CMMC requirements and developing the necessary controls to meet compliance standards, ensuring they are well-prepared for CMMC assessments.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact