  • Why SMBs Can’t Afford to Ignore the Growing Threat of Initial Access Brokers

    Initial Access Brokers (IABs) have become a cornerstone of the modern cybercrime economy. Instead of carrying out attacks themselves, these actors specialize in breaking into corporate networks and then selling that access to other criminals. By outsourcing the hardest part of the intrusion, getting inside, they allow ransomware operators, data thieves, and other malicious groups to move straight to exploitation. This division of labor lowers risk for IABs while fueling the speed and scale of attacks across industries.


    Why IABs Are Rising

    The growth of Ransomware-as-a-Service (RaaS) has created a perfect market for IABs. Affiliates can launch attacks almost immediately once they purchase valid access, cutting down the time it takes to deploy ransomware. In many cases, IABs now work directly with RaaS affiliates rather than advertising on dark web forums, which reduces visibility to law enforcement. This tighter collaboration benefits both sides: ransomware operators scale their operations more quickly, and IABs secure steady demand for their services.


    Shifting Targets

    The targeting patterns of IABs show how flexible and opportunistic this market has become. In 2023, business services dominated the victim pool, accounting for nearly a third of all observed compromises. By 2024, that dominance shrank to about 13 percent as brokers broadened their focus. Industries across the board are now at risk, with the United States continuing to be the top target due to its economic weight, followed by Brazil and France. The trend indicates that smaller and mid-sized organizations are no longer overlooked; they are now prime targets thanks to the volume-based sales strategy of IABs.


    The Economics of Access

    Pricing illustrates the strategic change. In 2023, access listings ranged from $500 to $3,000, with an average of around $1,979 but a median closer to $1,000. By 2024, most listings, roughly 58 percent, fell under $1,000. Only a small fraction (7 percent) were high-value sales, though those skewed the overall average upward to about $2,047. The drop in price for most access points signals a pivot toward selling more accounts in bulk, trading individual high-ticket sales for volume. The result is that cybercriminals can launch more attacks for less, increasing both the number of victims and the potential damage.


    What’s Next

    IABs are expected to remain a key player in cybercrime. Their ability to provide pre-packaged access lowers barriers for less skilled attackers and accelerates timelines for ransomware groups. With prices trending downward and more industries falling into scope, the threat surface is expanding quickly.

    Organizations that once assumed they were too small or too obscure to be targeted should reconsider that assumption. As access becomes cheaper and more plentiful, even modest businesses are at greater risk.


    What SOC Teams Need to Know

    Security teams should treat IAB-driven intrusions as a high-likelihood precursor to ransomware. Early detection of credential misuse, unusual remote access activity, and privilege escalation attempts is critical. SOC analysts should focus on:

    • Monitoring for abnormal VPN, RDP, and Citrix activity, particularly logins from unexpected geographies or at odd times.
    • Expanding visibility into cloud and SaaS platforms, since stolen access is often resold for these environments.
    • Using threat intelligence to track IAB offerings, which often surface on closed forums before access is sold to ransomware affiliates.
    • Ensuring credential hygiene, MFA enforcement, and rapid offboarding of stale accounts to shrink the attack surface available to brokers.

    By aligning detection and response efforts around the tactics IABs use, SOC teams can catch compromises earlier in the kill chain, before ransomware or data theft occurs.
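
As an added example, not code from the Netizen post: a small Python detector that applies the first bullet above to constructed VPN, RDP and Citrix log lines, flagging off-hours logins, logins from countries outside an assumed expected set, and one account appearing in two countries within a short window. The log field layout, the expected-country set and the business-hours window are all assumptions made for the example.

```python
"""Flag remote-access logins that look like brokered-access use: off-hours
logins, logins from countries outside the organisation's expected set, and the
same account appearing in two countries too close together to be one traveller.
The log lines below are constructed for this example; the field layout is an
assumption, not any vendor's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: <ISO timestamp> <service> <user> <source_ip> <country> <result>
SAMPLE_LOG = """\
2025-10-20T09:12:04 vpn jsmith 203.0.113.10 US success
2025-10-20T10:30:51 rdp jsmith 203.0.113.10 US success
2025-10-20T03:17:22 vpn mlee 198.51.100.7 US success
2025-10-20T11:02:09 vpn aroy 192.0.2.44 US success
2025-10-20T11:41:33 vpn aroy 192.0.2.99 BR success
2025-10-20T14:05:10 citrix tnguyen 203.0.113.55 FR failure
2025-10-20T14:06:02 citrix tnguyen 203.0.113.55 FR success
"""

EXPECTED_COUNTRIES = {"US"}          # assumed: where the workforce normally logs in from
BUSINESS_HOURS = range(7, 20)        # assumed: 07:00-19:59 local time
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is suspicious


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, service, user, ip, country, result = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "service": service, "user": user, "ip": ip,
            "country": country, "result": result,
        })
    return events


def find_suspicious(events):
    """Return (user, reason) findings; only successful logins are scored."""
    findings = []
    last_seen = defaultdict(list)  # user -> [(time, country)] of successful logins
    for e in sorted(events, key=lambda x: x["time"]):
        if e["result"] != "success":
            continue
        user, when, country = e["user"], e["time"], e["country"]
        if when.hour not in BUSINESS_HOURS:
            findings.append((user, f"off-hours {e['service']} login at {when.time()}"))
        if country not in EXPECTED_COUNTRIES:
            findings.append((user, f"{e['service']} login from unexpected country {country}"))
        # Same account seen from a different country within the travel window
        for prev_time, prev_country in last_seen[user]:
            if prev_country != country and when - prev_time <= TRAVEL_WINDOW:
                minutes = (when - prev_time).seconds // 60
                findings.append((user, f"{prev_country} then {country} within {minutes} min"))
                break
        last_seen[user].append((when, country))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

On the sample data this reports mlee's 03:17 login, aroy's Brazil login and US-to-Brazil jump, and tnguyen's French login, while jsmith's two in-country daytime logins pass.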


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Why SNMPv1 and v2c Put Your Network at Risk (and Why You Should Upgrade)

    The Simple Network Management Protocol (SNMP) has long been the backbone of network monitoring. Routers, switches, servers, and even printers rely on SNMP to relay information about performance, status, and availability to a central monitoring system. This setup makes life easier for administrators, allowing for automated discovery, mapping, and alerts across the network.

    However, the protocol was designed in a time when perimeter defenses were considered sufficient. That assumption no longer holds true. Today, SNMP, particularly in its earlier versions, is a potential entry point for attackers. Understanding the weaknesses of SNMP, how it can be exploited, and what steps can be taken to mitigate risk is essential for modern network security.


    How SNMP Works and Where the Risks Begin

    SNMP relies on an agent embedded in each device and a manager that issues requests. The manager sends Get requests that contain a community string, which serves as an identifier or password. These requests allow the agent to pull data from the device and send it back to the manager for monitoring.

    The problem arises because in SNMPv1 and SNMPv2c, community strings are transmitted in plain text. Attackers can intercept them with a packet sniffer, steal credentials, and then either eavesdrop or make unauthorized changes to devices. From there, they can escalate into denial-of-service attacks or even command injection on vulnerable systems.


    Versions of SNMP: Strengths and Weaknesses

    • SNMPv1: The original version, simple to deploy but protected only by a community string that is visible in plain text.
    • SNMPv2c: Added 64-bit counters and improved error handling but still left community strings exposed without encryption.
    • SNMPv3: Introduced authentication, encryption, and better access control. This version significantly improves security, although it is more complex to configure and maintain.

    Documented Vulnerabilities and Exploits

    The risks of older SNMP versions are well documented in the CVE database. A few examples include:

    • CVE-2002-0012 and CVE-2002-0013: Exploitable flaws in SNMPv1 that allow attackers to flood targets with requests, leading to denial-of-service or privilege escalation.
    • Command Injection Attacks: Certain GE Industrial Solutions UPS adapters and older Symantec Web Gateway versions with outdated firmware allow remote command execution through SNMP-enabled services.

    Even SNMPv3 has known issues. Researchers have demonstrated that its discovery mechanism can be manipulated to weaken encryption and authentication if not properly configured.


    How Attackers Exploit SNMP

    Attackers often scan for SNMP services, particularly on UDP ports 161 and 162. Tools like Nmap can brute-force community strings and quickly identify weakly configured devices. Once inside, attackers can flood networks with requests, change configurations, or passively intercept communications to extract sensitive information.


    Best Practices to Secure SNMP

    Securing SNMP does not mean abandoning it. It means configuring it carefully and minimizing exposure. Some best practices include:

    1. Disable SNMP on hosts where it is not required.
    2. Replace default community strings like “public” and “private” with strong, unique values.
    3. Restrict access using Access Control Lists (ACLs).
    4. Block or monitor ports 161 and 162 at the firewall.
    5. Use read-only mode whenever possible.
    6. Regularly update firmware and software.
    7. Adopt SNMPv3 and configure it with encryption and authentication.
    8. Avoid using NoAuthNoPriv mode, which neither authenticates nor encrypts transmissions.
    9. Limit access to specific OIDs and performance data using SNMP views.
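
As an added example, not code from the Netizen post: a Python audit of a net-snmp style snmpd.conf against points 2, 5, 7, 8 and 9 above, with a constructed weak configuration beside a constructed hardened one. The directive names follow net-snmp's snmpd.conf syntax; the user name, view name and passphrases are placeholders.

```python
"""Audit an snmpd.conf (net-snmp syntax) for the SNMP weaknesses discussed
above: v1/v2c community strings at all, default 'public'/'private' values,
write access, SNMPv3 users permitted at noauth or auth-only, and v3 users with
no restricting view. Both configurations are constructed for this example."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

WEAK_CONF = """\
# Constructed weak configuration (what many devices still ship with)
rocommunity public
rwcommunity private
rouser legacy noauth
"""

HARDENED_CONF = """\
# Constructed hardened configuration: v3 only, authPriv, read-only, restricted view
createUser monitor SHA "PLACEHOLDER-auth-passphrase" AES "PLACEHOLDER-priv-passphrase"
view sysview included .1.3.6.1.2.1.1
view sysview included .1.3.6.1.2.1.2
rouser monitor priv -V sysview
"""


def parse_directives(conf):
    """Yield (directive, args) per non-comment line; quoted args keep spaces."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        yield parts[0].lower(), [p.strip('"') for p in parts[1:]]


def audit_snmpd_conf(conf):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    for directive, args in parse_directives(conf):
        if directive in COMMUNITY_DIRECTIVES:
            community = args[0] if args else ""
            findings.append(f"{directive}: SNMPv1/v2c community '{community}' "
                            "travels in cleartext; migrate to SNMPv3")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{directive}: default community string '{community}'")
            if directive.startswith("rw"):
                findings.append(f"{directive}: write access granted; prefer read-only")
        elif directive in ("rouser", "rwuser"):
            if not args:
                continue
            user = args[0]
            level = "auth"  # net-snmp's default when no level is given
            if len(args) > 1 and args[1].lower() in ("noauth", "auth", "priv"):
                level = args[1].lower()
            if level == "noauth":
                findings.append(f"{directive} {user}: noAuthNoPriv allows "
                                "unauthenticated, unencrypted access")
            elif level == "auth":
                findings.append(f"{directive} {user}: authNoPriv authenticates "
                                "but does not encrypt; use priv")
            if "-V" not in args:
                findings.append(f"{directive} {user}: no view restriction (-V); "
                                "exposes the whole MIB tree")
            if directive == "rwuser":
                findings.append(f"rwuser {user}: write access granted; prefer read-only")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}: {len(audit_snmpd_conf(conf))} finding(s)")
        for finding in audit_snmpd_conf(conf):
            print("  -", finding)
```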

    Are SNMP Vulnerabilities Still a Threat?

    Yes. Even though ransomware and phishing dominate the headlines, SNMP misconfigurations can still lead to serious data leaks or costly downtime. Attackers continue to exploit legacy systems and overlooked services. Given that downtime can cost thousands of dollars per minute, it is risky to ignore SNMP security.


    Conclusion: Choose SNMPv3, Harden Configurations

    SNMP remains an indispensable tool for administrators. Versions 1 and 2c are outdated and insecure, and should no longer be used. SNMPv3 is the most secure option available, but it requires careful setup. With proper configuration, authentication, and encryption, organizations can significantly reduce the risk of SNMP-based attacks while still benefiting from its monitoring capabilities.


    How Netizen Can Help

    Netizen specializes in helping organizations address vulnerabilities like those found in SNMP environments. Our team performs detailed security assessments and pre-assessments to identify gaps in network security configurations and highlight misconfigurations before attackers exploit them. By aligning your SNMP setup with industry best practices, we help you reduce the risk of downtime, unauthorized access, and data exposure.

    Netizen is a Service-Disabled Veteran-Owned Small Business with ISO 27001, ISO 20000-1, ISO 9001, and CMMI Level III certifications. We operate a 24×7 Security Operations Center and provide advisory services to organizations across defense, government, and commercial sectors. If your business relies on network monitoring tools, our experts can help ensure they are properly secured, updated, and configured to withstand today’s threats.

    Looking to strengthen your defenses and prevent overlooked vulnerabilities from becoming serious problems? Start the conversation with Netizen today.


  • Building Strong Compliance Management Systems with ISO 37301

    ISO 37301 is an international Type A management system standard that sets requirements and provides guidance for establishing, implementing, and improving a compliance management system (CMS). A CMS gives organizations a structured approach to meeting both mandatory obligations such as laws, regulations, and licenses, as well as voluntary commitments including internal policies, codes of conduct, and industry standards.

    The standard applies to organizations of all sizes and sectors. It is built on principles of integrity, good governance, transparency, accountability, proportionality, and sustainability. Since ISO 37301 follows the ISO High-Level Structure (HLS), it can operate as a standalone framework or integrate smoothly with other standards such as ISO 27001 for information security or ISO 9001 for quality management.


    How It Differs from ISO 19600

    In 2014, ISO released ISO 19600, a guideline for compliance management systems. ISO 37301 builds on that foundation by adding the option of third-party certification. This makes compliance efforts auditable and verifiable, providing stronger credibility. Organizations that previously followed ISO 19600 already have a head start toward alignment with ISO 37301.


    Why It Matters for Organizations

    Adhering to compliance obligations is no longer a choice but a necessity for organizations that want sustainable growth and resilience. ISO 37301 equips leadership with policies, processes, and controls that help detect, prevent, and respond to noncompliance. By adopting it, organizations demonstrate diligence to regulators and business partners, protect their reputation, and reduce exposure to legal and financial penalties.


    Key Features

    ISO 37301 emphasizes leadership commitment, requiring governing bodies and executives to set the tone for compliance through clear policies, resource allocation, and visible support. It is risk-based, meaning organizations must identify and manage compliance risks as part of normal business planning. The standard also requires competence and awareness at all levels so that compliance is not just a function of policy but part of organizational culture. Continuous evaluation and improvement are built in, ensuring the CMS evolves as regulations and operations change.


    Training and Certification

    Individuals can pursue training to strengthen their role in compliance management. Options include foundation courses for entry-level staff, lead implementer training for professionals responsible for designing and rolling out a CMS, and lead auditor training for those conducting independent assessments. Specialized courses also exist for those transitioning from ISO 19600 or seeking introductory knowledge.


    Benefits of Implementation

    Organizations adopting ISO 37301 gain the ability to undergo independent certification, build a compliance culture that demonstrates accountability, and strengthen relationships with regulators and partners. They are better positioned to prevent legal violations, protect customer trust, and maintain long-term sustainability. By documenting compliance policies and ensuring staff understand their roles, organizations create a strong framework that can withstand scrutiny and adapt to change.




  • Turning Human Error Into Human Defense

    Phishing remains the single most persistent attack vector in cybersecurity. Despite two decades of progress in technical defenses, attackers continue to bypass firewalls, endpoint protections, and advanced monitoring tools by exploiting the one constant across every organization: people.

    Recent research, including Verizon’s Data Breach Investigations Report, shows that roughly 60% of breaches involve human factors such as clicking a malicious link or opening an infected attachment. Add to this another 20% to 30% linked to credential reuse, and the picture becomes clear: the vast majority of intrusions succeed because of human behavior, not because of unpatched software alone.


    The Human Element at the Core of Cyber Risk

    Phishing is no longer confined to crude “Nigerian prince” scams. Threat actors today are highly skilled at exploiting trust, urgency, and authority. Especially with the advent of AI, their lures are hyper-personalized, drawing on data scraped from social media, corporate directories, or past breaches. They extend far beyond email, with SMS-based smishing and phone-based vishing becoming increasingly common. Attackers also time campaigns to coincide with global events, financial anxieties, or even corporate announcements, amplifying the chances of success.

    At the higher end of the spectrum, Business Email Compromise (BEC) attacks now use detailed impersonation of executives, vendors, or partners. These schemes often bypass technical controls because they appear entirely legitimate until the financial loss is already complete.


    Industry-Specific Exposure

    Attackers adjust their tactics depending on the industry. In healthcare and education, the combination of diverse users and high-pressure environments makes organizations particularly prone to mistakes. In finance and professional services, attackers mimic legitimate client requests to trigger unauthorized fund transfers. In critical infrastructure and manufacturing, phishing campaigns are tailored to disrupt operations or steal valuable intellectual property.

    No sector is immune, but industries with high-value data or complex supply chains present especially tempting targets.


    Building a Human-Centric Defense

    Addressing human risk does not mean blaming employees. Instead, it requires creating conditions that make secure behavior easier and second nature. Organizations can build resilience through:

    • Security awareness training that is frequent, relevant, and interactive. Outdated annual training must be replaced by micro-learning, simulations, and role-specific content that evolves alongside threat tactics.
    • Phishing simulations that provide real-world practice. These tests should be designed as educational opportunities, giving immediate feedback rather than punishing mistakes.
    • Encouraging reporting by building a culture where employees feel comfortable flagging suspicious emails or messages without fear of retribution. Every reported phishing attempt is one less chance for attackers to succeed.
    • Layered technical defenses including AI-driven email security, multifactor authentication, zero trust architectures, password managers, and web filtering. While people remain the target, these technologies act as critical safeguards when mistakes happen.
    • Visible leadership support where executives not only mandate security initiatives but also model good behavior and reinforce that cybersecurity is a business priority, not just an IT concern.

    From Weakness to Strength

    A strong security culture depends on both people and technology working together, and that is where Netizen can help. Our team specializes in building environments where employees are supported by clear policies, meaningful training, and advanced monitoring solutions that reduce the chances of human mistakes becoming costly breaches.

    From our 24x7x365 Security Operations Center to services like CISO-as-a-Service, penetration testing, and compliance support, Netizen provides organizations with the tools, expertise, and guidance to make people part of the defense, not the weakness. For agencies and businesses in highly regulated industries, we bring proven experience in strengthening resilience and aligning with frameworks that emphasize human factors as much as technical safeguards.

    Your employees are already your first line of defense; Netizen helps ensure they are also your strongest. Start the conversation with us today and see how we can help turn your human error into human defense.


  • Netizen: Monday Security Brief (10/20/2025)

    Today’s Topics:

    • CISA Flags Five New Actively Exploited Vulnerabilities Across Oracle, Microsoft, and More
    • Microsoft Halts Rhysida Ransomware Campaign Exploiting Azure Certificates
    • How can Netizen help?

    CISA Flags Five New Actively Exploited Vulnerabilities Across Oracle, Microsoft, and More

    The Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that attackers are targeting unpatched systems from Oracle, Microsoft, and other vendors.

    One of the most significant flaws is CVE-2025-61884 (CVSS 7.5), a server-side request forgery (SSRF) issue found in the Runtime component of Oracle E-Business Suite (EBS). The bug allows unauthenticated remote attackers to access sensitive data through crafted network requests. It follows the discovery of another serious Oracle EBS vulnerability, CVE-2025-61882 (CVSS 9.8), which enabled arbitrary code execution on exposed systems. Both flaws have been linked to real-world exploitation campaigns impacting dozens of organizations, with some activity tentatively associated with Cl0p-related extortion groups.

    CISA also added four other vulnerabilities to the catalog. CVE-2025-33073 (CVSS 8.8) affects the Microsoft Windows SMB Client and allows privilege escalation through improper access control. Microsoft addressed the flaw in its June 2025 patch release.

    Two vulnerabilities in Kentico Xperience CMS, CVE-2025-2746 and CVE-2025-2747 (both CVSS 9.8), involve authentication bypasses in the Staging Sync Server component that mishandled password validation for certain configurations. These issues were corrected in updates released in March 2025.

    The final entry, CVE-2022-48503 (CVSS 8.8), is an older flaw in Apple’s JavaScriptCore engine that could lead to arbitrary code execution through malicious web content. Apple fixed it in 2022, but it has resurfaced in active exploitation reports.

    CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by November 10, 2025, to safeguard networks against known threats. Although the agency confirmed exploitation for the Oracle EBS bug, it noted that details of attacks involving the other four remain limited.


    Microsoft Halts Rhysida Ransomware Campaign Exploiting Azure Certificates

    Microsoft has shut down an ongoing Rhysida ransomware operation that relied on fake Microsoft Teams installers digitally signed with stolen or misused Azure certificates. The company confirmed that it has revoked more than 200 compromised code-signing certificates that attackers used to make malicious files appear legitimate.

    In a post on X, Microsoft Threat Intelligence reported that a cybercriminal group known as Vanilla Tempest, also tracked as Vice Society, was behind the campaign. The attackers distributed fraudulent Teams setup files signed through Azure’s Trusted Signing service to deliver a custom backdoor called Oyster, which later deployed the Rhysida ransomware payload.

    Vanilla Tempest is known for targeting schools, hospitals, and other public sector organizations. In this campaign, the group used domains resembling legitimate Microsoft services, such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top, to trick users into downloading malicious installers. These fake sites were reportedly promoted using SEO poisoning, pushing them higher in search results for unsuspecting victims.

    When users executed the bogus MSTeamsSetup.exe, it ran a downloader instead of the real collaboration tool. This downloader installed the Oyster backdoor, which Microsoft said has been in circulation since at least June. While Vanilla Tempest has used multiple ransomware strains in the past, including BlackCat (ALPHV), the group appears to have shifted its focus primarily to Rhysida.

    The attackers didn’t rely solely on Microsoft’s infrastructure. They also obtained code-signing certificates from SSL.com, DigiCert, and GlobalSign to authenticate their fake binaries. Signed malware poses a particular challenge for defenders, since many security systems inherently trust executables with valid digital signatures.

    It remains unclear how the threat actors gained access to Azure’s Trusted Signing service. The platform allows verified developers with a Microsoft Entra tenant ID and an Azure subscription to sign their applications, with current availability limited to U.S. and European regions. Documentation for the service notes that only organizations with at least three years of verifiable operational history are eligible.

    In response to the campaign, Microsoft revoked all known certificates linked to the malicious activity. The company declined to provide further comment beyond its public statement.

    DigiCert and GlobalSign, both named in Microsoft’s report, said they had not been asked to revoke any certificates related to the incident but were monitoring for misuse. GlobalSign CISO Arvid Vermote noted that the company investigates all reports of certificate abuse and revokes compromised credentials when verified, while DigiCert stated that it would act immediately upon receipt of credible intelligence.

    The incident highlights how attackers continue to exploit digital trust mechanisms to bypass enterprise defenses. Code-signing certificates, once intended to guarantee software authenticity, are increasingly being repurposed as tools for deception, allowing malicious software to masquerade as legitimate applications until its true purpose becomes clear.




  • Understanding ISO 20000-1: The Standard for IT Service Management

    Organizations depend on IT services to keep their operations running, and as these environments expand across cloud, on-premises, and hybrid platforms, the complexity of managing them has increased. ISO/IEC 20000-1 provides a structured framework for IT Service Management (ITSM) that allows organizations to deliver consistent, high-quality IT services while staying aligned with business priorities.


    What is ISO 20000-1?

    ISO/IEC 20000-1 is the international standard for IT Service Management Systems. It was first introduced in 2005 and has gone through revisions in 2011 and 2018 to keep up with modern practices. The standard defines how an organization can establish, implement, maintain, and continually improve an IT Service Management System, making it possible to demonstrate maturity in service delivery through certification.

    The standard has close ties to ITIL, which many organizations already use as a framework for service management best practices. The difference is that ISO 20000-1 is an auditable and certifiable standard, giving organizations the ability to formally prove their capabilities to customers, regulators, and partners. It addresses all areas of service management, from governance and accountability, to planning and designing services, to managing incidents, changes, and continuity. It also requires organizations to measure performance, conduct evaluations, and continuously improve service delivery.


    Why ISO 20000-1 Matters

    For IT service providers, ISO 20000-1 certification is a mark of credibility that is often required in government, defense, and other regulated sectors. For internal IT departments, it signals that operations are reliable and designed to meet business needs. Beyond compliance, the framework helps organizations improve the quality of their services. Consistency is gained by moving away from ad-hoc practices. Service reliability is strengthened through structured incident and problem management processes. Cost efficiency improves when resources are better utilized under well-defined workflows. Most importantly, the certification builds trust with customers who expect IT services to meet strict performance and availability requirements.


    How Certification Works

    The path to certification begins with defining the scope of the services that will be covered under the Service Management System. Organizations then put processes in place that meet the requirements of ISO 20000-1. Internal audits are carried out to assess readiness, followed by an external audit performed by an accredited certification body. Certification is valid for three years, but organizations must go through surveillance audits each year to confirm compliance, as well as a full recertification at the end of the cycle.


    ISO 20000-1 in Modern IT Operations

    As IT continues to shift toward cloud, DevOps, and hybrid approaches, ISO 20000-1 has remained relevant by adapting its structure. The 2018 revision adopted the Annex SL framework that is common across ISO standards, which makes it easier to integrate with others such as ISO 27001 for information security, ISO 22301 for business continuity, and ISO 9001 for quality management. This alignment means ISO 20000-1 can serve as a foundation for organizations adopting Zero Trust architectures or digital transformation initiatives. By applying ISO 20000-1, businesses can demonstrate that their IT services are reliable, efficient, and prepared for growth.


    Relationship with ISO 27001

    ISO 20000-1 and ISO 27001 often work together in practice. While ISO 20000-1 focuses on the quality and consistency of IT services, ISO 27001 ensures the security of information handled by those services. For example, change management under ISO 20000-1 keeps systems stable when updates are made, while ISO 27001 adds the requirement that changes meet security standards. Service continuity planning under ISO 20000-1 ensures that operations can recover from disruptions, while ISO 27001 guarantees that sensitive data remains protected during recovery.


    Why Organizations Adopt ISO 20000-1

    Companies pursue ISO 20000-1 certification for many reasons. Managed service providers see it as a way to stand out in competitive markets and often find that certification is a prerequisite for winning contracts. Internal IT teams use the standard to reduce risk, improve efficiency, and show executives that IT supports the business effectively. Organizations that already use ITIL often move to ISO 20000-1 to formalize those practices and gain the external validation that comes with certification.


    How Can Netizen Help?

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • TikTok’s U.S. Deal: Less Data in Beijing, Same Risks for Enterprises

    Negotiations over TikTok’s future in the United States are moving forward, but for CISOs and enterprise security teams, the risks tied to the platform remain stubbornly familiar. Even if ownership shifts to a U.S.-controlled entity, TikTok’s appetite for data and influence over user behavior will keep it high on the watchlist.


    Why the Deal Matters

    TikTok’s parent company, ByteDance, is subject to Chinese national security laws that can compel access to user data—a fact that has fueled years of concern in Washington, Brussels, and Ottawa. The proposed solution is the creation of a new U.S.-based entity where American investors hold an 80% stake. Oracle would manage TikTok’s U.S. data from Texas, joined by backers Andreessen Horowitz and Silver Lake. A majority U.S. board, including a government-appointed director, would oversee the operation.

    This arrangement addresses the most obvious issue: the possibility of direct state access from Beijing. But security professionals caution that restructuring on paper is not the same as securing the platform in practice.


    What Regulators Already Know

    Global regulators have already taken action against TikTok, making clear that concerns about its practices are not confined to the United States. The Irish Data Protection Commission fined the company €530 million for GDPR violations. The European Commission and Council of the EU banned TikTok from government devices, citing security fears. Canada went further, ordering a nationwide ban on government devices and directing the platform’s Canadian subsidiary to be shuttered.

    The message is consistent: reshuffling ownership does not erase the risks embedded in TikTok’s design.


    Data Controls vs. Reality

    For many experts, the question isn’t where TikTok stores its data; it’s how much data the platform continues to collect. Adam Marrè, CISO at Arctic Wolf, notes that while a U.S. ownership structure would reduce the likelihood of direct Chinese government access, it doesn’t change the fact that TikTok is built to harvest massive amounts of user information. “Ownership and geography alone are not enough to make a platform safe,” he says. “Transparency, accountability, and oversight matter just as much.”

    That point is echoed by Lily Li, founder of Metaverse Law, who highlights the need for operational safeguards. Storing U.S. data in Oracle facilities may shield it from Chinese security laws, but, she argues, it won’t prevent insider risk unless controls are strict. “To prevent enterprise data leaks or espionage, administrative access and encryption keys must remain in the hands of U.S.-based personnel who are accountable to U.S. management,” Li says.

    Together, their perspectives emphasize that even with new ownership, the data TikTok collects, and who can access it, remains a live concern for enterprises.


    The Algorithm Problem

    Infrastructure is only one layer of the challenge. At the heart of TikTok’s influence is its recommendation engine, which will reportedly remain licensed from ByteDance for the U.S. market. Algorithms determine what users see, how narratives spread, and where public attention shifts. Without visibility into how those algorithms function, experts warn that the risks of hidden data collection and influence operations persist.

    Marrè frames this as a behavioral problem as much as a privacy one. “Security isn’t just about where the data sits,” he explains. “It’s about how the platform shapes behavior and influences users.”

    Satish Swargam, principal security consultant at Black Duck, takes the concern further. He warns that any non-U.S.-based software artifacts tied to TikTok’s algorithm need to be examined in depth. “There is potential for non-U.S.-based algorithms to extract data and fuel influence campaigns,” he says. “The TikTok deal calls for tighter security controls, comprehensive artifact analysis, and a deep-dive threat model.”


    What Enterprises Should Focus On

    Whether or not the restructuring closes, CISOs should continue treating TikTok as a high-risk application. At a minimum, that means:

    • Policy Enforcement: Restrict or prohibit TikTok use on corporate-owned devices and networks.
    • Awareness Training: Educate staff about the risks of oversharing, especially around geolocation and activity tracking.
    • Monitoring and Detection: Watch for data leakage through the TikTok pixel or other trackers embedded in business systems.
    • Sector-Specific Controls: For defense, healthcare, and government contractors, bans should remain firm given the sensitivity of the data involved.

    The Bottom Line

    The TikTok restructuring plan would change who manages U.S. data, but it does little to address the broader enterprise risks of social engineering, insider abuse, and algorithm-driven influence. As Marrè, Li, and Swargam all stress in different ways, the challenge is not just data sovereignty; it’s how TikTok’s infrastructure, code, and design continue to create openings for risk.

    For security teams, that means the burden does not disappear with new ownership. TikTok will remain a security concern, no matter whose name is on the servers.


    How Can Netizen Help?

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Preparing for November 10th: What Businesses Need to Do Now for CMMC 2.0

    On November 10, 2025, the Department of Defense’s new DFARS rule goes into effect, authorizing CMMC 2.0 requirements to appear in contracts for the first time. For small and mid-sized businesses (SMBs) in the defense industrial base, this is more than a policy milestone; it marks the beginning of a three-year rollout that will determine which companies remain eligible for defense work and which risk exclusion.

    Decision-makers can no longer treat CMMC as a distant requirement. The countdown has begun, and organizations that prepare early will be positioned to win new contracts, maintain strong relationships with prime contractors, and avoid costly last-minute remediation.


    What November 10 Means

    Beginning November 10, contracting officers may insert CMMC requirements directly into solicitations and awards. While not all contracts will include them immediately, coverage will expand steadily until nearly all defense contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) require compliance.

    This phased rollout mirrors past federal cybersecurity mandates: organizations that act early gain a competitive advantage, while those that delay find themselves scrambling under deadlines and at higher cost.


    Preparing Your Organization

    Determine Your Required Level

    CMMC 2.0 introduces a tiered model:

    • Level 1 (Foundational): For companies handling only FCI; requires basic practices and annual self-assessment.
    • Level 2 (Advanced): For companies handling CUI; aligns with all 110 NIST SP 800-171 controls. Some contracts will require a third-party certification, others will allow self-assessment.
    • Level 3 (Expert): For the most sensitive programs; requires audits by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

    Map Data Flows

    Documenting where FCI and CUI reside, how they move, and who has access is essential. Without accurate data mapping, compliance efforts risk being incomplete and audit-readiness compromised.

    Conduct a Pre-Assessment

    A structured pre-assessment against NIST SP 800-171 and CMMC requirements will identify gaps in both technical and procedural controls. Many organizations discover the largest deficiencies are in documentation and policy, not just technology.

    Build a Remediation Roadmap

    Translate findings into a prioritized plan that covers technology upgrades, policy development, training, and monitoring. Decision-makers should allocate resources beyond IT tools; effective compliance depends equally on governance and workforce awareness.

    Review Third-Party Dependencies

    Managed Service Providers (MSPs), cloud services, and IT partners that touch your sensitive data must also meet compliance expectations. Incorporate vendor oversight into your CMMC strategy.

    Elevate to the Executive Level

    CMMC is not an IT-only issue. Treating compliance as a board-level priority ensures adequate resources, accountability, and integration into long-term business planning.


    Why Early Action Matters

    Organizations that begin preparation now will be positioned to demonstrate readiness to primes and contracting officers, gain a competitive edge in contract bids, and avoid rushed and expensive remediation under deadline pressure. Waiting until CMMC appears in your first solicitation means you are already behind.


    How Netizen Can Help with CMMC Readiness

    Meeting CMMC 2.0 requirements can be daunting, particularly for SMBs without dedicated compliance teams. Netizen provides CMMC pre-assessments that deliver a clear picture of your current posture, identify gaps, and provide a prioritized roadmap for remediation.

    As an ISO 27001, ISO 20000-1, ISO 9001, and CMMI Level III certified Service-Disabled Veteran-Owned Small Business, Netizen has extensive experience guiding organizations in government, defense, and commercial sectors through complex regulatory requirements.

    With the November 10 milestone fast approaching, now is the time to act. Start the conversation with Netizen today and move toward CMMC compliance with confidence.


  • October 2025 Patch Tuesday: Microsoft Addresses Six Zero-Days and Ends Windows 10 Support

    Microsoft’s October 2025 Patch Tuesday includes fixes for 172 vulnerabilities, with six zero-days: three publicly disclosed and three confirmed as exploited. Eight flaws are classified as critical, including five remote code execution vulnerabilities and three elevation of privilege flaws.


    Breakdown of Vulnerabilities

    • 80 Elevation of Privilege vulnerabilities
    • 31 Remote Code Execution vulnerabilities
    • 28 Information Disclosure vulnerabilities
    • 11 Security Feature Bypass vulnerabilities
    • 11 Denial of Service vulnerabilities
    • 10 Spoofing vulnerabilities

    These totals do not include vulnerabilities in Azure, Mariner, Microsoft Edge, and other components fixed earlier in the month. This month also marks the official end of free support for Windows 10. Organizations can continue receiving updates through Microsoft’s Extended Security Updates (ESU) program—one year for consumers and up to three years for enterprise customers.


    Zero-Day Vulnerabilities

    CVE-2025-24990 | Windows Agere Modem Driver Elevation of Privilege Vulnerability

    Microsoft removed the vulnerable Agere Modem driver (ltmdm64.sys) after it was found to allow attackers to gain administrative privileges. The removal impacts fax modem hardware relying on this driver. Discovered by Fabian Mosch and Jordan Jay.

    CVE-2025-59230 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

    This flaw in the Remote Access Connection Manager component allows authorized attackers to gain SYSTEM privileges through improper access control. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified the issue, noting that exploitation requires moderate effort and preparation.

    CVE-2025-47827 | IGEL OS Secure Boot Bypass Vulnerability

    A Secure Boot bypass in IGEL OS allowed attackers to mount a crafted, unverified SquashFS image. The issue stemmed from improper signature verification in the igel-flash-driver module. The flaw, discovered by Zack Didcott, was publicly disclosed on GitHub.

    CVE-2025-0033 | AMD RMP Corruption During SNP Initialization

    A vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) could allow a compromised hypervisor to manipulate Reverse Map Table (RMP) entries during initialization. Microsoft notes this issue affects Azure Confidential Computing environments and is being mitigated through isolation and integrity controls. Discovered by Benedict Schlueter, Supraja Sridhara, and Shweta Shinde from ETH Zurich.

    CVE-2025-24052 | Windows Agere Modem Driver Elevation of Privilege Vulnerability

    A second privilege escalation issue in the Agere Modem driver impacts all supported Windows versions. Exploitation does not require active modem use, making this vulnerability broadly relevant across installations.

    CVE-2025-2884 | TCG TPM 2.0 Out-of-Bounds Read Vulnerability

    An out-of-bounds read flaw in the TCG TPM 2.0 reference implementation’s CryptHmacSign function could lead to denial of service or information disclosure. Discovered by the Trusted Computing Group (TCG) and an anonymous researcher, with public disclosure through CERT/CC.


    Other Critical Vulnerabilities

    Beyond the zero-days, Microsoft patched additional remote code execution flaws across Office, SharePoint, and Windows components, along with high-severity information disclosure issues affecting enterprise environments.


    Adobe and Other Vendor Updates

    Other major vendors released security updates in October 2025:

    • Adobe: Issued patches for multiple products.
    • Cisco: Released updates for Cisco IOS, Unified Communications Manager, and Cyber Vision Center.
    • DrayTek: Patched a pre-authentication RCE flaw in Vigor routers.
    • Gladinet: Warned of an actively exploited CentreStack zero-day used in server breaches.
    • Ivanti: Updated Endpoint Manager Mobile (EPMM) and Neurons for MDM.
    • Oracle: Released emergency patches for two actively exploited E-Business Suite zero-days.
    • Redis: Fixed a maximum severity RCE vulnerability.
    • SAP: Issued updates for multiple products, including a maximum severity command execution flaw in NetWeaver.
    • Synacor: Patched a Zimbra zero-day exploited for data theft.

    Recommendations for Users and Administrators

    Given the number of actively exploited and publicly disclosed vulnerabilities, organizations should prioritize patching systems affected by privilege escalation, Secure Boot, and TPM-related flaws. Systems running legacy hardware, such as those using Agere Modem drivers, should be monitored closely post-update for hardware functionality issues.

    Enterprises leveraging Azure Confidential Computing should track AMD’s SEV-SNP mitigation progress via Azure Service Health alerts. Administrators should also apply updates from third-party vendors like Cisco, SAP, and Redis to close potential exploitation paths in integrated environments.


    How Can Netizen Help?

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Netizen: Monday Security Brief (10/13/2025)

    Today’s Topics:

    • Oracle Warns of New E-Business Suite Vulnerability Allowing Unauthorized Data Access
    • Widespread SonicWall VPN Compromise Impacts Over 100 Accounts, Experts Warn
    • How can Netizen help?

    Oracle Warns of New E-Business Suite Vulnerability Allowing Unauthorized Data Access

    Oracle has issued an emergency security alert addressing a newly discovered flaw in its E-Business Suite (EBS) that could allow attackers to access sensitive data without authentication.

    The vulnerability, identified as CVE-2025-61884, carries a CVSS v3 base score of 7.5 and affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. According to the National Vulnerability Database (NVD), the issue lies in the Oracle Configurator component and can be exploited remotely over HTTP without valid credentials.

    “Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,” the NVD description notes. “Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”

    Oracle’s advisory confirms that the flaw does not currently appear to be under active exploitation, but the company urges immediate patching due to the potential impact on confidentiality and integrity. Chief Security Officer Rob Duhart stated that the vulnerability affects “some deployments” and could be weaponized to gain access to sensitive resources if left unpatched.

    This latest disclosure follows closely on the heels of CVE-2025-61882, another critical E-Business Suite flaw that has already been exploited in the wild. Research by Google Threat Intelligence Group (GTIG) and Mandiant revealed that threat actors, believed to have links to the Cl0p ransomware group, used the earlier bug in targeted attacks against multiple organizations. Those intrusions deployed various Java-based payloads including GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE, often chaining vulnerabilities for deeper access.

    Although no exploitation of CVE-2025-61884 has been reported, Oracle has made clear that it represents a serious exposure for enterprises still running outdated EBS installations. The company recommends applying the latest security update immediately and reviewing configurations for any anomalous activity in Oracle Configurator logs.

    Organizations using E-Business Suite should also validate that prior patches, particularly those addressing CVE-2025-61882, have been correctly implemented, as attackers have demonstrated a growing interest in chaining EBS vulnerabilities for data theft and persistence.


    Widespread SonicWall VPN Compromise Impacts Over 100 Accounts, Experts Warn

    Cybersecurity firm Huntress has issued an alert warning of a large-scale compromise affecting SonicWall SSL VPN devices, with more than 100 accounts breached across 16 customer environments. The company reports that attackers are logging into multiple accounts in rapid succession, suggesting they already possess valid credentials rather than relying on brute-force methods.

    According to Huntress, the wave of activity began around October 4, 2025, with logins traced to a single IP address, 202.155.8[.]73, used to authenticate into multiple SonicWall appliances. In some cases, the threat actors disconnected shortly after access, while in others they conducted reconnaissance, network scans, and attempted to access local Windows accounts.

    The discovery comes shortly after SonicWall confirmed a separate security incident involving unauthorized exposure of firewall configuration backup files from MySonicWall cloud accounts. The breach reportedly affects all customers using SonicWall’s cloud backup service, where configuration files contain sensitive details such as DNS settings, authentication data, domain configurations, and encryption certificates.

    Security firm Arctic Wolf warned that these exposed files could allow attackers to replicate internal configurations or gain network access. However, Huntress has stated that no direct evidence yet links the configuration file breach to the ongoing VPN compromises.

    Huntress recommends organizations using SonicWall’s cloud configuration backup service take immediate precautions, including:

    • Resetting credentials on all live firewall and VPN devices.
    • Restricting WAN management and remote administrative access.
    • Revoking external API keys that connect to firewalls or management systems.
    • Monitoring VPN and administrative logins for suspicious activity.
    • Enforcing multi-factor authentication (MFA) for all remote and privileged accounts.
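    The pattern Huntress describes above, one source IP authenticating to many accounts in rapid succession, is easy to surface from VPN authentication logs, and it is the kind of check the “monitoring VPN and administrative logins” recommendation calls for. The script below is an added example, not Huntress’s or SonicWall’s tooling; it uses a constructed, simplified log format (one line per login attempt) rather than SonicWall’s real syslog output, and the only indicator it carries is the IP quoted in the report above.

```python
"""Triage SSL VPN login records for the "many accounts, one source IP" pattern.

Added example (not SonicWall's or Huntress's code). The log format is a
constructed, simplified one, not SonicWall's real syslog format:
    <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Source IP named in the Huntress report summarised above (defanged on the page).
WATCHLIST_IPS = {"202.155.8.73"}


@dataclass(frozen=True)
class Login:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Login]:
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, user, result = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return Login(when, ip, user, result.upper() == "SUCCESS")


def parse_log(text: str) -> List[Login]:
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def find_account_spraying(logins: List[Login],
                          window: timedelta = timedelta(minutes=10),
                          min_accounts: int = 5) -> Dict[str, List[str]]:
    """Return {src_ip: sorted accounts} for every source IP that successfully
    authenticated to at least `min_accounts` distinct accounts inside some
    sliding window of length `window`. Valid-credential reuse at this pace
    is the signal Huntress describes; failed attempts (brute force) are
    deliberately excluded so the two behaviours are not conflated."""
    by_ip: Dict[str, List[Login]] = defaultdict(list)
    for rec in logins:
        if rec.ok:
            by_ip[rec.src_ip].append(rec)

    hits: Dict[str, List[str]] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        best: set = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            users = {e.user for e in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            hits[ip] = sorted(best)
    return hits


def watchlist_hits(logins: List[Login]) -> List[str]:
    """Source IPs in the log that match the known indicator list."""
    return sorted({rec.src_ip for rec in logins if rec.src_ip in WATCHLIST_IPS})


# Constructed sample: six accounts from one TEST-NET address in about three
# minutes, a normal repeat login from a second address, and one login from
# the reported indicator IP.
SAMPLE_LOG = """\
2025-10-04T02:10:05 203.0.113.5 alice SUCCESS
2025-10-04T02:10:41 203.0.113.5 bob SUCCESS
2025-10-04T02:11:12 203.0.113.5 carol SUCCESS
2025-10-04T02:11:50 203.0.113.5 dave FAILURE
2025-10-04T02:12:03 203.0.113.5 dave SUCCESS
2025-10-04T02:12:44 203.0.113.5 erin SUCCESS
2025-10-04T02:13:20 203.0.113.5 frank SUCCESS
2025-10-04T02:30:00 198.51.100.20 alice SUCCESS
2025-10-04T03:15:00 198.51.100.20 alice SUCCESS
2025-10-04T05:42:11 202.155.8.73 grace SUCCESS
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for ip, accounts in find_account_spraying(records).items():
        print(f"ALERT rapid multi-account logins from {ip}: {', '.join(accounts)}")
    for ip in watchlist_hits(records):
        print(f"ALERT login from watchlisted source {ip}")
```

Feed real exports through `parse_line` by adapting only that function; the window and account thresholds should be tuned to the site’s normal NAT and shared-egress behaviour before the alert is trusted.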

    The incident coincides with renewed ransomware campaigns exploiting known SonicWall vulnerabilities such as CVE-2024-40766, which has been linked to Akira ransomware operations. A recent report by Darktrace detailed a similar intrusion targeting a U.S.-based organization in late August 2025. The attack involved network scanning, privilege escalation via “UnPAC the hash,” and eventual data exfiltration.

    Darktrace identified the compromised system as a SonicWall VPN server, suggesting that this activity forms part of a broader campaign targeting SonicWall devices for initial access into corporate environments.

    These ongoing incidents highlight a critical trend: attackers are continuing to exploit older, well-documented vulnerabilities alongside stolen credentials to breach enterprise networks. Organizations that depend on SonicWall infrastructure are strongly urged to apply all available patches, review authentication logs, and remove legacy access paths to mitigate ongoing threats.


    How Can Netizen Help?

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.