Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • F-117 Nighthawk Flight Manual Added to the List of War Thunder Leaked Documents  

    F-117 Nighthawk Flight Manual Added to the List of War Thunder Leaked Documents  

    The list of export-restricted military documents leaked by players of the popular free-to-play game War Thunder just got longer. The flight manual for the F-117 Nighthawk, a stealth aircraft manufactured by Lockheed Martin, was posted on the War Thunder official site forum, a place for community discussion about various War Thunder related topics like in-game strategy, proposed game changes, and, over the past few years, occasionally classified military documents. The leaked flight manual included lots of information about F-117 flight sensor locations, firing angles, and many other intricacies.

    A Consistent Issue

    Oddly enough, this isn’t the first time War Thunder forum moderators have had to remove forum posts on the basis of them including military-classified content. On the topic of the F-117 flight manual leak, the head of PR for War Thunder’s developer Gaijin Entertainment, Konstantin Govorun, confirmed that their “moderators quickly nuked the post, deleted the files and banned the user. This is probably 12th time this happens.”

    The History of War Thunder Leaks

    The first leak relating to War Thunder and classified military documents, according to Wikipedia, was of the Challenger 2 tank and its armor structure. Following classified documents leaked by users consisted of specifications of many different tanks, fighter jets, and helicopters, most of which had the export-restricted classification level. In each case, posts containing the sensitive information were deleted and users were subsequently warned. Many of the leaks weren’t intended to be malicious, either. Most of them were posted in order to settle arguments about in-game content, a sort of “I-told-you-so” card that’s been pulled several times based on the numerous incidents.

    The Leclerc Leaks

    In the example of the document leak involving the French Leclerc tank, from October 2021, the documents were posted on the forum in order to resolve an argument about turret rotation speed.

    The (blurred) Leclerc documents posted in the War Thunder Forum
    The (blurred) argument about turret rotation speed that spawned the leak

    The poster of the documents claimed to a crew member on the Leclerc S2, which at the time was fielded by the French Army. The post itself was removed within a few hours in accordance with Gaijins strict moderation policy. In response to the recent leaks, a spokesperson for the US Air Force stated that the government “has urged companies to avoid allowing the distribution of information that is detrimental to public safety and national security.” The number of times that the leaks have occurred points to a larger issue here, and could be happening for a number of reasons, but the biggest takeaway from this ongoing issue is that it’s absolutely necessary to check if a document is classified or export restricted before sharing it with others.

    FAQ on War Thunder Leaked Military Documents

    What is the War Thunder military documents leak?

    The War Thunder military documents leak refers to incidents where classified or export-restricted military documents have been posted on the War Thunder official forum. These leaks typically involve sensitive information about military vehicles and equipment used in the game.

    How many times have military documents been leaked on the War Thunder forum?

    As of the latest incident involving the F-117 Nighthawk flight manual, this marks the twelfth time classified or export-restricted military documents have been leaked on the War Thunder forum.

    What types of documents have been leaked?

    The leaks have included various classified or export-restricted military documents, such as:

    • Challenger 2 Tank Armor Structure
    • Leclerc Tank Turret Rotation Speed
    • Specifications of Various Tanks
    • Fighter Jet Manuals
    • Helicopter Specifications
    • F-117 Nighthawk Flight Manual

    What was included in the most recent leak of the F-117 Nighthawk?

    The leaked flight manual for the F-117 Nighthawk included detailed information about the aircraft’s flight sensor locations, firing angles, and other critical operational intricacies.

    Why do these leaks keep happening?

    Many of these leaks occur because players are trying to win arguments or validate their points about in-game content by using real-world classified information. While these actions are not typically malicious, they nonetheless pose significant security risks.

    How does War Thunder handle these leaks?

    War Thunder’s developer, Gaijin Entertainment, has a strict moderation policy. When a leak occurs, the moderators quickly remove the post, delete the files, and ban the user who posted the classified information.

    What is the stance of the US government regarding these leaks?

    In response to these leaks, a spokesperson for the US Air Force has stated that the government urges companies to avoid the distribution of information that could compromise public safety and national security.

    What was the first instance of a classified document leak on the War Thunder forum?

    The first known instance of a classified document leak on the War Thunder forum was related to the Challenger 2 tank and its armor structure.

    What happened in the Leclerc tank document leak?

    In October 2021, documents about the French Leclerc tank were posted on the forum to resolve an argument about turret rotation speed. The poster claimed to be a crew member on the Leclerc S2, which was fielded by the French Army at that time. The post was removed within a few hours due to Gaijin’s strict moderation policies.

    How can companies avoid such leaks?

    It is crucial for individuals and companies to ensure that any documents being shared are not classified or export-restricted. Proper training and awareness about the importance of safeguarding sensitive information can help prevent such leaks.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • 38 TB of Private Company Data was Leaked by Microsoft AI Researchers

    38 TB of Private Company Data was Leaked by Microsoft AI Researchers

    38 Terabytes. That’s the amount of storage it takes to store 7600 hours of HD video, enough to watch for 316 days without repeating anything.

    It’s also the amount of private company data that Microsoft AI researchers accidentally exposed, including over 30,000 internal Teams messages, according to cloud security company Wiz.

    The Microsoft Azure Leak

    A Microsoft-owned GitHub repository, named robust-models-transfer, was set up by Microsoft’s AI research devision, and was intended for use in AI image recognition. In the repository, users were instructed to download AI models from an Azure storage link. What Microsoft wasn’t aware of, however, was that the Azure URL shared in the repository granted root access to the entire Azure storage account. This mistake, according to Wiz, was a result of a misconfigured SAS (Shared Access Signature) Token, which can allow users to easily share permissions through simply sending a link to a collaborator. However, instead of the typical read-only permissions, according to Wiz, the token “was configured to grant permissions on the entire storage account, exposing additional private data by mistake.”

    Just a few of the confidential files released through the data leak, from Wiz

    According to Wiz, the Azure token allowed full access to the storage account for 3 years before the token was invalidated manually on June 24, 2023. Microsoft completed their investigation into the data leak on August 16, 2023, and “no customer data was exposed, and no other internal services were put at risk because of this issue,” the Microsoft Security Response Center reported.

    How to Prevent Azure Data Leaks

    Wiz recommends that users stray away from using SAS entirely due to the concerns about their management and trackability. “There isn’t any official way to keep track of these tokens within Azure, nor to monitor their issuance, which makes it difficult to know how many tokens have been issued and are in active use.” It’s recommended that users take several steps in order to prevent similar leaks, including:

    • Consider utilizing Service SAS tokens with Stored Access Policies for external sharing.
    • For time-limited sharing needs, opt for User Delegation SAS tokens.
    • Establish separate storage accounts dedicated to external sharing to limit the potential impact of over-privileged tokens to external data only.
    • Use a CSPM solution to enforce and monitor SAS token access policies across your organization.
    • To eliminate SAS tokens entirely, disable SAS access for each storage account separately.
    • Block access to the “list storage account keys” operation in Azure to prevent unauthorized access to account keys.
    • Rotate the account keys periodically to invalidate pre-existing SAS tokens.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • Microsoft Enhances Teams Security in Prevention of Storm-0324 Malware Distribution

    Microsoft Enhances Teams Security in Prevention of Storm-0324 Malware Distribution

    On September 12, Microsoft released new information about threat actors Storm-0324, a group that gains initial access to systems through email-based phishing and then distributes access to other malicious groups. The transfer of access typically leads to ransomware deployment, making Storm-0324 essentially a middle-man group for system intrusion, one that specializes in initial system penetration. According to Microsoft’s insights, Storm-0324 is associated with various malware strains, including JSSLoader, which facilitates access for ransomware-as-a-service actors like Sangria Tempest (also known as ELBRUS, Carbon Spider, FIN7). In the past, Storm-0324 has been linked to the distribution of malware such as Gozi infostealer and Nymaim downloader and locker.

    An example of a typical Storm-0324 attack timeline, from Microsoft Security

    Storm-0324’s Expansive Phishing Resume

    One of the prime characteristics of Storm-0324 that makes them stand out as threat actors is their ability to craft malicious email chains. They utilize traffic distribution systems (TDS) like BlackTDS and Keitaro in order to tailor user traffic, evading detection by certain security solutions. These emails often appear as legitimate services like DocuSign and Quickbooks, baiting users to click on links that lead to SharePoint-hosted files containing malicious JavaScript. The infection chain that follows typically involves the delivery of a first-stage payload through various file formats, including Microsoft Office documents, Windows Script Files (WSF), and VBScript. According to Microsoft, these payloads have included malware like Nymaim, Gozi, Trickbot, Gootkit, Dridex, Sage ransomware, GandCrab ransomware, and IcedID.

    An example of a Storm-0324 phishing email from Microsoft Security

    Since 2019, however, Storm-0324 has predominantly been distributing JSSLoader, which ultimately hands off access to prominent ransomware actor Sangria Tempest. This handoff begins with phishing emails referencing invoices or payments, leading victims to a SharePoint site hosting a ZIP archive. Once the JavaScript within this archive is executed, a JSSLoader variant DLL is dropped, followed by additional Sangria Tempest tooling.

    New Teams Phish and Microsoft’s Response

    In recent developments, Storm-0324 has started using phishing lures sent over Microsoft Teams, leveraging a tool called TeamsPhisher to target users. Microsoft has taken proactive measures to combat these threats, suspending accounts and tenants associated with fraudulent activities. To lessen the impact of this new campaign, they have “rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders,” in essence making it clearer to Teams users when they chat with people outsize of their organization. In addition to these enhancements, they also implemented “new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant,” which will assist in the prevention of impersonation tactics utilized in social engineering.

    Microsoft recommends defenders to start implementing steps to prevent Storm-0324 attacks including:

    • Deploy authentication methods that are resilient to phishing attacks, safeguarding user credentials.
    • Require phishing-resistant authentication for employees and external users accessing critical applications, enhancing security.
    • Train users about social engineering and credential phishing threats, emphasizing caution with unsolicited messages and MFA code sharing.
    • Utilize Safe Links in Microsoft Defender for Office 365 to verify URLs and neutralize malicious links.
    • Activate ZAP in Microsoft Office 365 to quarantine and neutralize threats post-delivery.
    • Limit the use of domain-wide, administrator-level service accounts, reducing the risk of unauthorized access and malware installation.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • Human Error: The Largest Threat to our Cybersecurity

    Human Error: The Largest Threat to our Cybersecurity

    Constantly, we hear that new, emerging technologies pose the greatest threats to our cybersecurity. The fear of the unknown drives organizations to enhance their security measures, aiming to prepare for complex attacks by various threat actor groups. Countless news reports highlight new technologies and innovations in the realm of cybersecurity, all aimed at discovering, tracking, and patching vulnerabilities that could potentially be exploited. While digital vulnerabilities are crucial to consider, it’s essential to recognize that the most obvious vulnerability is quite literally right in front of our faces.

    Social Engineering and MGM’s Compromisation

    MGM is currently reeling from an extremely detrimental cyberattack, an attack that has shut down the company website, crucial systems that keep the hotels operating efficiently, and slot machines, not to mention the MGM Rewards App. “How could one gain access to such a large system and exploit it so efficiently?”, one might ask. According to Scattered Spider, the subgroup of ALPHV behind the attack, MGM was compromised by using social engineering. The hackers allegedly found an employee on LinkedIn and called the organization’s help desk to access their account. All it took was a quick Google search and a quick conversation with the help desk, who was fooled into believing the person calling was just an employee having trouble accessing their company account.  The reason for the intrusion wasn’t within MGM systems being insecure, but in fact human error.

    Why is Human Error Such a Risk?

    Social engineering, like the method employed by Scattered Spider, is a prime example of how cybercriminals exploit human error to gain unauthorized access to sensitive systems. Phishing, another common technique, preys on the human tendency to trust and respond to seemingly legitimate messages or requests. These tactics are often the most significant threats faced by companies because they target vulnerabilities at the core of cybersecurity, rather than exploiting computer systems directly. In social engineering attacks, instead of preying on vulnerable computer systems, threat actors prey upon human nature, for example in the MGM attack’s case relying on the human nature to be understanding overriding protocol that would prevent ALPHV from gaining access to their system.

    Types of Attacks that Exploit Human Error

    Social engineering attacks come in various forms, from impersonating trusted colleagues or vendors to using psychological manipulation to extract sensitive information. In many cases, these attacks don’t require advanced technical skills or complex hacking tools; they rely on the art of deception and the willingness of individuals to assist what appears to be a legitimate request. All it takes is one unsuspecting employee to fall victim to a social engineering attack for cybercriminals to gain a foothold within an organization.

    Some types of social engineering attacks from malicious actors that rely on human error include:

    • Pretexting: Pretexting involves creating a fabricated scenario or pretext to obtain information from individuals. Attackers often pose as someone trustworthy, such as a co-worker, customer, or even a government official. By building a credible backstory, they convince the target to share sensitive information or perform certain actions. For example, an attacker might impersonate a company executive and request financial data from an employee, exploiting their trust in the executive’s authority.
    • Phishing: Phishing attacks, as mentioned earlier, use deceptive emails, messages, or websites to trick recipients into revealing personal information, login credentials, or financial details. These messages can appear highly convincing, often mimicking reputable organizations, banks, or government agencies. Threat actors create a sense of urgency or fear to manipulate recipients into taking immediate action, such as clicking on a malicious link or downloading a harmful attachment.
    • Baiting: Baiting attacks entice victims by offering something appealing, like free software, music downloads, or other enticing digital content. The attacker typically disguises malicious code within the enticing offer. When victims download the bait content, they unknowingly infect their systems with malware, giving attackers access to sensitive information and/or control over the compromised device.
    • Tailgating and Piggybacking: Physical security is just as vital as digital security. In these types of attacks, individuals gain unauthorized access to secure areas by exploiting trust or exploiting the kindness of others. Tailgating involves an attacker closely following an authorized person into a restricted area, while piggybacking occurs when an attacker convinces someone to hold a door open for them. Both methods capitalize on the human tendency to be polite and helpful.
    • Quid Pro Quo: In quid pro quo attacks, attackers offer something in exchange for information or access. For instance, they might pose as IT support and promise to fix a non-existent issue on a victim’s computer. In return, they request the victim’s login credentials or other confidential information. This type of social engineering leverages the victim’s desire for immediate help or gain.

    Conclusion

    The recent MGM cyberattack is only one example in a relentless slew of social engineering attacks that aim to exploit the ever-so vulnerable human nature. Social engineering and phishing attacks, which manipulate individuals rather than computer systems, will continue to pose substantial risks to organizations, which is why it’s incredibly necessary for organizations to provide proper cybersecurity training to employees. All it takes is one small foothold: a click on a phishing link, a held-open door for an attacker to enter the building, or secure information given from an IT help desk to a threat actor pretending to be an employee.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • ALPHV/BlackCat Hacker Group Claims Responsiblity for MGM Resorts Ransomware Attack

    ALPHV/BlackCat Hacker Group Claims Responsiblity for MGM Resorts Ransomware Attack

    MGM Resorts is currently scrambling to recover from a powerful ransomware attack that happened last Monday, causing a substantial amount of network systems to go down. Company websites as well as many crucial systems are currently offline, including the MGM app, which facilitates reservations, acts as a digital key to unlock rooms, and allows users to pay for food. MGM made an announcement on X acknowledging the attack at 11:30 AM Monday.

    https://twitter.com/MGMResortsIntl/status/1701256032369164399

    The question arises: how could such a complex system have been compromised so easily? According to malware archive vx-underground on X, ALPHV was able to gain access to the MGM systems by socially engineering an IT helpdesk employee they found on LinkedIn. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” vx-underground said in their tweet from Tuesday night.

    Vx-underground goes on to further suggest that MGM Grand will not meet ALPHV’s demands, commenting: “In our opinion, MGM will not pay,” meaning that the issue could last a while, at least until MGM takes action to replace compromised systems. The ransomware attack has also caused substantial delay in helping customers, as shown by this video from Tuesday at MGM Bellagio.

    Ryan McConechy, CTO of Barrier Networks, said it’s often typical for organizations with systems as large and as complicated as MGM’s to shut down in order to prevent further enumeration. “Until MGM provides more information, it’s not clear the exact reason why they decided to take this action…maybe to prevent active attackers pivoting or malware spreading…but it is a very costly move,” McConechy stated. “For every minute the gaming floor was down, MGM was losing money. Likewise, with reservations and their websites still being down, the company continues to suffer massive financial losses,” he explained. As of Wednesday, the MGM website is still unavailable, as well as many slot machines in various MGM casinos.

    What is ALPHV/BlackCat?

    BlackCat, alternatively referred to as ALPHV, emerged onto the ransomware scene in November 2021. Specifically, BlackCat operates as a ransomware-as-a-service (RaaS) entity and ranks among the most sophisticated RaaS ventures to date. BlackCat ransomware is meticulously engineered to resist removal efforts and may make attempts to incapacitate antivirus software or other protective measures. Additionally, it can tamper with system files and configurations to establish a persistent presence and complicate the recovery process after an attack. The culprits behind BlackCat ransomware demand payment, typically in the form of cryptocurrency like Bitcoin, in exchange for the decryption key. Victims may also encounter a message on their screens containing instructions on how to fulfill the ransom payment and obtain the decryption key.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • Apple Releases Patch for Zero-Day iOS, macOS Vulnerabilities BLASTPASS

    Apple Releases Patch for Zero-Day iOS, macOS Vulnerabilities BLASTPASS

    Apple has just rolled out a crucial security update for iPhones and iPads in response to the discovery of newly identified vulnerabilities CVE-2023-41064 and CVE-2023-41061 in their system software. These vulnerabilities, also known as “BLASTPASS,” were found by researchers at the University of Toronto’s Citizen Lab, who revealed that the flaw was actively being exploited to distribute Pegasus, a commercial spyware developed by the Israeli company NSO Group. BLASTPASS is a serious duo of vulnerabilities, specifically because of their clickless nature: they only require a user to load an image or attachment in order to be exploited.

    CVE-2023-41064 is a buffer overflow issue fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and CVE-2023-41061 is a validation issue fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. Both vulnerabilities, when exploited, result in remote code execution. Neither of the vulnerabilities have CVSS scores at this time. Citizen Lab strongly advises all users to take immediate action and update their devices.

    How To Install the Update:

    1. Access Your Settings: Open the Settings app on your iPhone or iPad.
    2. Navigate to General: Within Settings, select “General.”
    3. Find Software Update: Scroll down and tap on “Software Update.”
    4. Install iOS 16.6.1: You should see the iOS 16.6.1 software update listed. Tap it to begin the installation.

    If you don’t immediately spot the update, follow these steps:

    1. Check Your iOS Version: Return to the General page and tap “About” to confirm your iOS version. If it’s 16.6.1, you already have the update installed.
    2. Update Older Versions: If your device is still running 16.6 or an earlier version, repeat the previous steps.
    3. Restart Your Phone: If you still don’t see the update, try restarting your phone.
    4. Verify Internet Connection: Double-check your internet connection to ensure it’s stable. Then, wait a bit and try checking for the update again.

    It is absolutely necessary to update your IOS devices as soon as possible in order to negate the effects of the BLASTPASS vulnerabilities.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • Prompt Injection: Generative AI’s Largest Vulnerability

    Prompt Injection: Generative AI’s Largest Vulnerability

    With the popularization of generative AI tools like ChatGPT, information has become increasingly easy to retrieve. Ask it anything, and ChatGPT will respond to the best of its ability, modifying itself to your prompt’s specifications as best it can. The more detailed the prompt, the more specific of a response you can get from an LLM (large language model) like ChatGPT. Naturally, the bot has filtrations as well. “OpenAI employs a response filtration system to filter out inappropriate, biased, or harmful content generated by the model,” was ChatGPT’s response when asked about the content filtration system. What’s been discovered, though, particularly through online communities utilizing ChatGPT for entertainment purposes, is that with a specific set of instructions a prompter is able to exploit the chatbot, “jailbreaking” it to disregard the content filtration system. This is only one of the several vulnerabilities that are becoming apparent in LLMs, vulnerabilities that will need to be kept in check as LLMs become more regularly used by organizations. The Open Worldwide Application Security Project (OWASP) recently published the OWASP Top 10 for LLM which details this jailbreaking method, known as prompt injection.

    What is Prompt Injection?

    “Direct Prompt Injections, also known as ‘jailbreaking’, occur when a malicious user overwrites or reveals the underlying system prompt. This may allow attackers to exploit backend systems by interacting with insecure functions and data stores accessible through the LLM,” OWASP describes in their report. Users inject a highly detailed prompt into the LLM that allows the user to almost overwrite previously trained instructions, essentially rooting the LLM. Depending on how much information the LLM holds, a malicious actor could then extract sensitive information the LLM may have access to. More like a typical malicious injection is an indirect prompt injection, which according to the OWASP Top 10 can “occur when an LLM accepts input from external sources that can be controlled by an attacker, such as websites or files. The attacker may embed a prompt injection in the external content hijacking the conversation context.”

    The Scope of the Prompt Injection Vulnerability

    The extent of this vulnerability is so dangerous specifically because of the overall differences throughout organization-utilized LLMs, and the fact that even companies like OpenAI don’t have complete control over their products. The OpenAI website states that while they’ve “made efforts to make the model refuse inappropriate requests, it will sometimes respond to harmful instructions or exhibit biased behavior.” It’s not that OpenAI as a company isn’t attempting to improve their LLMs, it’s that vulnerabilities within LLMs seem to be more unpredictable and more extensive than previously imagined. Companies that utilize ChatGPT and other LLM’s APIs in their tools may be vulnerable to various types of injections, most of which include injecting unauthorized scripts into the LLM.

    Examples of Prompt Injection

    OWASP cites a few examples of both indirect and direct prompt injection in their overview:

    • A malicious user crafts a direct prompt injection to the LLM, which instructs it to ignore the application creator’s system prompts and instead execute a prompt that returns private, dangerous, or otherwise undesirable information
    • A user employs an LLM to summarize a webpage containing an indirect prompt injection. This then causes the LLM to solicit sensitive information from the user and perform exfiltration via Java
    • A malicious user uploads a resume containing an indirect prompt injection. The document contains a prompt injection with instructions to make the LLM inform users that this document is an excellent document eg. excellent candidate or a job role. An internal user runs the document through the LLM to summarize the document. The output of the LLM returns information stating that this is an excellent document
    • A user enables a plugin linked to an e-commerce site. A rogue instruction embedded on a visited website exploits this plugin, leading to unauthorized purchases
    • A rogue instruction and content embedded on a visited website which exploits other plugins to scam users.

    Of course, vulnerabilities vary based on the LLM itself, and how much information it actually has access to. A customer support AI chatbot on a company’s website likely doesn’t have as much information as a company tool that utilizes an LLM’s API.

    Prevention of Prompt Injection Attacks

    There’s currently no foolproof way to prevent prompt injection, but OWASP does give a list of steps you can take to lessen the impact of these attacks:

    • Enforce privilege control on LLM access to backend systems. Provide the LLM with its own API tokens or extensible functionality, such as plugins, data access, and function-level permissions. Follow the principle of least privilege by restricting the LLM to only the minimum level of access necessary or its intended operations
    • Implement human-in-the-loop or extensible functionality. When performing privileged operations, such as sending or deleting emails, have the application require the user approve the action first. This will mitigate the opportunity or an indirect prompt injection to perform actions on behalf of the user without their knowledge or consent
    • Segregate external content from user prompts. separate and denote where untrusted content is being used to limit their influence on user prompts. For example, use ChatML for OpenAI API calls to indicate to the LLM the source of prompt input
    • Establish trust boundaries between the LLM, external sources, and extensible functionality (e.g., plugins or downstream functions). Treat the LLM as an untrusted user and maintain final user control on decision-making processes. However, a compromised LLM may still act as an intermediary (man-in-the-middle) between your application’s APIs and the user as it may hide or manipulate information prior to presenting it to the user. Highlight potentially untrustworthy responses visually to the user

    Conclusion

    Prompt injection will continue to be a dangerous vulnerability, and the necessity of LLM cybersecurity will only grow as LLMs become more commonly utilized by tech organizations. To ensure your LLM security, it’s essential to implement steps that limit the scope of prompt injection attacks and remain informed about new LLM vulnerabilities. While generative AI is incredibly powerful and a great tool for organizations, utilizing APIs from LLMs comes with a risk, so it’s important to make educated decisions while implementing it into your organization.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • Protecting Your MSSQL Databases: Defending Against the FreeWorld Ransomware Threat

    Protecting Your MSSQL Databases: Defending Against the FreeWorld Ransomware Threat

    The .txt file generated by FreeWorld ransomware, from Securonix Threat Research

    A new cyberattack campaign named “DB#JAMMER” has emerged, specifically targeting exposed Microsoft SQL Server (MSSQL) databases. The implications of this campaign are nothing short of severe, especially for organizations relying on this technology, as DB#JAMMER is no ordinary cyberattack; it’s a well-choreographed assault that employs intricate tactics, including relentless brute-force attacks aimed at breaching MSSQL servers. Once these digital intruders gain access, they unleash a barrage of malicious payloads, comprising ransomware and the notorious Cobalt Strike. The aftermath of such an attack can be catastrophic, as it wreaks havoc on compromised systems. Securonix, a leading cybersecurity research firm, has been at the forefront of investigating this threat. They’ve diligently uncovered the inner workings of DB#JAMMER, shedding light on its complex attack sequence and the potential havoc it can wreak on businesses worldwide.

    The Attack Sequence

    DB#JAMMER is not your run-of-the-mill cyberattack; it follows a meticulously orchestrated sequence of steps designed to infiltrate and compromise MSSQL databases:

    • Initial Access: The campaign commences with determined brute-force attempts to gain unauthorized access to exposed MSSQL databases. These relentless efforts allow the attackers to breach the first line of defense.
    • Expanding Foothold: Once inside, the attackers embark on expanding their presence within the target system. They capitalize on the compromised MSSQL server as a strategic launching pad for a multitude of malicious payloads.
    • Payload Delivery: The attackers, operating with precision, unleash an array of malicious payloads. Among them are remote-access Trojans (RATs) and a recently discovered ransomware variant known as “FreeWorld.” This ransomware strain earned its moniker due to its distinct characteristics, including file names containing “FreeWorld,” a ransom instruction file titled FreeWorld-Contact.txt, and the “.FreeWorldEncryption” extension used for encrypted files.
    • Establishing Persistence: To ensure they maintain control over the compromised system, the threat actors take further steps. They create a remote SMB share to house their malicious tools. Within this repository, you’ll find a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk. Additionally, they employ a network port scanner and Mimikatz, a tool for extracting credentials and moving laterally within the network.
    • Configuration Changes: The attackers don’t stop at payload delivery; they also make strategic configuration changes. These alterations include creating or modifying user accounts and tweaking registry settings, all intended to hinder the system’s natural defenses.

    An Ongoing Threat

    As of the latest updates, the DB#JAMMER campaign still poses a significant threat. Although it seems to have specific targets initially, the campaign’s risk remains dangerous. This is because there are signs that the attackers might go beyond attacking just MSSQL databases, possibly affecting a wider range of systems and organizations. “At this point, our current assessment indicates a medium to high risk level because there are indications that the infiltration vectors employed by the attackers may extend beyond MSSQL,” emphasized Oleg Kolesnikov, Vice President of Threat Research and Cybersecurity at Securonix. Kolesnikov also mentions that the DB#JAMMER campaign was unique in its complex patterning, which means that if broadened the attacks could be devastating. “This is not something we have been seeing often, and what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors,” he points out. This evolving threat landscape emphasizes the importance of organizations strengthening their defenses, not only for MSSQL databases but for their entire digital infrastructure, to protect against the growing danger of DB#JAMMER.

    Protecting Your MSSQL Databases

    To fortify your defenses against threats like DB#JAMMER and ransomware in general, consider adopting the following security measures:

    • Limit Internet Exposure: Reduce your attack surface by restricting the exposure of MSSQL services to the internet. If feasible, avoid allowing external connections, as weak account credentials are often exploited through these avenues.
    • Implement Comprehensive Defenses: Develop a profound understanding of the attack progression and behaviors leveraged by malicious actors. Consider disabling or tightly restricting the use of potentially risky features like “xp_cmdshell.”
    • Enhance Logging: Augment your security posture by monitoring common malware staging directories, with particular focus on “C:\Windows\Temp.” Deploy additional process-level logging tools like Sysmon and PowerShell logging to enhance your detection capabilities.
    • Stay Informed: Stay vigilant and informed about the ever-evolving landscape of cybersecurity threats and trends. This knowledge will empower you to adapt your security measures accordingly, ensuring you stay one step ahead of potential attackers.

    In an era marked by a surge in ransomware attacks, safeguarding your MSSQL databases is no longer just a choice—it’s an absolute necessity. Implementing these proactive security measures can significantly strengthen your defenses against potent threats like FreeWorld ransomware, allowing you to safeguard your invaluable data. In today’s ever-evolving threat landscape, staying ahead is not a luxury; it’s essential to protect the critical assets and operations relying on MSSQL databases.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact

  • Critical Vulnerability in Hikvision Surveillance Cameras Points to Greater Issue Within the IoT

    Critical Vulnerability in Hikvision Surveillance Cameras Points to Greater Issue Within the IoT

    Security researchers from Cyfirma recently discovered that over 80,000 Hikvision surveillance cameras are still susceptible to a critical vulnerability that was patched in a security update over 2 years ago. CVE-2021-36260, which was added to the National Vulnerability Database in January of 2022, allows attackers to exploit Hikvision cameras due to their lack of input validation. Attackers exploiting this vulnerability can send malicious HTTP requests to the camera’s web server through server port 443, allowing them to immediately root the device. The unrestricted root shell gives the attacker access to camera data, enables them to enlist the camera in a botnet, and allows them to attack the camera server further. The vulnerability has a CVSS score of 9.8, just 0.2 points shy of reaching the maximum possible score. 

    The Scope of the Hikvision Vulnerability 

    Despite being an extremely critical vulnerability, the security update that neutralizes CVE-2021-36260 has yet to be implemented by a multitude of organizations, 2300 in total across 100 different countries according to Cyfirma. It spans across several different older versions of Hikvision firmware as well. “The vulnerability affects Hikvision products that use firmware versions V5.5.0 and earlier, V5.6.0 to V5.6.10, and V5.7.0 to V5.7.3,” noted Check Point Research.

    Top 10 Countries Using Vulnerable Hikvision Camera Products | Source: Cyfirma

    IoT Devices Require Stronger Security

    Cyfirma believes that Chinese threat groups such as MISSION2025/APT41, APT10, and even various Russian threat actor groups could potentially exploit the security cameras. “Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment,” Cyfirma wrote in their report. It seems that the issues caused by the simple lack of these security firmware updates are extremely expansive in nature, almost too expansive to main unpatched in so many instances. Why haven’t all the companies with outdated firmware pushed out the update to all their cameras? Overall, the organizations that deal with IoT devices like Hikvision cameras require more powerful security measures, including regular password updates and robust access controls, in order to further fortify the security of their systems. 

    The Vulnerability of the IoT 

    The commonality of CVE-2021-36260 2 years after the security patch shows the broader challenge with securing IoT devices. As Paul Bischoff, a privacy advocate with Comparitech, points out, “IoT devices such as cameras are not always as straightforward to secure as mobile applications. Updates are not automated; users must manually download and install them, and many users may never receive the notification.” Additionally, IoT devices may not offer clear indications of their security status and/or whether they require updates, unlike more user-friendly systems like smartphones. This makes the devices much harder to secure, which in the grand scheme of things leaves many devices vulnerable to exploitation. The situation is further exacerbated by the fact that some Hikvision cameras are shipped with preset passwords, which users often neglect to change. Because of these issues, it is imperative for organizations and users to take proactive measures in securing their IoT devices, including promptly applying security updates as soon as they come out and configuring robust access controls to mitigate the risks associated with vulnerabilities like CVE-2021-36260. Failure to do so not only puts your devices risk but also poses potential threats to the broader network and organizational security. 

    Conclusion

    In conclusion, the fact that over 80,000 Hikvision surveillance cameras are still vulnerable to a critical security flaw despite a security update being available for over two years highlights the essential importance of regularly updating your IoT devices, including Hikvision cameras, to the latest firmware. Neglecting security updates not only puts these devices at risk but also leaves them susceptible to exploits. It’s necessary that all owners of Hikvision cameras update their firmware as soon as possible to avoid this issue. Keeping both your firmware and your team updated is the best way to avoid exploitation. 

    How Can Netizen Help? 

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.  

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers. 

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.  

    Questions or concerns? Feel free to reach out to us any time –  

    https://www.netizen.net/contact

  • Netizen Cybersecurity Bulletin (August 28th, 2023)

    Overview:

    • Phish Tale of the Week
    • North Korean Hackers Could be About to Cash Out 41 Million in Stolen Bitcoin
    • New WinRAR Zero-Day Vulnerability Could Install Malware When You Unzip Files
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors and come in many different forms. In this instance, we see a phishing scam targeting PayPal users with what appears to be a link that’s supposed to “reactivate your account.” PayPal says that our account has been limited, and clicking on this link is supposed to bring everything back to normal. There’s been unauthorized activity on our account, and the email seems urgent, so why don’t we click on that link and find out what’s been going on? Luckily, there’s plenty of reasons that point to this being a phishing scam.

    Here’s how we can tell not to click on this link:

    1. The first red flag in this message is the senders’ addresses. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the sender utilized email spoofing in order to change their email to “service@intl.limited.com” in order to make it seem more legitimate. In the future, review the sender’s address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning signs in this email is the messaging. This message tries to create a sense of urgency by using different phrases like “we noticed some unusual activity” and “Please take action on your account soon.” Phishing scams commonly attempt to create a sense of urgency in their emails in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the messaging of all emails in your inbox before clicking on a link in your email.
    3. The final warning sign for this email is the lack of legitimate PayPal information. Fortune 500 companies and similar organizations standardize all email communications with customers. Support links, addresses, acceptable use policies, and other information is always provided at the bottom of each email, along with options to unsubscribe or change messaging preferences. This email lacks all of the parts of a credible PayPal email and can be immediately detected as a phishing attempt.


    General Recommendations:

    phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    North Korean Hackers Could be About to Cash Out 40 Million in Stolen Bitcoin

    The FBI has recently issued a warning concerning several cryptocurrency wallets believed to hold millions of dollars in stolen Bitcoin assets.

    “Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People’s Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38),” the warning from August 22nd reads. “The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40 million dollars.”

    This warning isn’t the first time the Lazarus Group has been in crypto-theft news either. The FBI reports that they’ve been behind several recent attacks, including:

    1. June 22, 2023: They stole $60 million worth of virtual currency from Alphapo.
    2. June 22, 2023: Another heist saw them steal $37 million worth of virtual currency from CoinsPaid.
    3. June 2, 2023: They managed to steal $100 million in virtual currency from Atomic Wallet.

    Previously, the hackers also stole assets in attacks against Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge, and were sanctioned by the U.S. Department of Treasury’s Office of Foreign Assets Control in 2019.

    The agency has pinpointed the six addresses currently being tracked that are holding the 1580 stolen Bitcoin:

    1. 3LU8wRu4ZnXP4UM8Yo6kkTiGHM9BubgyiG
    2. 39idqitN9tYNmq3wYanwg3MitFB5TZCjWu
    3. 3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB
    4. 3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk
    5. 3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc
    6. 34VXKa5upLWVYMXmgid6bFM4BaQXHxSUo

    The FBI’s directive is clear: “Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses.” Interacting with these addresses, directly or indirectly, could inadvertently support illicit activities and fund criminal operations.

    The Lazarus Group’s cryptocurrency heists make clear the apparent need to upscale security regarding cryptocurrency. It’s imperative that organizations take immediate action to enhance their crypto-related cybersecurity posture. This includes bolstering security training about cryptocurrency for all personnel, keeping record of cryptocurrency transactions, and keeping a close eye to what cryptocurrency wallets you and your organization interact with.

    In these times, staying one step ahead in the ever-evolving world of cybersecurity isn’t just advisable—it’s essential. Your organization’s digital assets and financial future hinge on your proactive efforts to heighten awareness and be informed.

    To read more about this article, click here.

    New WinRAR Zero-Day Vulnerability Could Install Malware When You Unzip Files

    If you’re a WinRAR user, it’s crucial to stay informed about a recent security concern that demands your immediate attention. Reports have surfaced regarding a zero-day vulnerability within WinRAR, a widely used software for compressing and decompressing files. This particular vulnerability, assigned the identifier CVE-2023-40477, stems from an issue related to the validation of user-supplied data when opening an archive file. It can lead to memory access beyond allocated buffers, a serious problem that enables attackers to exploit it, earning the vulnerability a high CVSS severity rating of 7.8.

    This vulnerability was initially discovered by a vigilant security researcher known as “goodbyeselene” on June 8. In response, the software maintainers took swift action and released an updated version, WinRAR 6.23, on August 2, 2023, before the vulnerability was publicly disclosed by ZDI on August 17. This new version not only fixes the critical zero-day vulnerability but also addresses other security flaws that have come to light in recent months, including a flaw where “WinRAR could start a wrong file after a user double clicked an item in a specially crafted archive,” according to Group-IB researcher Andrey Polovinkin.

    This zero-day vulnerability had significant implications, with threat actors using it to their advantage. They crafted ZIP archives designed to serve as carriers for various malware families. These weaponized ZIP archives were distributed on trading forums, and once extracted and executed, the embedded malware enabled threat actors to withdraw money from broker accounts. “By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families,” Polovinkin stated. “This vulnerability has been exploited since April 2023.”

    To safeguard your personal or business computer, it’s imperative to take action immediately. Upgrade to WinRAR version 6.23, the release that addresses the vulnerability and several other security concerns. By keeping your software up to date and remaining cautious when dealing with unfamiliar files, you can reduce the risk of falling victim to such threats.

    In conclusion, the WinRAR zero-day vulnerability serves as a reminder that threats are constantly updating, and that being safe from these threats requires you to stay up to date on recent vulnerabilities. Stay proactive, keep your software current, and exercise caution to protect your system from evolving threats. Your system’s security is in your hands.

    To read more about this article, click here.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.