Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • Netizen Cybersecurity Bulletin (October 30th, 2025)

    Netizen Cybersecurity Bulletin (October 30th, 2025)

    Overview:

    • Phish Tale of the Week
    • CISA Orders Federal Agencies to Patch VMware Tools Vulnerability Exploited by Chinese State Hackers
    • YouTube Ghost Network: 3,000 Malware-Infested Videos Used to Spread Credential Stealers Across Compromised Channels
    • How can Netizen help?

    Phish Tale of the Week

    Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this text message, the actors are appearing as the USPS and informing you that action needs to be taken regarding your package’s delivery. The message politely explains that “USPS” is holding our package that we ordered at “the warehouse,” and that we just need to confirm our address in order to get it delivered. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this smishing link:

    1. The first warning sign for this SMS is the fact that it includes a URL in the message. Typically, companies will send notifications like this through SMS, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
    2. The second warning signs in this text is the messaging. This message tries to create a sense of urgency and get you to take action by using language such as “Within the next 12 hours” and “Please confirm.” Phishing and smishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
    3. The final warning sign for this email is the style of the link. After a quick look at the address, one can quickly deduce that we’ve been sent a phishing link. Trusted companies like USPS typically will use a simple, standardized domain as their website. For example, USPS’s official website is simply “usps.com.” Threat actors typically will utilize message-related words in the links they send you. After taking one quick look at the URL, “uspz.usspaob.top,” it’s very obvious that this text is an attempt at a smish.


    General Recommendations:

    smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    CISA Orders Federal Agencies to Patch VMware Tools Vulnerability Exploited by Chinese State Hackers

    The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch a high-severity vulnerability in Broadcom’s VMware Aria Operations and VMware Tools after confirming that it is being exploited by Chinese hackers. The flaw, tracked as CVE-2025-41244, allows a local attacker with limited privileges to gain root access on a virtual machine managed by Aria Operations when SDMP is enabled.

    CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, which lists security flaws known to be used in real-world attacks. Federal Civilian Executive Branch agencies have until November 20 to apply patches as required under Binding Operational Directive 22-01. The agency warned that unpatched systems remain exposed to ongoing attacks and urged organizations outside the federal government to also apply updates as soon as possible.

    Broadcom patched the issue one month ago following reports from security researcher Maxime Thiebaut at NVISO, who discovered that a Chinese state-sponsored actor identified as UNC5174 had been exploiting it since October 2024. Thiebaut released proof-of-concept code showing how an attacker could use the vulnerability to escalate privileges on both Aria Operations and VMware Tools installations, granting full control over the affected virtual machine.

    UNC5174, which Google Mandiant has described as a contractor for China’s Ministry of State Security, has been involved in several major intrusions over the past two years. The group was observed selling access to compromised U.S. defense contractors, British government entities, and Asian institutions after exploiting other high-profile vulnerabilities such as CVE-2023-46747 in F5 BIG-IP, CVE-2024-1709 in ConnectWise ScreenConnect, and CVE-2025-31324 in SAP NetWeaver.

    Since the beginning of 2025, Broadcom has released patches for three other VMware zero-days and addressed two additional high-severity issues in VMware NSX reported by the National Security Agency. These repeated discoveries highlight the growing focus of advanced threat actors on virtualization platforms, which serve as gateways to large numbers of sensitive systems once compromised.

    CISA’s latest directive emphasizes that these vulnerabilities remain a common path for intrusions into government networks and that patching is the most effective mitigation. Agencies and private organizations using affected VMware products are advised to follow Broadcom’s guidance, verify their environments for exposure, and apply available fixes without delay.

    To read more about this article, click here.

    YouTube Ghost Network: 3,000 Malware-Infested Videos Used to Spread Credential Stealers Across Compromised Channels

    A new report from Check Point has revealed a widespread campaign that weaponized YouTube to distribute malware at scale. Dubbed the “YouTube Ghost Network,” the operation involved more than 3,000 videos published across hundreds of compromised channels, many of which had been active since 2021. These videos masqueraded as legitimate tutorials for pirated software or gaming cheats but instead directed users to malware downloads.

    The malicious uploads, often disguised with convincing visuals, likes, and comments, were designed to appear trustworthy. Some received well over 200,000 views before being removed. The network relied heavily on hacked accounts whose original content was replaced with fake installation guides for cracked software. Victims were lured to download supposed installers from file-sharing platforms such as MediaFire or Dropbox, or from phishing pages hosted on Google Sites and Blogger. Each of these locations contained hidden payloads leading to information-stealing malware.

    Researchers found that the operation was built on a structured, role-based system that assigned functions to different account types. “Video accounts” uploaded the infected videos and pinned download links. “Post accounts” promoted those same links through YouTube’s community tab. “Interact accounts” boosted engagement by liking and commenting on the videos to create a false sense of credibility. This setup allowed the operators to replace banned or removed accounts quickly without disrupting the campaign, maintaining a continuous presence across YouTube.

    The network’s organization made it difficult for automated moderation systems to shut it down completely. Even after Google removed a majority of the videos, new ones continued to appear through replacement accounts. Some evidence suggests that the network might operate as a form of “distribution-as-a-service,” meaning multiple groups could be leasing access to it to spread different strains of malware.

    Malware families linked to the Ghost Network include Lumma Stealer, Rhadamanthys Stealer, RedLine Stealer, StealC, and Phemedrone. These tools are designed to harvest browser credentials, cryptocurrency wallets, and authentication tokens from infected devices. One hijacked channel with over 120,000 subscribers was caught hosting a fake Adobe Photoshop installer that deployed Hijack Loader, which in turn downloaded Rhadamanthys.

    Check Point noted that the growth of this network mirrors a broader shift in cybercrime tactics toward using legitimate platforms as delivery systems. Attackers exploit engagement metrics and user trust rather than relying solely on traditional phishing emails or malicious ads. By embedding malware campaigns within well-known services, they gain both reach and credibility.

    The report emphasized that the success of operations like the YouTube Ghost Network demonstrates how cybercriminals are adapting to new content ecosystems. By leveraging social media features such as likes, comments, and community posts, they are able to scale attacks while maintaining the appearance of legitimacy.

    Google confirmed that it has removed most of the identified malicious content and continues to work with security researchers to track and disrupt these activities. Still, the campaign shows that large-scale content networks can be turned into malware delivery systems when trust mechanisms are abused, and that vigilance from both platforms and users remains the only reliable defense against such evolving tactics.

    To read more about this article, click here.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Aisuru Botnet Shifts From DDoS to Residential Proxies

    Aisuru Botnet Shifts From DDoS to Residential Proxies

    Aisuru, the botnet known for unleashing several record-breaking DDoS attacks this year, has shifted focus. Instead of flooding networks with traffic, its operators are now renting out infected Internet of Things (IoT) devices as residential proxies. This move turns a once-destructive campaign into a profitable, quieter business model. The infected devices now serve as relays for customers seeking to hide their online activity, blending malicious traffic with that of everyday home users.

    From Massive Attacks to Silent Rentals

    The botnet first appeared in August 2024 and has since compromised at least 700,000 IoT systems, including routers, digital video recorders, and security cameras. At its peak, Aisuru was capable of generating attacks exceeding 30 terabits per second. In June, it launched a 6.3-terabit-per-second assault against KrebsOnSecurity, one of the largest attacks Google’s mitigation network had ever recorded.

    Such attacks did more than target single websites, they caused collateral damage across entire Internet service providers. When Aisuru’s nodes were used for outbound DDoS traffic, the resulting data floods sometimes reached over a terabit per second per provider, overloading routers and affecting legitimate customers. Federal authorities and major ISPs in both the United States and Europe have since begun cooperating to identify and block the botnet’s infrastructure.

    The Rise of the Residential Proxy Economy

    Recent updates to Aisuru’s malware turned its infected devices into part of the residential proxy market. Proxy services lease access to these devices, letting customers mask their online traffic as if it came from legitimate household connections. While proxies have valid business uses such as price monitoring or web analytics, they are often abused to disguise cybercrime operations including ad fraud, credential stuffing, and large-scale scraping.

    This market has grown explosively. Data collected from monitoring services indicates that hundreds of millions of residential IPs are now available for rent. Much of this surge is likely tied to botnets like Aisuru, which provide a steady influx of compromised devices. The abundance of residential proxies has become a valuable resource for data harvesting operations supporting artificial intelligence projects, particularly those training large language models on scraped content.

    Exploiting SDKs for Bandwidth and Profit

    Many proxy networks expand their reach through software development kits bundled into mobile or desktop apps. These SDKs often claim user consent but can quietly convert a device into a traffic relay. Infected devices under Aisuru’s control may be forced to install such SDKs automatically, allowing the botmasters to profit each time bandwidth from those devices is sold to proxy services.

    Researchers have linked parts of this ecosystem to companies in China operating under collective brands like HK Network. These entities manage multiple proxy services that resell bandwidth among themselves, complicating efforts to track their true ownership and size. The structure allows them to market large proxy pools under different names while remaining largely anonymous.

    Impact on the Internet and AI Infrastructure

    This shift from DDoS to proxy operations has significant consequences. Instead of causing short-lived outages, the infrastructure now supports long-term, large-scale data scraping that burdens websites, APIs, and open-source projects. Some maintainers report that nearly all of their incoming traffic now comes from automated crawlers feeding AI systems.

    The strain has grown so severe that companies like Cloudflare are testing “pay-per-crawl” systems to let website owners charge AI bots for access. Others, like Reddit, have begun legal action against proxy providers accused of enabling large-scale scraping in violation of platform policies.

    Implications for Security Teams

    For security operations centers and network defenders, this evolution demands new detection methods. Malicious traffic now originates from residential IPs, making it far harder to distinguish from legitimate user activity. Traditional blocklists and data-center IP reputation checks no longer suffice. Behavioral indicators—such as simultaneous long-duration sessions, abnormal bandwidth usage, or repetitive access patterns—are now key signals.

    Monitoring outbound flows from IoT networks, enforcing segmentation, and maintaining strict firmware update policies are critical steps in preventing internal devices from being hijacked into proxy networks. Collaboration with ISPs and intelligence-sharing groups will also be vital as these hybrid proxy-botnets continue to expand.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: Monday Security Brief (10/27/2025)

    Netizen: Monday Security Brief (10/27/2025)

    Today’s Topics:

    • Chrome Zero-Day Exploited Through Spyware Built by Hacking Team Successor
    • Persistent Hidden Commands Found in ChatGPT Atlas Browser Memory
    • How can Netizen help?

    Chrome Zero-Day Exploited Through Spyware Built by Hacking Team Successor

    ZERO-DAY text and binary code concept from the desktop computer screen,ZERO-DAY vulnerability concept (also known as a 0-day)A zero-day vulnerability is a flaw in software or hardware.

    A zero-day vulnerability in Google Chrome has been tied to a spyware operation run by Memento Labs, the rebranded successor of the notorious Hacking Team. The flaw, identified as CVE-2025-2783, was discovered by Kaspersky researchers earlier this year and used in a campaign known as Operation ForumTroll. The attackers targeted both government and private sector organizations in Russia and Belarus, deploying a spyware tool called Dante.

    After the 2015 breach that exposed Hacking Team’s internal files and source code, many believed the company was finished. In 2019, it was acquired by IntheCyber Group and relaunched under a new name: Memento Labs. By 2023, the company unveiled Dante, a new surveillance platform that analysts now say is a direct evolution of the old Remote Control Systems (RCS) spyware.

    Kaspersky’s report revealed that despite claims of a clean restart, Dante contains striking similarities to Hacking Team’s earlier work. This finding highlights how the commercial spyware industry has persisted through name changes and acquisitions, continuing to supply tools for government-linked surveillance.

    The attacks began through targeted phishing messages containing short-lived links. Once clicked, they delivered a Chrome exploit that used an unusual quirk in Windows to bypass browser sandboxing. Boris Larin, principal security researcher at Kaspersky, explained that the vulnerability involved how Windows handles pseudo handles, or constant values representing objects inside privileged processes.

    By exploiting this flaw, attackers managed to disable Chrome’s sandbox protections and execute malicious code without triggering alarms. Larin described the exploit as one of the most unusual sandbox escapes Kaspersky has ever encountered, warning that the same logic flaw might exist in other Windows services or applications. He also called the DuplicateHandle API a dangerous function that should reject pseudo handles altogether to prevent privilege escalation.

    The spyware behind the campaign, Dante, was heavily protected by VMProtect, an obfuscation tool that makes reverse engineering difficult. Every string within the code was encrypted, though once decrypted, researchers found unmistakable indicators that tied the program to Memento Labs.

    According to Kaspersky, the spyware was not directly observed in Operation ForumTroll but was linked to other attacks involving the same infrastructure and coding patterns. These overlaps suggest that Memento’s spyware ecosystem has been active since at least 2022, operating quietly through multiple campaigns.

    The case demonstrates how commercial spyware vendors continue to drive zero-day exploitation across widely used platforms such as Chrome and iOS. Companies like Memento Labs operate under the guise of providing lawful surveillance tools, yet their products often end up in politically motivated campaigns that target journalists, activists, and foreign government entities.

    Public exposure and company rebranding have done little to slow this market. Despite the downfall of Hacking Team a decade ago, its descendants continue to build and sell advanced intrusion frameworks. Each reappearance underscores the difficulty of dismantling the commercial spyware ecosystem, which thrives on the global demand for offensive cyber capabilities.

    Persistent Hidden Commands Found in ChatGPT Atlas Browser Memory

    Security researchers have disclosed a vulnerability in OpenAI’s ChatGPT Atlas browser that can let attackers inject persistent, hidden instructions into the assistant’s memory and trigger arbitrary code execution. LayerX Security reported the flaw after demonstrating how a cross-site request forgery exploit can write attacker-supplied instructions into ChatGPT memory. Those instructions can survive across devices and sessions and execute when a user later interacts with the assistant.

    LayerX co-founder and CEO Or Eshed described the threat as capable of infecting systems with malicious code, elevating attacker privileges, or deploying malware. Michelle Levy, head of security research at LayerX, said their tests showed that once memory was tainted, normal user prompts sometimes triggered code fetches, privilege escalations, or data exfiltration without obvious safeguards activating.

    The problem hinges on two features. First, memory, introduced by OpenAI in February 2024, is meant to persist helpful user details between chats so responses feel more personalized. Second, the Atlas browser’s current defenses against phishing and web-based attacks appear weaker than those of established browsers, which makes it easier for an authenticated user to be tricked into a harmful action. LayerX’s testing against more than 100 real-world web threats found that Edge blocked 53 percent, Chrome blocked 47 percent, and Dia blocked 46 percent. In comparison, Perplexit’s Comet and ChatGPT Atlas blocked only 7 percent and 5.8 percent respectively.

    The attack scenario LayerX demonstrated follows a simple chain. A logged-in user is socially engineered into visiting a malicious page. That page issues a CSRF call that writes hidden instructions into ChatGPT’s persistent memory. Later, when the user asks ChatGPT to assist with a legitimate task, the assistant consults the tainted memory and may act on the hidden instructions. LayerX withheld some low-level details while sharing proof-of-concept behavior with reporters.

    The implications extend beyond single sessions. Because the poisoned memory can travel with the user profile, any device where that profile is active may inherit the compromise. This creates opportunities for attackers to contaminate development workflows or automated tasks by slipping commands into code suggestions or prompt templates. NeuralTrust and others have already shown how prompt injection and malicious URLs can break an agent’s expected behavior; the Atlas memory flaw adds a lasting persistence vector.

    Enterprises that rely on AI agents integrated into browser workflows should treat this class of issue as an operational risk. Developers and security teams can take several practical steps. Turn off persistent memory for high-risk accounts or for users who handle sensitive code and data. Limit ChatGPT access to segmented accounts that do not carry privileged credentials. Add monitoring for unexpected outbound code fetches and unusual command patterns originating from AI-assisted requests. Apply stricter phishing defenses, use browser isolation for AI browsing sessions, and require re-authentication for memory writes or other sensitive actions.

    OpenAI and security vendors have both been notified of the findings. LayerX called out Atlas’s relative lack of anti-phishing protections as a major factor that increases exposure compared with mainstream browsers. Until browser vendors and AI platform operators add explicit controls to protect persistent memory, users should assume that any feature that stores instructions across sessions can be abused and should be treated with caution.

    Security teams, product owners, and developers who integrate agentic browsers into workflows must evaluate how persistent memory is used and whether that usage can be hardened. Small configuration changes and stricter access controls can reduce immediate exposure, while longer term fixes will require design changes that separate stored user preferences from executable instructions and that prevent remote sources from silently modifying memory.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Why SMBs Can’t Afford to Ignore the Growing Threat of Initial Access Brokers

    Why SMBs Can’t Afford to Ignore the Growing Threat of Initial Access Brokers

    Initial Access Brokers (IABs) have become a cornerstone of the modern cybercrime economy. Instead of carrying out attacks themselves, these actors specialize in breaking into corporate networks and then selling that access to other criminals. By outsourcing the hardest part of the intrusion, getting inside, they allow ransomware operators, data thieves, and other malicious groups to move straight to exploitation. This division of labor lowers risk for IABs while fueling the speed and scale of attacks across industries.

    Why IABs Are Rising

    The growth of Ransomware-as-a-Service (RaaS) has created a perfect market for IABs. Affiliates can launch attacks almost immediately once they purchase valid access, cutting down the time it takes to deploy ransomware. In many cases, IABs now work directly with RaaS affiliates rather than advertising on dark web forums, which reduces visibility to law enforcement. This tighter collaboration benefits both sides: ransomware operators scale their operations more quickly, and IABs secure steady demand for their services.

    Shifting Targets

    The targeting patterns of IABs show how flexible and opportunistic this market has become. In 2023, business services dominated the victim pool, accounting for nearly a third of all observed compromises. By 2024, that dominance shrank to about 13 percent as brokers broadened their focus. Industries across the board are now at risk, with the United States continuing to be the top target due to its economic weight, followed by Brazil and France. The trend indicates that smaller and mid-sized organizations are no longer overlooked; they are now prime targets thanks to the volume-based sales strategy of IABs.

    The Economics of Access

    Pricing illustrates the strategic change. In 2023, access listings ranged from $500 to $3,000, with an average of around $1,979 but a median closer to $1,000. By 2024, most listings, roughly 58 percent, fell under $1,000. Only a small fraction (7 percent) were high-value sales, though those skewed the overall average upward to about $2,047. The drop in price for most access points signals a pivot toward selling more accounts in bulk, trading individual high-ticket sales for volume. The result is that cybercriminals can launch more attacks for less, increasing both the number of victims and the potential damage.

    What’s Next

    IABs are expected to remain a key player in cybercrime. Their ability to provide pre-packaged access lowers barriers for less skilled attackers and accelerates timelines for ransomware groups. With prices trending downward and more industries falling into scope, the threat surface is expanding quickly.

    Organizations that once assumed they were too small or too obscure to be targeted should reconsider that assumption. As access becomes cheaper and more plentiful, even modest businesses are at greater risk.

    What SOC Teams Need to Know

    Security teams should treat IAB-driven intrusions as a high-likelihood precursor to ransomware. Early detection of credential misuse, unusual remote access activity, and privilege escalation attempts is critical. SOC analysts should focus on:

    • Monitoring for abnormal VPN, RDP, and Citrix activity, particularly logins from unexpected geographies or at odd times.
    • Expanding visibility into cloud and SaaS platforms, since stolen access is often resold for these environments.
    • Using threat intelligence to track IAB offerings, which often surface on closed forums before access is sold to ransomware affiliates.
    • Ensuring credential hygiene, MFA enforcement, and rapid offboarding of stale accounts to shrink the attack surface available to brokers.

    By aligning detection and response efforts around the tactics IABs use, SOC teams can catch compromises earlier in the kill chain, before ransomware or data theft occurs.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Why SNMPv1 and v2c Put Your Network at Risk (and Why You Should Upgrade)

    Why SNMPv1 and v2c Put Your Network at Risk (and Why You Should Upgrade)

    The Simple Network Management Protocol (SNMP) has long been the backbone of network monitoring. Routers, switches, servers, and even printers rely on SNMP to relay information about performance, status, and availability to a central monitoring system. This setup makes life easier for administrators, allowing for automated discovery, mapping, and alerts across the network.

    However, the protocol was designed in a time when perimeter defenses were considered sufficient. That assumption no longer holds true. Today, SNMP, particularly in its earlier versions, is a potential entry point for attackers. Understanding the weaknesses of SNMP, how it can be exploited, and what steps can be taken to mitigate risk is essential for modern network security.

    How SNMP Works and Where the Risks Begin

    SNMP relies on an agent embedded in each device and a manager that issues requests. The manager sends Get requests that contain a community string, which serves as an identifier or password. These requests allow the agent to pull data from the device and send it back to the manager for monitoring.

    The problem arises because in SNMPv1 and SNMPv2c, community strings are transmitted in plain text. Attackers can intercept them with a packet sniffer, steal credentials, and then either eavesdrop or make unauthorized changes to devices. From there, they can escalate into denial-of-service attacks or even command injection on vulnerable systems.

    Versions of SNMP: Strengths and Weaknesses

    • SNMPv1: The original version, simple to deploy but protected only by a community string that is visible in plain text.
    • SNMPv2c: Added 64-bit counters and improved error handling but still left community strings exposed without encryption.
    • SNMPv3: Introduced authentication, encryption, and better access control. This version significantly improves security, although it is more complex to configure and maintain.

    Documented Vulnerabilities and Exploits

    The risks of older SNMP versions are well documented in the CVE database. A few examples include:

    • CVE-2002-0012 and CVE-2002-0013: Exploitable flaws in SNMPv1 that allow attackers to flood targets with requests, leading to denial-of-service or privilege escalation.
    • Command Injection Attacks: Certain GE Industrial Solutions UPS adapters and older Symantec Web Gateway versions with outdated firmware allow remote command execution through SNMP-enabled services.

    Even SNMPv3 has known issues. Researchers have demonstrated that its discovery mechanism can be manipulated to weaken encryption and authentication if not properly configured.

    How Attackers Exploit SNMP

    Attackers often scan for SNMP services, particularly on UDP ports 161 and 162. Tools like Nmap can brute-force community strings and quickly identify weakly configured devices. Once inside, attackers can flood networks with requests, change configurations, or passively intercept communications to extract sensitive information.

    Best Practices to Secure SNMP

    Securing SNMP does not mean abandoning it. It means configuring it carefully and minimizing exposure. Some best practices include:

    1. Disable SNMP on hosts where it is not required.
    2. Replace default community strings like “public” and “private” with strong, unique values.
    3. Restrict access using Access Control Lists (ACLs).
    4. Block or monitor ports 161 and 162 at the firewall.
    5. Use read-only mode whenever possible.
    6. Regularly update firmware and software.
    7. Adopt SNMPv3 and configure it with encryption and authentication.
    8. Avoid using NoAuthNoPriv mode, which does not encrypt transmissions.
    9. Limit access to specific OIDs and performance data using SNMP views.

    Are SNMP Vulnerabilities Still a Threat?

    Yes. Even though ransomware and phishing dominate the headlines, SNMP misconfigurations can still lead to serious data leaks or costly downtime. Attackers continue to exploit legacy systems and overlooked services. Given that downtime can cost thousands of dollars per minute, it is risky to ignore SNMP security.

    Conclusion: Choose SNMPv3, Harden Configurations

    SNMP remains an indispensable tool for administrators. Versions 1 and 2c are outdated and insecure, and should no longer be used. SNMPv3 is the most secure option available, but it requires careful setup. With proper configuration, authentication, and encryption, organizations can significantly reduce the risk of SNMP-based attacks while still benefiting from its monitoring capabilities.

    How Netizen Can Help

    Netizen specializes in helping organizations address vulnerabilities like those found in SNMP environments. Our team performs detailed security assessments and pre-assessments to identify gaps in network security configurations and highlight misconfigurations before attackers exploit them. By aligning your SNMP setup with industry best practices, we help you reduce the risk of downtime, unauthorized access, and data exposure.

    Netizen is a Service-Disabled Veteran-Owned Small Business with ISO 27001, ISO 20000-1, ISO 9001, and CMMI Level III certifications. We operate a 24×7 Security Operations Center and provide advisory services to organizations across defense, government, and commercial sectors. If your business relies on network monitoring tools, our experts can help ensure they are properly secured, updated, and configured to withstand today’s threats.

    Looking to strengthen your defenses and prevent overlooked vulnerabilities from becoming serious problems? Start the conversation with Netizen today.

  • Building Strong Compliance Management Systems with ISO 37301

    Building Strong Compliance Management Systems with ISO 37301

    ISO 37301 is an international Type A management system standard that sets requirements and provides guidance for establishing, implementing, and improving a compliance management system (CMS). A CMS gives organizations a structured approach to meeting both mandatory obligations such as laws, regulations, and licenses, as well as voluntary commitments including internal policies, codes of conduct, and industry standards.

    The standard applies to organizations of all sizes and sectors. It is built on principles of integrity, good governance, transparency, accountability, proportionality, and sustainability. Since ISO 37301 follows the ISO High-Level Structure (HLS), it can operate as a standalone framework or integrate smoothly with other standards such as ISO 27001 for information security or ISO 9001 for quality management.

    How It Differs from ISO 19600

    In 2014, ISO released ISO 19600, a guideline for compliance management systems. ISO 37301 builds on that foundation by adding the option of third-party certification. This makes compliance efforts auditable and verifiable, providing stronger credibility. Organizations that previously followed ISO 19600 already have a head start toward alignment with ISO 37301.

    Why It Matters for Organizations

    Adhering to compliance obligations is no longer a choice but a necessity for organizations that want sustainable growth and resilience. ISO 37301 equips leadership with policies, processes, and controls that help detect, prevent, and respond to noncompliance. By adopting it, organizations demonstrate diligence to regulators and business partners, protect their reputation, and reduce exposure to legal and financial penalties.

    Key Features

    ISO 37301 emphasizes leadership commitment, requiring governing bodies and executives to set the tone for compliance through clear policies, resource allocation, and visible support. It is risk-based, meaning organizations must identify and manage compliance risks as part of normal business planning. The standard also requires competence and awareness at all levels so that compliance is not just a function of policy but part of organizational culture. Continuous evaluation and improvement are built in, ensuring the CMS evolves as regulations and operations change.

    Training and Certification

    Individuals can pursue training to strengthen their role in compliance management. Options include foundation courses for entry-level staff, lead implementer training for professionals responsible for designing and rolling out a CMS, and lead auditor training for those conducting independent assessments. Specialized courses also exist for those transitioning from ISO 19600 or seeking introductory knowledge.

    Benefits of Implementation

    Organizations adopting ISO 37301 gain the ability to undergo independent certification, build a compliance culture that demonstrates accountability, and strengthen relationships with regulators and partners. They are better positioned to prevent legal violations, protect customer trust, and maintain long-term sustainability. By documenting compliance policies and ensuring staff understand their roles, organizations create a strong framework that can withstand scrutiny and adapt to change.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Turning Human Error Into Human Defense

    Turning Human Error Into Human Defense

    Phishing remains the single most persistent attack vector in cybersecurity. Despite two decades of progress in technical defenses, attackers continue to bypass firewalls, endpoint protections, and advanced monitoring tools by exploiting the one constant across every organization: people.

    Recent research, including Verizon’s Data Breach Investigations Report, shows that roughly 60% of breaches involve human factors such as clicking a malicious link or opening an infected attachment. Add to this another 20% to 30% linked to credential reuse, and the picture becomes clear: the vast majority of intrusions succeed because of human behavior, not because of unpatched software alone.

    The Human Element at the Core of Cyber Risk

    Phishing is no longer confined to crude “Nigerian prince” scams. Threat actors today are highly skilled at exploiting trust, urgency, and authority. Especially with the advent of AI, their lures are hyper-personalized, drawing on data scraped from social media, corporate directories, or past breaches. They extend far beyond email, with SMS-based smishing and phone-based vishing becoming increasingly common. Attackers also time campaigns to coincide with global events, financial anxieties, or even corporate announcements, amplifying the chances of success.

    At the higher end of the spectrum, Business Email Compromise (BEC) attacks now use detailed impersonation of executives, vendors, or partners. These schemes often bypass technical controls because they appear entirely legitimate until the financial loss is already complete.

    Industry-Specific Exposure

    Attackers adjust their tactics depending on the industry. In healthcare and education, the combination of diverse users and high-pressure environments makes organizations particularly prone to mistakes. In finance and professional services, attackers mimic legitimate client requests to trigger unauthorized fund transfers. In critical infrastructure and manufacturing, phishing campaigns are tailored to disrupt operations or steal valuable intellectual property.

    No sector is immune, but industries with high-value data or complex supply chains present especially tempting targets.

    Building a Human-Centric Defense

    Addressing human risk does not mean blaming employees. Instead, it requires creating conditions that make secure behavior easier and second nature. Organizations can build resilience through:

    • Security awareness training that is frequent, relevant, and interactive. Outdated annual training must be replaced by micro-learning, simulations, and role-specific content that evolves alongside threat tactics.
    • Phishing simulations that provide real-world practice. These tests should be designed as educational opportunities, giving immediate feedback rather than punishing mistakes.
    • Encouraging reporting by building a culture where employees feel comfortable flagging suspicious emails or messages without fear of retribution. Every reported phishing attempt is one less chance for attackers to succeed.
    • Layered technical defenses including AI-driven email security, multifactor authentication, zero trust architectures, password managers, and web filtering. While people remain the target, these technologies act as critical safeguards when mistakes happen.
    • Visible leadership support where executives not only mandate security initiatives but also model good behavior and reinforce that cybersecurity is a business priority, not just an IT concern.

    From Weakness to Strength

    A strong security culture depends on both people and technology working together, and that is where Netizen can help. Our team specializes in building environments where employees are supported by clear policies, meaningful training, and advanced monitoring solutions that reduce the chances of human mistakes becoming costly breaches.

    From our 24x7x365 Security Operations Center to services like CISO-as-a-Service, penetration testing, and compliance support, Netizen provides organizations with the tools, expertise, and guidance to make people part of the defense, not the weakness. For agencies and businesses in highly regulated industries, we bring proven experience in strengthening resilience and aligning with frameworks that emphasize human factors as much as technical safeguards.

    Your employees are already your first line of defense, Netizen helps ensure they are also your strongest. Start the conversation with us today and see how we can help turn your human error into human defense.

  • Netizen: Monday Security Brief (10/20/2025)

    Netizen: Monday Security Brief (10/20/2025)

    Today’s Topics:

    • CISA Flags Five New Actively Exploited Vulnerabilities Across Oracle, Microsoft, and More
    • Microsoft Halts Rhysida Ransomware Campaign Exploiting Azure Certificates
    • How can Netizen help?

    CISA Flags Five New Actively Exploited Vulnerabilities Across Oracle, Microsoft, and More

    The Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that attackers are targeting unpatched systems from Oracle, Microsoft, and other vendors.

    One of the most significant flaws is CVE-2025-61884 (CVSS 7.5), a server-side request forgery (SSRF) issue found in the Runtime component of Oracle E-Business Suite (EBS). The bug allows unauthenticated remote attackers to access sensitive data through crafted network requests. It follows the discovery of another serious Oracle EBS vulnerability, CVE-2025-61882 (CVSS 9.8), which enabled arbitrary code execution on exposed systems. Both flaws have been linked to real-world exploitation campaigns impacting dozens of organizations, with some activity tentatively associated with Cl0p-related extortion groups.

    CISA also added four other vulnerabilities to the catalog. CVE-2025-33073 (CVSS 8.8) affects the Microsoft Windows SMB Client and allows privilege escalation through improper access control. Microsoft addressed the flaw in its June 2025 patch release.

    Two vulnerabilities in Kentico Xperience CMS, CVE-2025-2746 and CVE-2025-2747 (both CVSS 9.8), involve authentication bypasses in the Staging Sync Server component that mishandled password validation for certain configurations. These issues were corrected in updates released in March 2025.

    The final entry, CVE-2022-48503 (CVSS 8.8), is an older flaw in Apple’s JavaScriptCore engine that could lead to arbitrary code execution through malicious web content. Apple fixed it in 2022, but it has resurfaced in active exploitation reports.

    CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by November 10, 2025, to safeguard networks against known threats. Although the agency confirmed exploitation for the Oracle EBS bug, it noted that details of attacks involving the other four remain limited.

    Microsoft Halts Rhysida Ransomware Campaign Exploiting Azure Certificates

    Microsoft has shut down an ongoing Rhysida ransomware operation that relied on fake Microsoft Teams installers digitally signed with stolen or misused Azure certificates. The company confirmed that it has revoked more than 200 compromised code-signing certificates that attackers used to make malicious files appear legitimate.

    In a post on X, Microsoft Threat Intelligence reported that a cybercriminal group known as Vanilla Tempest, also tracked as Vice Society, was behind the campaign. The attackers distributed fraudulent Teams setup files signed through Azure’s Trusted Signing service to deliver a custom backdoor called Oyster, which later deployed the Rhysida ransomware payload.

    Vanilla Tempest is known for targeting schools, hospitals, and other public sector organizations. In this campaign, the group used domains resembling legitimate Microsoft services, such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top, to trick users into downloading malicious installers. These fake sites were reportedly promoted using SEO poisoning, pushing them higher in search results for unsuspecting victims.

    When users executed the bogus MSTeamsSetup.exe, it ran a downloader instead of the real collaboration tool. This downloader installed the Oyster backdoor, which Microsoft said has been in circulation since at least June. While Vanilla Tempest has used multiple ransomware strains in the past, including BlackCat (ALPHV), the group appears to have shifted its focus primarily to Rhysida.

    The attackers didn’t rely solely on Microsoft’s infrastructure. They also obtained code-signing certificates from SSL.com, DigiCert, and GlobalSign to authenticate their fake binaries. Signed malware poses a particular challenge for defenders, since many security systems inherently trust executables with valid digital signatures.

    It remains unclear how the threat actors gained access to Azure’s Trusted Signing service. The platform allows verified developers with a Microsoft Entra tenant ID and an Azure subscription to sign their applications, with current availability limited to U.S. and European regions. Documentation for the service notes that only organizations with at least three years of verifiable operational history are eligible.

    In response to the campaign, Microsoft revoked all known certificates linked to the malicious activity. The company declined to provide further comment beyond its public statement.

    DigiCert and GlobalSign, both named in Microsoft’s report, said they had not been asked to revoke any certificates related to the incident but were monitoring for misuse. GlobalSign CISO Arvid Vermote noted that the company investigates all reports of certificate abuse and revokes compromised credentials when verified, while DigiCert stated that it would act immediately upon receipt of credible intelligence.

    The incident highlights how attackers continue to exploit digital trust mechanisms to bypass enterprise defenses. Code-signing certificates, once intended to guarantee software authenticity, are increasingly being repurposed as tools for deception, allowing malicious software to masquerade as legitimate applications until its true purpose becomes clear.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Understanding ISO 20000-1: The Standard for IT Service Management

    Understanding ISO 20000-1: The Standard for IT Service Management

    Organizations depend on IT services to keep their operations running, and as these environments expand across cloud, on-premises, and hybrid platforms, the complexity of managing them has increased. ISO/IEC 20000-1 provides a structured framework for IT Service Management (ITSM) that allows organizations to deliver consistent, high-quality IT services while staying aligned with business priorities.

    What is ISO 20000-1?

    ISO/IEC 20000-1 is the international standard for IT Service Management Systems. It was first introduced in 2005 and has gone through revisions in 2011 and 2018 to keep up with modern practices. The standard defines how an organization can establish, implement, maintain, and continually improve an IT Service Management System, making it possible to demonstrate maturity in service delivery through certification.

    The standard has close ties to ITIL, which many organizations already use as a framework for service management best practices. The difference is that ISO 20000-1 is an auditable and certifiable standard, giving organizations the ability to formally prove their capabilities to customers, regulators, and partners. It addresses all areas of service management, from governance and accountability, to planning and designing services, to managing incidents, changes, and continuity. It also requires organizations to measure performance, conduct evaluations, and continuously improve service delivery.

    Why ISO 20000-1 Matters

    For IT service providers, ISO 20000-1 certification is a mark of credibility that is often required in government, defense, and other regulated sectors. For internal IT departments, it signals that operations are reliable and designed to meet business needs. Beyond compliance, the framework helps organizations improve the quality of their services. Consistency is gained by moving away from ad-hoc practices. Service reliability is strengthened through structured incident and problem management processes. Cost efficiency improves when resources are better utilized under well-defined workflows. Most importantly, the certification builds trust with customers who expect IT services to meet strict performance and availability requirements.

    How Certification Works

    The path to certification begins with defining the scope of the services that will be covered under the Service Management System. Organizations then put processes in place that meet the requirements of ISO 20000-1. Internal audits are carried out to assess readiness, followed by an external audit performed by an accredited certification body. Certification is valid for three years, but organizations must go through surveillance audits each year to confirm compliance, as well as a full recertification at the end of the cycle.

    ISO 20000-1 in Modern IT Operations

    As IT continues to shift toward cloud, DevOps, and hybrid approaches, ISO 20000-1 has remained relevant by adapting its structure. The 2018 revision adopted the Annex SL framework that is common across ISO standards, which makes it easier to integrate with others such as ISO 27001 for information security, ISO 22301 for business continuity, and ISO 9001 for quality management. This alignment means ISO 20000-1 can serve as a foundation for organizations adopting Zero Trust architectures or digital transformation initiatives. By applying ISO 20000-1, businesses can demonstrate that their IT services are reliable, efficient, and prepared for growth.

    Relationship with ISO 27001

    ISO 20000-1 and ISO 27001 often work together in practice. While ISO 20000-1 focuses on the quality and consistency of IT services, ISO 27001 ensures the security of information handled by those services. For example, change management under ISO 20000-1 keeps systems stable when updates are made, while ISO 27001 adds the requirement that changes meet security standards. Service continuity planning under ISO 20000-1 ensures that operations can recover from disruptions, while ISO 27001 guarantees that sensitive data remains protected during recovery.

    Why Organizations Adopt ISO 20000-1

    Companies pursue ISO 20000-1 certification for many reasons. Managed service providers see it as a way to stand out in competitive markets and often find that certification is a prerequisite for winning contracts. Internal IT teams use the standard to reduce risk, improve efficiency, and show executives that IT supports the business effectively. Organizations that already use ITIL often move to ISO 20000-1 to formalize those practices and gain the external validation that comes with certification.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • TikTok’s U.S. Deal: Less Data in Beijing, Same Risks for Enterprises

    TikTok’s U.S. Deal: Less Data in Beijing, Same Risks for Enterprises

    Negotiations over TikTok’s future in the United States are moving forward, but for CISOs and enterprise security teams, the risks tied to the platform remain stubbornly familiar. Even if ownership shifts to a U.S.-controlled entity, TikTok’s appetite for data and influence over user behavior will keep it high on the watchlist.

    Why the Deal Matters

    TikTok’s parent company, ByteDance, is subject to Chinese national security laws that can compel access to user data—a fact that has fueled years of concern in Washington, Brussels, and Ottawa. The proposed solution is the creation of a new U.S.-based entity where American investors hold an 80% stake. Oracle would manage TikTok’s U.S. data from Texas, joined by backers Andreessen Horowitz and Silver Lake. A majority U.S. board, including a government-appointed director, would oversee the operation.

    This arrangement addresses the most obvious issue: the possibility of direct state access from Beijing. But security professionals caution that restructuring on paper is not the same as securing the platform in practice.

    What Regulators Already Know

    Global regulators have already taken action against TikTok, making clear that concerns about its practices are not confined to the United States. The Irish Data Protection Commission fined the company €530 million for GDPR violations. The European Commission and Council of the EU banned TikTok from government devices, citing security fears. Canada went further, ordering a nationwide ban on government devices and directing the platform’s Canadian subsidiary to be shuttered.

    The message is consistent: reshuffling ownership does not erase the risks embedded in TikTok’s design.

    Data Controls vs. Reality

    For many experts, the question isn’t where TikTok stores its data, it’s how much data the platform continues to collect. Adam Marrè, CISO at Arctic Wolf, notes that while a U.S. ownership structure would reduce the likelihood of direct Chinese government access, it doesn’t change the fact that TikTok is built to harvest massive amounts of user information. “Ownership and geography alone are not enough to make a platform safe,” he says. “Transparency, accountability, and oversight matter just as much.”

    That point is echoed by Lily Li, founder of Metaverse Law, who highlights the need for operational safeguards. Storing U.S. data in Oracle facilities may shield it from Chinese security laws, but, she argues, it won’t prevent insider risk unless controls are strict. “To prevent enterprise data leaks or espionage, administrative access and encryption keys must remain in the hands of U.S.-based personnel who are accountable to U.S. management,” Li says.

    Together, their perspectives emphasize that even with new ownership, the data TikTok collects, and who can access it, remains a live concern for enterprises.

    The Algorithm Problem

    Infrastructure is only one layer of the challenge. At the heart of TikTok’s influence is its recommendation engine, which will reportedly remain licensed from ByteDance for the U.S. market. Algorithms determine what users see, how narratives spread, and where public attention shifts. Without visibility into how those algorithms function, experts warn that the risks of hidden data collection and influence operations persist.

    Marrè frames this as a behavioral problem as much as a privacy one. “Security isn’t just about where the data sits,” he explains. “It’s about how the platform shapes behavior and influences users.”

    Satish Swargam, principal security consultant at Black Duck, takes the concern further. He warns that any non-U.S.-based software artifacts tied to TikTok’s algorithm need to be examined in depth. “There is potential for non-U.S.-based algorithms to extract data and fuel influence campaigns,” he says. “The TikTok deal calls for tighter security controls, comprehensive artifact analysis, and a deep-dive threat model.”

    What Enterprises Should Focus On

    Whether or not the restructuring closes, CISOs should continue treating TikTok as a high-risk application. At a minimum, that means:

    • Policy Enforcement: Restrict or prohibit TikTok use on corporate-owned devices and networks.
    • Awareness Training: Educate staff about the risks of oversharing, especially around geolocation and activity tracking.
    • Monitoring and Detection: Watch for data leakage through the TikTok pixel or other trackers embedded in business systems.
    • Sector-Specific Controls: For defense, healthcare, and government contractors, bans should remain firm given the sensitivity of the data involved.

    The Bottom Line

    The TikTok restructuring plan would change who manages U.S. data, but it does little to address the broader enterprise risks of social engineering, insider abuse, and algorithm-driven influence. As Marrè, Li, and Swargam all stress in different ways, the challenge is not just data sovereignty, it’s how TikTok’s infrastructure, code, and design continue to create openings for risk.

    For security teams, that means the burden does not disappear with new ownership. TikTok will remain a security concern, no matter whose name is on the servers.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.