• Understanding Zero Trust Network Access (ZTNA) for Modern Security

    Zero Trust Network Access (ZTNA) is rapidly becoming a foundational security model for modern organizations, especially as hybrid work, cloud adoption, and increasingly sophisticated cyberthreats redefine the perimeter of enterprise IT.

    Unlike traditional models that grant broad network access once a user is authenticated, ZTNA enforces continuous verification for every access request, regardless of whether a user is inside or outside the network. Access is granted based on context such as user identity, device posture, location, and risk profile. The goal is simple: never trust by default.


    Why ZTNA Replaces Legacy Perimeter-Based Security

    Traditional network security hinges on a binary trust model: entities inside the network are trusted, and those outside are not. This approach has become ineffective in the face of cloud computing, remote work, and a distributed workforce. Once inside the network, attackers can often move laterally with minimal resistance. ZTNA is designed to eliminate this risk.

    By shifting to an identity-centric, least-privilege access model, ZTNA makes it more difficult for attackers to exploit user credentials, pivot across systems, or exfiltrate data.


    Core Principles Behind ZTNA

    ZTNA is built around three main principles:

    • Verify explicitly: Authenticate and authorize based on all available data points, including user identity, device health, location, and behavior.
    • Enforce least-privilege access: Limit user access to only the applications or data required for their role.
    • Assume breach: Operate under the premise that your environment is already compromised, and minimize impact by restricting access at every layer.

    These principles are enforced using a combination of modern technologies like identity and access management (IAM), micro-segmentation, and endpoint posture assessments.


    How ZTNA Works: Key Mechanics

    ZTNA enforces secure access through continuous, adaptive control mechanisms:

    Identity Verification and Device Posture

    Access requests begin with verifying who the user is and assessing the state of their device. Multi-factor authentication is common, but device health checks—such as verifying OS patches or the presence of endpoint protection—are equally critical.

    Micro-Segmentation

    Rather than trusting an entire VLAN or subnet, ZTNA divides the network into isolated segments. Access to each segment is tightly controlled, limiting the blast radius of any potential compromise.

    Application-Level Access

    Users are granted access to individual applications, not the full network. This ensures attackers can’t scan for additional resources or discover sensitive internal systems.

    Continuous Risk Evaluation

    ZTNA solutions monitor behavior during the session. If unusual behavior is detected, such as a login from a foreign country or a rapid access pattern, ZTNA can trigger reauthentication or revoke access.
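    The four mechanics above can be expressed as one policy decision point. The following Python is an added illustration, not code from the original article or any product it mentions; the entitlement table, OS build threshold, risk weights and the `rapid_access` signal name are constructed assumptions.

```python
from dataclasses import dataclass, field

# Role -> applications that role may reach (constructed sample entitlements).
# Access is granted per application, never to "the network".
ENTITLEMENTS = {
    "hr": {"hr-portal", "payroll"},
    "engineer": {"git", "ci", "wiki"},
}
MIN_OS_BUILD = 22000   # assumed minimum patched OS build for a healthy device
RISK_STEP_UP = 40      # score at which the user must re-authenticate (MFA)
RISK_DENY = 70         # score at which the session is revoked


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    os_build: int
    edr_running: bool
    country: str
    app: str
    home_country: str = "US"
    signals: list = field(default_factory=list)  # observations made mid-session


def device_healthy(req: AccessRequest) -> bool:
    """Device posture: patched OS and endpoint protection present."""
    return req.os_build >= MIN_OS_BUILD and req.edr_running


def risk_score(req: AccessRequest) -> int:
    """Context risk; grows as mid-session signals accumulate."""
    score = 0
    if req.country != req.home_country:
        score += 30                       # login from an unusual country
    score += 30 * req.signals.count("rapid_access")  # assumed signal name
    return score


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (re-authenticate) or 'deny'.

    The same function runs for the initial request and again every time a
    new session signal arrives, which is what continuous verification means
    in practice: no decision is cached for the life of the session."""
    if not req.mfa_verified:              # verify explicitly
        return "deny"
    if not device_healthy(req):           # device posture gate
        return "deny"
    if req.app not in ENTITLEMENTS.get(req.role, set()):  # least privilege
        return "deny"
    score = risk_score(req)               # continuous risk evaluation
    if score >= RISK_DENY:
        return "deny"
    if score >= RISK_STEP_UP:
        return "step_up"
    return "allow"


def observe(req: AccessRequest, signal: str) -> str:
    """Record a session-time signal and re-run the decision for that session."""
    req.signals.append(signal)
    return decide(req)


if __name__ == "__main__":
    session = AccessRequest("alice", "engineer", True, 22621, True, "DE", "git")
    print(decide(session))                   # allow   (foreign login alone is below threshold)
    print(observe(session, "rapid_access"))  # step_up (risk crossed the re-auth line)
    print(observe(session, "rapid_access"))  # deny    (risk crossed the revoke line)
```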


    Key Benefits of ZTNA

    Adopting a Zero Trust Network Access model brings significant security and operational advantages:

    • Reduced attack surface: Resources are invisible to unauthorized users, lowering the chance of discovery or brute-force attacks.
    • Minimized lateral movement: Attackers are contained within the limited environment they gain access to, significantly reducing breach impact.
    • Improved compliance: Role-based access controls and detailed audit logs make it easier to meet regulations like HIPAA, GDPR, or PCI-DSS.
    • Elimination of VPN complexity: ZTNA offers secure remote access without requiring full tunnel VPNs, simplifying user experience and reducing latency.
    • Adaptive security: Continuous verification means ZTNA reacts in real time to changes in risk posture or environmental context.

    ZTNA vs. VPNs and Legacy Models

    Virtual Private Networks (VPNs) offer encrypted tunnels to a trusted network, but once users connect, they often have excessive access. ZTNA replaces this with granular access to only approved applications. VPNs are also difficult to scale and manage, while ZTNA solutions can be deployed with more agility, especially in cloud-native environments.


    ZTNA and SASE: A Modern Partnership

    Secure Access Service Edge (SASE) integrates networking and security into a cloud-native framework. ZTNA is a critical component of SASE, providing the access control portion of the model.

    While SASE handles broader functions such as secure web gateways, firewall-as-a-service, and cloud access security brokers, ZTNA ensures that only authorized users gain application-level access. Together, they offer end-to-end protection and are particularly useful for organizations managing multi-cloud deployments and globally distributed workforces.


    Final Thoughts

    Zero Trust Network Access is no longer optional for modern enterprises. As cyberattacks become more sophisticated and traditional perimeters fade, ZTNA offers a scalable, identity-driven approach to securing access—without hindering productivity. By adopting ZTNA, organizations can move toward a future where trust is earned, risk is minimized, and secure access becomes the default.

    If your organization is considering moving toward Zero Trust or integrating ZTNA into your existing architecture, starting with a proper assessment of your current access model is a critical first step.


    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • Netizen: Monday Security Brief (8/18/2024)

    Today’s Topics:

    • New “Win-DDoS” Technique Exploits Windows Domain Controllers for Massive DDoS Attacks
    • Attackers Target the Foundations of Crypto: Smart Contracts Under Threat
    • How can Netizen help?

    New “Win-DDoS” Technique Exploits Windows Domain Controllers for Massive DDoS Attacks

    SafeBreach researchers have detailed a new attack method, dubbed Win-DDoS, that allows threat actors to conscript thousands of public-facing Windows Domain Controllers (DCs) into a powerful DDoS botnet without deploying malware or compromising endpoints. The technique, presented at DEF CON 33, abuses flaws in Windows LDAP client code and RPC behavior to redirect LDAP referrals toward a victim server, overwhelming it with traffic.

    The attack leverages the Connectionless LDAP (CLDAP) and LDAP referral mechanism:

    1. An attacker sends an RPC call to a public DC, causing it to act as a CLDAP client.
    2. The DC contacts the attacker’s CLDAP server, which responds with a referral to the attacker’s LDAP server.
    3. The LDAP server sends a list of referral URLs pointing to a single victim IP and port.
    4. The DC repeatedly queries the victim server, creating sustained, high-bandwidth traffic.

    This approach is infrastructure-free for the attacker, requires no code execution or authentication, and leaves minimal forensic traces.

    SafeBreach also introduced TorpeDoS, an RPC-based denial-of-service technique that magnifies the efficiency of a single attacker’s RPC calls to the point where one host can cause an impact comparable to a distributed botnet.

    The research uncovered four denial-of-service vulnerabilities impacting core Windows services:

    • CVE-2025-26673 (CVSS 7.5) – LDAP uncontrolled resource consumption; unauthenticated DoS (patched May 2025).
    • CVE-2025-32724 (CVSS 7.5) – LSASS uncontrolled resource consumption; unauthenticated DoS (patched June 2025).
    • CVE-2025-49716 (CVSS 7.5) – Netlogon uncontrolled resource consumption; unauthenticated DoS (patched July 2025).
    • CVE-2025-49722 (CVSS 5.7) – Print Spooler uncontrolled resource consumption; authenticated adjacent-network DoS (patched July 2025).

    These zero-click, unauthenticated flaws can crash domain controllers and other Windows systems remotely if exposed, posing a threat to both public and internal infrastructure.

    The findings challenge traditional enterprise threat models by showing that:

    • Internal systems can be abused without full compromise.
    • DoS risks extend beyond public-facing services.
    • Large-scale DDoS potential exists without a typical botnet build-out.

    SafeBreach warns that unpatched systems and exposed Domain Controllers significantly increase the risk of both network disruption and targeted outages.


    Attackers Target the Foundations of Crypto: Smart Contracts Under Threat

    Cybercriminals are increasingly turning their attention to smart contracts, the self-executing programs that power decentralized finance (DeFi) and other blockchain-based applications. They not only exploit vulnerabilities in poorly written code but also craft malicious contracts designed to deceive victims and drain cryptocurrency wallets.

    A recent scam analyzed by SentinelOne involved a fraudulent Solidity-based smart contract promoted through YouTube tutorials and similar channels. Victims were told they could profit from automated trading arbitrage bots that exploit minor cryptocurrency price differences for maximal extractable value (MEV). In reality, the contract contained obfuscated transfer functions that siphoned funds to an attacker-controlled externally owned account (EOA).

    In one high-profile incident, a single malicious contract drained roughly 244.9 ETH, about $935,000, from victims. Smaller but still significant thefts included a $28,000 Ethereum wallet and another worth $15,000.

    Data from SolidityScan, a CredShields project, shows that since 2020 over $14 billion has been stolen via blockchain manipulation and cryptocurrency fraud. More than 55% of these losses were due to vulnerabilities or bugs in smart contracts, with the remainder attributed to private-key leaks and rug pulls—instances where developers intentionally withdraw all funds from a project.

    Shashank, CEO of CredShields and co-lead of the OWASP Smart Contract Top 10 project, warns that while immutability and transparency are strengths of blockchain systems, these same traits can magnify the damage caused by coding flaws. Even a single logical error can cause irreversible financial loss and severe reputational damage.

    While the DeFi sector is the most visible victim, the risk extends to any industry integrating blockchain and smart contracts: finance, supply chain, logistics, and real estate among them. Common threats include:

    • Unauthorized access to contract functions or data.
    • Oracle manipulation, altering the data inputs that smart contracts rely upon.
    • Logic exploitation, taking advantage of flawed programming to redirect funds or alter outcomes.

    To mitigate these risks, experts recommend:

    • Maintaining an inventory of all deployed smart contracts.
    • Conducting independent audits before and after deployment.
    • Enabling real-time monitoring of contract behavior and transaction patterns.
    • Rejecting obfuscated code in business contracts.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • What Are Human Digital Twins in Cybersecurity?

    Human Digital Twins (HDTs) are an emerging cybersecurity technology used to detect anomalies, insider threats, and credential abuse through behavioral modeling. In enterprise environments where identity threats and advanced persistent threats are growing, HDTs add a new layer of defense by monitoring how users interact with systems, not just who they are. Instead of relying solely on static identity or role-based access controls, HDTs use telemetry and behavioral baselines to continuously verify the authenticity of user actions.

    This article explains how Human Digital Twins work, their technical structure, and how they fit into modern cybersecurity frameworks such as Zero Trust and behavioral threat detection.


    Behavioral Modeling and User Context in Security

    Unlike identity and access management (IAM) tools, which define entitlements, HDTs construct a behavioral profile of each user over time. This model includes metrics such as:

    • Login frequency and session duration
    • Application usage patterns
    • File access sequences
    • Typing cadence and cursor movement
    • Common destinations within internal tools

    These user behavior profiles are continuously updated, allowing organizations to detect account compromise, suspicious lateral movement, or early signs of insider threats, even if access credentials remain valid.


    Detecting Credential Misuse and Insider Threats

    One of the most valuable uses for Human Digital Twins in cybersecurity is detecting compromised accounts. Attackers often bypass firewalls and endpoint protection by stealing valid credentials. Traditional authentication tools may not recognize that an attacker is inside the network if login data appears normal.

    HDTs fill this gap by analyzing what a user does after logging in. For example, if a legitimate employee typically accesses HR tools and suddenly starts querying engineering repositories, the system can compare the behavior to the twin’s baseline and assign a behavioral risk score. This helps detect threat actors using compromised credentials in real time.

    In insider threat scenarios, HDTs can detect subtle behavioral shifts that do not trigger predefined rules but still represent elevated risk. A user working irregular hours or copying atypical data volumes may be flagged for review even if policies were not explicitly violated.


    Technical Architecture of Human Digital Twins

    The underlying architecture of an HDT solution involves telemetry collection, feature extraction, and model training. High-volume data from endpoints, cloud environments, and network sensors is ingested into behavioral analytics engines. These engines use time-series analysis and unsupervised learning to build individual behavioral baselines.

    Integrating HDTs with SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platforms allows behavioral alerts to trigger automated responses—such as MFA reauthentication, session termination, or privilege escalation blocks.


    Role of HDTs in Zero Trust Security

    Human Digital Twins are highly effective in Zero Trust architectures, which emphasize continuous verification and risk-based access decisions. While Zero Trust often focuses on identity verification and device posture, HDTs add behavioral fidelity to those assessments.

    For instance, a Zero Trust access gateway may permit a login attempt based on a strong password and healthy device. However, if the user then begins accessing systems they have never used, or transfers files atypically, the HDT system can intervene. This enables adaptive access control, where user privileges are dynamically adjusted based on behavioral context.


    Addressing Behavioral Drift and Privacy Concerns

    Like all AI-driven cybersecurity tools, HDTs are not without operational challenges. Behavioral drift, meaning normal shifts in a user’s work habits caused by role changes or new business processes, must be accounted for to reduce false positives. Regular retraining and baseline recalibration are necessary to maintain high detection fidelity.
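    The baseline-and-score idea from the credential-misuse section, together with the recalibration step described here, as an added Python example (not code from the original article or any HDT product). The telemetry, feature weights, z-score threshold and window size are constructed assumptions; a real engine would draw on far richer features than the three tracked here.

```python
from collections import Counter
from datetime import datetime

# Constructed sample telemetry for one HR user: (timestamp, application, bytes_read).
# In a deployment these would come from endpoint, cloud and network sensors.
BASELINE_EVENTS = [
    ("2025-03-03T09:12:00", "hr-portal", 120_000),
    ("2025-03-03T10:40:00", "payroll", 80_000),
    ("2025-03-04T09:05:00", "hr-portal", 100_000),
    ("2025-03-04T14:20:00", "payroll", 90_000),
    ("2025-03-05T09:30:00", "hr-portal", 110_000),
    ("2025-03-05T11:00:00", "payroll", 70_000),
    ("2025-03-06T08:55:00", "hr-portal", 130_000),
    ("2025-03-06T15:10:00", "hr-portal", 60_000),
]

# Assumed weights for the three behavioral features this example tracks.
W_NEW_APP, W_UNUSUAL_HOUR, W_ATYPICAL_VOLUME = 40, 25, 35
Z_THRESHOLD = 3.0   # bytes read more than 3 standard deviations above baseline


def build_twin(events):
    """Build the behavioral baseline (the "twin") from observed events."""
    volumes = [nbytes for _, _, nbytes in events]
    mean = sum(volumes) / len(volumes)
    var = sum((v - mean) ** 2 for v in volumes) / len(volumes)
    return {
        "apps": Counter(app for _, app, _ in events),
        "hours": Counter(datetime.fromisoformat(ts).hour for ts, _, _ in events),
        "mean_bytes": mean,
        "std_bytes": var ** 0.5,
    }


def score_event(twin, event):
    """Score one new event against the twin; returns (0-100 score, reasons).

    Credentials are assumed valid: only what the user does after login is
    examined, which is the gap the article says HDTs fill."""
    ts, app, nbytes = event
    score, reasons = 0, []
    if app not in twin["apps"]:                    # system never used before
        score += W_NEW_APP
        reasons.append("new_app")
    if datetime.fromisoformat(ts).hour not in twin["hours"]:  # irregular hours
        score += W_UNUSUAL_HOUR
        reasons.append("unusual_hour")
    std = twin["std_bytes"]
    z = (nbytes - twin["mean_bytes"]) / std if std else 0.0
    if z > Z_THRESHOLD:                            # atypical data volume
        score += W_ATYPICAL_VOLUME
        reasons.append("atypical_volume")
    return min(score, 100), reasons


def recalibrate(history, window=8):
    """Handle behavioral drift: rebuild the twin from only the most recent
    events, so a reviewed, legitimate role change stops looking anomalous."""
    return build_twin(history[-window:])


if __name__ == "__main__":
    twin = build_twin(BASELINE_EVENTS)
    # HR user querying an engineering repository at 02:15 and pulling 4 MB.
    print(score_event(twin, ("2025-03-10T02:15:00", "git", 4_000_000)))
```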

    Privacy is another consideration. Because HDTs collect detailed interaction data, organizations must implement strong governance policies, including data minimization, pseudonymization, and strict access controls over behavioral models. Compliance with data protection laws such as GDPR and FISMA is essential when deploying HDTs in regulated environments.



  • Why Every SMB Needs a Data Retention and Deletion Policy

    Small and mid-sized businesses (SMBs) are accumulating data at a faster pace than ever, yet many lack a formal data retention policy or defined data deletion policy. Without clear governance, this unchecked data sprawl increases exposure to cyberattacks, legal challenges, and regulatory violations. For organizations operating with limited resources, this can be especially dangerous.

    Developing and enforcing a data lifecycle framework is no longer merely a best practice; it is a necessity. From compliance mandates to cost savings and risk mitigation, a well-designed policy supports both operational and security goals. This guide outlines why a data retention and deletion policy is critical for SMBs and how to implement one effectively.


    The Hidden Risk of Storing Too Much Data

    In many SMB environments, legacy files, inactive accounts, and old backups remain untouched for years. While this may seem harmless, excessive data retention introduces significant cybersecurity and compliance risks. The more sensitive data stored unnecessarily, the larger your attack surface and the greater your liability.

    Old data increases the likelihood of:

    • Regulatory non-compliance, especially for data privacy laws like GDPR or CCPA.
    • Greater impact from a data breach, particularly if PII (personally identifiable information) is exposed.
    • Slower incident response and complex eDiscovery processes.
    • Higher costs for cloud storage, log aggregation, or backup management.

    Consider an SMB in financial services that retains customer records indefinitely. If those records are exfiltrated during a ransomware attack, regulators may penalize the organization for violating data minimization principles—even if the breach was properly disclosed.


    Data Retention and Regulatory Compliance

    Numerous laws dictate how long businesses must keep and when they must delete certain types of records. For SMBs handling sensitive data, understanding these timelines is essential for avoiding fines and legal consequences.

    Examples include:

    • HIPAA: Requires healthcare organizations to keep records for at least 6 years.
    • FINRA/SEC: Financial communications must be retained for up to 7 years.
    • GDPR/CCPA: Require personal data to be deleted when no longer necessary.
    • IRS regulations: Recommend retention of tax records for 7 years.

    Failing to implement a data retention policy aligned with these standards puts small businesses at direct risk of sanctions and audit failures.


    Building a Data Retention and Deletion Policy That Works

    An effective data retention and deletion policy should be practical, enforceable, and regularly reviewed. It must clearly define how long specific data types are retained and how they are securely destroyed. Integration with existing cybersecurity tools is key.

    Key components of a sound policy:

    • Classification of data types (e.g., HR, financial, customer, operational)
    • Clear retention periods based on legal and business requirements
    • Mapping of storage locations including cloud platforms and on-prem systems
    • Secure deletion methods to support data disposal compliance
    • Defined roles and automation rules for enforcement and auditing

    Where possible, SMBs should leverage their existing infrastructure, such as Microsoft 365 retention labels, Google Vault, or endpoint protection platforms, to automate lifecycle enforcement.
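    The components above, turned into a small retention engine as an added Python example (not code from the original article or any of the tools it names). The record classes, storage-location labels and sample records are constructed; the retention periods are the ones listed earlier for HIPAA, FINRA/SEC and IRS guidance, with GDPR/CCPA-style classes treated as purpose-bound rather than time-bound.

```python
from dataclasses import dataclass
from datetime import date

# Retention schedule in years for time-bound record classes (constructed
# class names; periods as listed in the article).
RETENTION_YEARS = {
    "health_record": 6,    # HIPAA: at least 6 years
    "financial_comm": 7,   # FINRA/SEC: up to 7 years
    "tax_record": 7,       # IRS guidance: 7 years
}
# Purpose-bound classes (GDPR/CCPA style): kept only while a purpose exists.
PURPOSE_BOUND = {"customer_pii"}


@dataclass
class Record:
    record_id: str
    data_class: str
    created: date
    location: str              # mapped storage location, e.g. "m365:sharepoint"
    legal_hold: bool = False
    purpose_active: bool = True


def add_years(d, years):
    """Anniversary date; a Feb 29 start rolls to Mar 1 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def decide(rec, today):
    """Return ('keep' | 'delete' | 'review', reason) for one record."""
    if rec.legal_hold:                     # a hold overrides every schedule
        return "keep", "legal_hold"
    if rec.data_class in RETENTION_YEARS:
        deadline = add_years(rec.created, RETENTION_YEARS[rec.data_class])
        if today < deadline:
            return "keep", "retain_until:" + deadline.isoformat()
        return "delete", "retention_expired"
    if rec.data_class in PURPOSE_BOUND:
        if rec.purpose_active:
            return "keep", "purpose_active"
        return "delete", "purpose_ended"
    # Unclassified data is neither silently deleted nor silently kept:
    # classification is the first component of the policy for a reason.
    return "review", "unclassified"


def run_policy(records, today):
    """Evaluate every record; return decisions and audit-log lines that
    document each outcome for a later compliance review."""
    decisions, audit = {}, []
    for rec in records:
        action, reason = decide(rec, today)
        decisions[rec.record_id] = action
        audit.append(
            f"{today.isoformat()} {action.upper()} {rec.record_id} "
            f"class={rec.data_class} at={rec.location} reason={reason}"
        )
    return decisions, audit


if __name__ == "__main__":
    sample = [  # constructed records
        Record("r1", "health_record", date(2019, 6, 1), "ehr:db"),
        Record("r2", "financial_comm", date(2019, 6, 1), "m365:exchange"),
        Record("r5", "customer_pii", date(2024, 1, 1), "crm",
               legal_hold=True, purpose_active=False),
    ]
    for line in run_policy(sample, date(2025, 8, 18))[1]:
        print(line)
```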


    Cybersecurity Benefits of Data Deletion

    Beyond compliance, enforcing a data deletion policy significantly strengthens SMB cybersecurity. Sensitive information retained longer than necessary becomes an easy target for threat actors. Breached backups, archive drives, or inactive cloud folders can still contain valuable credentials, financial records, or customer PII.

    Removing unneeded data:

    • Reduces the amount of information attackers can access
    • Lowers the scope of breach disclosures
    • Simplifies security monitoring and incident response
    • Improves endpoint performance and storage hygiene

    This is especially relevant as ransomware groups increasingly extort stolen data rather than just encrypting it. Effective secure data disposal limits what attackers can steal.


    Practical Tools for Enforcement

    Many data lifecycle management tasks can be handled through affordable or built-in tools. Examples include:

    • Microsoft Purview and Compliance Center: Manages retention rules for Exchange, Teams, SharePoint.
    • Google Workspace Vault: Handles retention and legal holds for Gmail and Drive.
    • Endpoint DLP tools: Flag or restrict data exfiltration from unmanaged systems.
    • Backup platforms: Automatically prune expired recovery points based on defined rules.

    These solutions help enforce your data retention policy at scale and produce audit logs showing proof of compliance.


    Why SMBs Must Act Now

    Unregulated data retention is no longer just a storage issue; it is a cybersecurity liability. A defined data retention and deletion policy enables small businesses to stay compliant, improve security posture, and prepare for potential audits or legal holds. Whether you store financial documents, employee records, or customer data, minimizing unnecessary retention is critical.



  • Why Federal Cybersecurity Needs a Zero Trust Model

    As federal agencies adopt cloud-first mandates and hybrid work becomes the norm, the traditional idea of a secure network perimeter no longer applies. Critical systems, identity infrastructure, and data now span multiple environments, including FedRAMP-authorized cloud platforms and mobile endpoints. In this environment, static perimeter-based security models aren’t just ineffective; they introduce risk. Addressing this requires a cybersecurity model grounded in continuous verification, least privilege enforcement, and adaptive access controls. That model is Zero Trust.


    Why Traditional Federal Cybersecurity Models Fall Short in 2025

    Legacy architectures focused on securing physical data centers and trusted internal networks. Firewalls and VPNs once acted as the gatekeepers, but modern infrastructures are increasingly decentralized. Agencies now manage a mix of cloud services, mobile workforces, and inter-agency collaboration, making it impossible to rely on a fixed Trusted Internet Connection (TIC) model alone.

    Despite this evolution, federal agencies still need to uphold the tenets of confidentiality, integrity, and availability (CIA). The challenge is applying these principles in dynamic environments. This shift has prompted frameworks like OMB M-22-09, which mandates federal Zero Trust implementation through measurable maturity outcomes.


    What Zero Trust Security Means for Government Agencies

    Zero Trust security assumes no actor, system, or connection is trustworthy by default. Each access request must be continuously evaluated based on identity, device health, location, and risk context.

    For federal agencies, Zero Trust became a mandate with Executive Order 14028. That order required all agencies to adopt Zero Trust architecture by the end of fiscal year 2024. The Office of Management and Budget (OMB) outlined a national strategy aligned with CISA’s Zero Trust Maturity Model (ZTMM). The model emphasizes granular enforcement across five pillars:

    • Identity, Credential, and Access Management (ICAM)
    • Endpoint and Device Trust
    • Secure Network Infrastructure
    • Application Security and Workload Protection
    • Data Classification and Encryption

    Each pillar is subject to continuous diagnostics and mitigation (CDM) and dynamic policy enforcement based on context: user behavior, device posture, access time, and location.


    Avoiding Fragmentation in Federal Zero Trust Implementation

    A common pitfall in agency Zero Trust efforts is deploying tools in isolation, which CISA refers to as “siloed maturity.” For example, implementing endpoint detection without integrating identity-aware proxy enforcement can allow compromised users to retain privileges. Without cross-pillar telemetry, gaps emerge.

    Disjointed deployments lead to:

    • Delayed mean time to detect (MTTD) and mean time to respond (MTTR)
    • Increased total cost of ownership (TCO) across tools
    • Inconsistent audit trails and compliance gaps during FISMA reviews

    Agencies need unified security telemetry across identity, endpoint, and data layers to meet both OMB timelines and TIC 3.0 policy enforcement capabilities.


    Key Questions for Designing Federal Zero Trust Architecture

    Before evaluating vendors or solutions, CISOs should conduct a system-level assessment framed around the following:

    • Who are the authorized identities accessing systems? (agency staff, contractors, interagency users)
    • What types of sensitive workloads are being accessed? (e.g., FOIA documents, law enforcement databases, CUI)
    • Where is this data hosted? (FedRAMP High cloud environments, internal enclave systems)
    • How should access be monitored and enforced? (via SSO, MFA, real-time session control, device health attestation)

    This aligns with CISA’s call to implement Identity Governance and Administration (IGA), continuous risk scoring, and adaptive access policies.
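
    The adaptive, context-based enforcement described above, as an added example (not CISA's or any vendor's code): a policy decision function that scores each request from the identity, device, network and data pillars and returns allow, step-up or deny. Weights, thresholds, hours, locations and data classes are constructed assumptions.

```python
"""Context-aware, risk-scored access decisions across the ZTMM pillars.

Added illustration, not CISA's or a vendor's implementation. Signal weights,
thresholds, business hours and resource classes are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import List, Tuple

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"

# Assumed agency baseline; a real deployment derives these from ICAM/IGA data.
BUSINESS_HOURS = (time(6, 0), time(20, 0))
EXPECTED_LOCATIONS = {"US"}


@dataclass(frozen=True)
class Context:
    """Signals drawn from the identity, device and network pillars."""
    user: str
    roles: frozenset
    mfa_verified: bool        # identity pillar
    device_managed: bool      # device pillar: enrolled endpoint
    device_posture: str       # device pillar: "compliant" | "noncompliant" | "unknown"
    location: str             # network pillar: session geolocation
    access_time: time


@dataclass(frozen=True)
class Resource:
    name: str
    data_class: str           # data pillar: "Public" | "CUI" | "LawEnforcement"
    allowed_roles: frozenset


@dataclass
class Decision:
    outcome: str
    risk: int
    reasons: List[str] = field(default_factory=list)


def risk_score(ctx: Context) -> Tuple[int, List[str]]:
    """Additive risk score; the weights are illustrative, not a standard."""
    score, reasons = 0, []
    if ctx.device_posture != "compliant":
        score += 40
        reasons.append(f"device posture {ctx.device_posture}")
    if not ctx.device_managed:
        score += 20
        reasons.append("unmanaged device")
    if ctx.location not in EXPECTED_LOCATIONS:
        score += 30
        reasons.append(f"unexpected location {ctx.location}")
    start, end = BUSINESS_HOURS
    if not (start <= ctx.access_time <= end):
        score += 15
        reasons.append("outside business hours")
    if not ctx.mfa_verified:
        score += 25
        reasons.append("no MFA on session")
    return score, reasons


def evaluate(ctx: Context, res: Resource) -> Decision:
    """Least-privilege (role) check first, then adaptive policy by data class.

    Call this again whenever a signal changes during the session: continuous
    evaluation is just re-running the same decision on fresh context.
    """
    score, reasons = risk_score(ctx)
    if not (ctx.roles & res.allowed_roles):
        return Decision(DENY, score, reasons + ["role not entitled to resource"])

    if res.data_class == "Public":
        return Decision(ALLOW if score < 80 else DENY, score, reasons)

    # CUI and law-enforcement data: a managed, compliant device is mandatory
    # (no step-up can repair a failed posture check); MFA can be requested.
    if not ctx.device_managed or ctx.device_posture != "compliant":
        return Decision(DENY, score, reasons)
    if not ctx.mfa_verified:
        return Decision(STEP_UP, score, reasons)
    limit = 30 if res.data_class == "LawEnforcement" else 45
    return Decision(ALLOW if score < limit else DENY, score, reasons)


if __name__ == "__main__":
    foia = Resource("FOIA archive", "CUI", frozenset({"foia_analyst"}))
    staff = Context("a.staff", frozenset({"foia_analyst"}), True, True,
                    "compliant", "US", time(10, 0))
    print(evaluate(staff, foia))                       # ALLOW, risk 0
    traveling = Context("a.staff", frozenset({"foia_analyst"}), True, True,
                        "compliant", "Remote-Foreign", time(2, 30))
    print(evaluate(traveling, foia))                   # DENY, risk 45
```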


    Integrated Security for Federal Environments

    Rather than layering point solutions on top of legacy infrastructure, agencies should adopt platforms that natively integrate controls across ZTMM pillars, particularly ICAM, Endpoint Detection and Response (EDR), and Data Loss Prevention (DLP).

    Platforms should support:

    • Attribute-based access control (ABAC) mapped to NIST 800-53 controls
    • FedRAMP-Moderate or High baseline authorization
    • Integration with Security Operations Centers (SOCs) and SIEM tools like Wazuh or Elastic Security

    A unified Zero Trust platform simplifies policy management and centralizes logging, improving both situational awareness and audit readiness.


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Microsoft August 2025 Patch Tuesday Fixes 107 Flaws, Publicly Disclosed Kerberos Zero-Day

    Microsoft’s August 2025 Patch Tuesday delivers fixes for 107 vulnerabilities, including one publicly disclosed zero-day in Windows Kerberos. Thirteen vulnerabilities are classified as critical, with nine involving remote code execution, three tied to information disclosure, and one elevation of privilege flaw.


    Breakdown of Vulnerabilities

    • 44 Elevation of Privilege vulnerabilities
    • 35 Remote Code Execution vulnerabilities
    • 18 Information Disclosure vulnerabilities
    • 9 Spoofing vulnerabilities
    • 4 Denial of Service vulnerabilities

    These totals exclude security fixes for Mariner, Azure, and Microsoft Edge addressed earlier in the month. Non-security updates released include Windows 11 KB5063878 and KB5063875, and Windows 10 KB5063709.


    Zero-Day Vulnerability

    CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability

    This publicly disclosed flaw allows an authenticated attacker to escalate privileges to domain administrator over a network. The issue arises from relative path traversal in Kerberos, which can be abused if an attacker has elevated access to specific dMSA attributes:

    • msds-groupMSAMembership: Enables the user to utilize the dMSA.
    • msds-ManagedAccountPrecededByLink: Allows specifying a user the dMSA can act on behalf of.

    The vulnerability was disclosed in a technical report by Yuval Gordon of Akamai in May 2025.


    Other Critical Vulnerabilities

    This month’s critical patches also address multiple remote code execution flaws in core Windows components and Microsoft Office, as well as high-impact information disclosure issues that could lead to data exposure in enterprise environments.


    Adobe and Other Vendor Updates

    Several major vendors released important updates alongside Microsoft’s August patches:

    • 7-Zip: Patched a path traversal flaw leading to potential remote code execution.
    • Adobe: Issued emergency updates for AEM Forms zero-days after public proof-of-concept code appeared.
    • Cisco: Released patches for WebEx and Identity Services Engine vulnerabilities.
    • Fortinet: Updated FortiOS, FortiManager, FortiSandbox, and FortiProxy to address multiple security issues.
    • Google: Fixed two actively exploited Qualcomm vulnerabilities in Android.
    • Microsoft: Issued a separate warning for CVE-2025-53786, a Microsoft Exchange flaw that could be used to hijack cloud environments.
    • Proton: Patched its iOS Authenticator app to prevent plaintext logging of sensitive TOTP secrets.
    • SAP: Released updates for multiple products, with some vulnerabilities rated at 9.9 severity.
    • Trend Micro: Published a temporary fix tool for an actively exploited Apex One RCE flaw, with a full update to follow.
    • WinRAR: Issued an update for an actively exploited path traversal vulnerability that could lead to RCE.

    Recommendations for Users and Administrators

    Given the public disclosure of CVE-2025-53779, organizations should prioritize patching Windows Kerberos services, especially in domain controller environments. Limiting access to sensitive dMSA attributes, monitoring for abnormal Kerberos activity, and applying the August updates across Windows systems are recommended.

    Attention should also be given to third-party patches from vendors such as Adobe, Cisco, and Fortinet, particularly where vulnerabilities are actively exploited.



  • NETIZEN EARNS A SPOT ON THE INC. 5000 LIST OF THE NATION’S MOST SUCCESSFUL BUSINESSES FOR A THIRD TIME

    Allentown, PA: Netizen Corporation, an ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III certified Veteran Owned provider of cybersecurity and related solutions, was named for a third time to the annual Inc. 5000 list of the nation’s most successful businesses. Established in 2013 and currently led by partners Michael Hawkins as CEO and Akhil Handa as COO, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Their innovative solutions transform complex cybersecurity, compliance, and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure and operations.

    The Inc. 5000 list represents a unique look at the most successful companies within the American economy’s most dynamic segment— its independent small and midsized businesses. Companies such as Microsoft, Dell, LinkedIn, Yelp, Zillow, and many other well-known names gained their first national exposure as honorees of the Inc. 5000.

    In 2019, Netizen ranked 47th overall, and, as such, was the nation’s fastest growing company in the cybersecurity and IT industry, the 2nd fastest growing business in all of Pennsylvania, the nation’s 2nd fastest growing Veteran-owned business, and achieved the highest ranking that a company based in the Lehigh Valley region had ever earned on the Inc. 5000 list with over 3,600% revenue growth, per the official program website.

    In 2020, Netizen ranked 184th, which placed them as the fastest growing company in the Lehigh Valley region, the nation’s 2nd fastest growing business in the cybersecurity and IT industry, the 2nd fastest growing business in all of Pennsylvania, and the 16th fastest growing Veteran-Owned business in America with over 2,222% revenue growth.

    In 2025, Netizen ranks 4,988th on Inc. Magazine’s list of America’s 5,000 fastest growing and most successful privately held businesses based on 2021 to 2024 growth.

    “Earning our third placement on the Inc. 5000 list—particularly after navigating the immense challenges of the pandemic era—reflects the exceptional capabilities and skill of our reorganized and reinvigorated team of highly trained professionals. They are truly the elite specialists of our industry,” said Michael Hawkins, CEO of Netizen Corporation. “This achievement is a direct result of our company’s commitment to technical excellence, curation of long-term customer relationships, and dedication to continuous personal and professional growth. Our renewed focus on these core tenets has driven both individual success and company-wide expansion these past several years while simultaneously increasing market diversification through expanded offerings.”

    About Netizen Corporation:

    Founded in September 2013, Netizen is a highly specialized provider of cybersecurity and related technology solutions. The company, a Small Business Administration (SBA) certified Service-Disabled Veteran Owned Business (SDVOSB), is headquartered in Allentown, PA with additional offices and staff locations in Virginia (DC Metro), South Carolina (Charleston), and Florida. Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of its operations.

    In addition to being one of the fastest-growing private businesses in the U.S. three times, Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for Veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Netizen operates a state-of-the-art 24x7x365 Security Operations Center (SOC) in Allentown, PA that delivers comprehensive cybersecurity monitoring solutions for both government and commercial clients. Their service portfolio also includes cybersecurity assessments and advisory, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. They specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Their proven track record in these domains positions them as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Learn more at Netizen.net.

    POINT OF CONTACT:

    • Tristan Boheim
    • Account Executive
    • Phone: 1-800-450-1773
    • Email: press@Netizen.net

  • Netizen: Monday Security Brief (8/11/2024)

    Today’s Topics:

    • Threat Actor RomCom Exploits WinRAR Zero-Day in Targeted Espionage Campaign
    • Over 29,000 Microsoft Exchange Servers Remain Unpatched for High-Severity Hybrid Cloud Exploit
    • How can Netizen help?

    Threat Actor RomCom Exploits WinRAR Zero-Day in Targeted Espionage Campaign

    A Russia-linked threat group known as RomCom, also tracked as Storm-0978, Tropical Scorpius, and UNC2596, has been caught exploiting a newly discovered WinRAR zero-day vulnerability, CVE-2025-8088, in cyberespionage operations targeting organizations in Europe and Canada.

    CVE-2025-8088 is a path traversal flaw in WinRAR involving the use of alternate data streams. It allows attackers to craft malicious archive files that extract contents to attacker-controlled paths rather than the user-specified directory. This can be abused to overwrite critical files or plant malicious payloads without user awareness.

    The vulnerability was reported to WinRAR by ESET, which observed active exploitation beginning July 18, 2025. A beta fix was released on July 25, just one day after disclosure, and the final patch was issued on July 30.

    RomCom leveraged spearphishing emails to deliver the malicious archives, disguising them as resumes to increase credibility. The targeting was precise, indicating prior reconnaissance. Intended victims included organizations in the financial, defense, manufacturing, and logistics sectors across Canada and Europe.

    While ESET confirmed that none of the targeted organizations were successfully compromised, the payloads were designed to install a range of backdoors, including SnipBot, RustyClaw, and Mythic Agent.

    RomCom has a history of combining cyberespionage with opportunistic cybercrime and is known for exploiting zero-days against high-value targets in Europe and North America. This activity underscores the group’s ability to pivot quickly to new vulnerabilities and weaponize them in targeted campaigns.

    ESET noted that CVE-2025-8088 shares similarities with CVE-2025-6218, another WinRAR path traversal bug patched earlier this year. Russian security firm Bi.zone reported that both flaws have been exploited in recent operations, including attacks by a group it tracks as Paper Werewolf against Russian organizations such as an equipment manufacturer.

    Organizations using WinRAR are advised to update immediately to the latest version to close CVE-2025-8088 and related vulnerabilities. Security teams should also review spearphishing defenses, enhance email filtering for malicious attachments, and monitor for the delivery of suspicious archive files.
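
    The class of bug described above, as an added defensive example (not WinRAR's or ESET's code): a pre-extraction check that rejects archive entries whose names would land outside the chosen directory, including Windows alternate-data-stream syntax. It uses Python's zipfile so it runs offline; the archive, its entry names and the rule that ':' never appears in a legitimate name are constructed assumptions.

```python
"""Validate archive entry names before extraction.

Added example, not WinRAR's or ESET's code. Models the bug class described
above (entries escaping the user-chosen directory, including Windows
alternate-data-stream syntax) with a constructed zip archive.
"""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Optional, Tuple


def classify_entry(name: str) -> Optional[str]:
    """Return a rejection reason, or None if the name is safe to extract."""
    # Treat backslashes as separators: the archive may have been built on
    # Windows while being inspected elsewhere.
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":" and n[0].isalpha()):
        return "absolute path or drive letter"
    # Assumption: the destination is a Windows volume (or policy forbids ':'),
    # so 'file:stream' can only be an alternate data stream reference.
    if ":" in n:
        return "alternate data stream syntax"
    norm = posixpath.normpath(n)
    if norm == ".." or norm.startswith("../"):
        return "parent directory traversal"
    return None


def safe_extract(archive: bytes, dest: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Extract only entries that stay inside dest; return (kept, rejected)."""
    kept, rejected = [], []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            reason = classify_entry(info.filename)
            target = None
            if reason is None:
                # Belt and braces: the resolved path must still sit under dest,
                # whatever the name looked like before normalisation.
                rel = posixpath.normpath(info.filename.replace("\\", "/"))
                target = os.path.realpath(os.path.join(dest_real, rel))
                if os.path.commonpath([dest_real, target]) != dest_real:
                    reason = "resolved outside destination"
            if reason:
                rejected.append((info.filename, reason))
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            kept.append(info.filename)
    return kept, rejected


def build_sample_archive() -> bytes:
    """Constructed archive shaped like the lure above: a decoy resume plus
    entries that try to land outside the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf", b"%PDF-1.4 decoy (constructed)")
        zf.writestr("../../Users/Public/Start Menu/Programs/Startup/upd.bat",
                    b"@echo constructed")
        zf.writestr("resume.pdf:payload.exe", b"MZ constructed")
        zf.writestr("C:/Windows/Temp/x.dll", b"MZ constructed")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run the check against the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_archive(), d)


if __name__ == "__main__":
    kept, rejected = demo()
    print("extracted:", kept)
    for name, why in rejected:
        print(f"rejected {name!r}: {why}")
```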


    Over 29,000 Microsoft Exchange Servers Remain Unpatched for High-Severity Hybrid Cloud Exploit

    More than 29,000 Microsoft Exchange servers exposed to the internet have not been patched against CVE-2025-53786, a high-severity vulnerability that could enable attackers to escalate privileges within hybrid cloud environments and potentially achieve full domain compromise.

    This flaw affects Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition in hybrid configurations. An attacker with administrative access to an on-premises Exchange server could exploit CVE-2025-53786 to forge or manipulate trusted tokens and API calls, moving laterally into the connected cloud environment. The activity leaves minimal traces, making detection difficult.

    Microsoft addressed the vulnerability in April 2025 with a hotfix released as part of its Secure Future Initiative, introducing a dedicated hybrid app to replace the insecure shared identity model previously used between on-premises Exchange and Exchange Online. Although Microsoft has not observed active exploitation, it rated the flaw as “Exploitation More Likely” due to the potential for consistent exploit development.

    According to scans by Shadowserver, as of August 10, 2025, there were 29,098 unpatched Exchange servers online. Over 7,200 were located in the United States, 6,700 in Germany, and 2,500 in Russia. The remaining vulnerable servers are distributed across other regions, all at risk of compromise if exploited.

    Following Microsoft’s disclosure, CISA issued Emergency Directive 25-02, mandating all Federal Civilian Executive Branch agencies to mitigate CVE-2025-53786 by August 11, 2025, at 9:00 AM ET. Agencies were instructed to:

    • Inventory Exchange environments using Microsoft’s Health Checker script.
    • Disconnect unsupported, public-facing Exchange servers from the internet.
    • Apply the April 2025 hotfix and update to the latest cumulative updates (CU14 or CU15 for Exchange 2019, CU23 for Exchange 2016).

    CISA warned that failing to patch could result in a “hybrid cloud and on-premises total domain compromise.”

    Although the directive applies only to federal agencies, CISA urged all organizations, public and private, to apply the same mitigations. The agency emphasized that the risk extends to “every organization and sector using this environment,” regardless of industry.



  • New EDR Killer Tool Circulating Among Eight Ransomware Groups

    Security researchers from Sophos have uncovered a new EDR-killing utility, likely an evolution of the previously documented “EDRKillShifter,” now being used by at least eight different ransomware operations. These include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.


    Tool Behavior and Attack Flow

    The EDR killer is delivered as a heavily obfuscated binary that decodes itself at runtime and injects into trusted system processes. It looks for a digitally signed driver, often using a stolen or expired certificate, with a randomly generated five-character name hardcoded into the executable. Once located, the driver is used to perform a Bring Your Own Vulnerable Driver (BYOVD) attack, which allows the tool to achieve kernel-level privileges.

    Once active in the kernel, the rogue driver poses as a legitimate file, such as the CrowdStrike Falcon Sensor Driver, but proceeds to shut down core antivirus and EDR services. The tool systematically kills processes and stops services associated with major security vendors.


    Targeted Security Solutions

    Vendors affected by these attacks include:

    • Sophos
    • Microsoft Defender
    • SentinelOne
    • Kaspersky
    • Symantec
    • Trend Micro
    • McAfee
    • Cylance
    • Webroot
    • F-Secure
    • HitmanPro

    Though each sample varies slightly in its configuration (e.g., targeted software or driver names), the presence of a shared packing mechanism (HeartCrypt) and consistent functionality points to a collaborative development effort rather than opportunistic reuse.


    Shared Framework, Not Leaked Code

    Sophos noted that this is not a case of a single leaked binary spreading among threat actors. Instead, the evidence indicates each group is using a unique build from a common proprietary toolkit. This form of code sharing and modular reuse is increasingly common among ransomware syndicates looking to streamline operations.


    Trend Mirrors Previous Tool Sharing

    This tactic is not isolated. Other tools like AuKill, used by Medusa Locker and LockBit, and FIN7’s AvNeutralizer, which was sold to multiple gangs including BlackCat, AvosLocker, and BlackBasta, follow similar patterns of reuse and collaborative tooling in the ransomware space.


    What SOC Teams Need to Know

    Security operations teams should treat this wave of EDR killer tools as a priority threat, especially given the speed and sophistication of the tactics involved. These tools bypass traditional user-space protections by abusing signed kernel-mode drivers, many of which originate from legitimate vendors but are either expired or stolen. SOC analysts should closely monitor for anomalous driver loading events, especially those tied to unsigned or improperly signed drivers using rare filenames.

    Emphasis should also be placed on kernel telemetry, driver validation policies, and lateral movement behaviors immediately following driver installation. Runtime obfuscation and process injection mean that static signatures will often fail, so behavioral analytics and memory inspection must become baseline components of detection strategy. Additionally, SOC teams should consider implementing driver blocklists via Windows Defender Application Control (WDAC) or equivalent kernel-level protections to prevent the loading of known malicious or legacy drivers.
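
    The monitoring described above, as an added detection example (not Sophos' code): it flags driver loads with rare five-character names or non-valid signatures and correlates them with security services stopping shortly afterwards. The event records, field names, service-name allowlist and the "drivers normally live under System32\drivers" heuristic are constructed assumptions.

```python
"""Correlate suspicious driver loads with security service shutdowns.

Added detection example, not Sophos' code. Events are constructed to resemble
Sysmon Event ID 6 (DriverLoad) and System log Event ID 7036 (service state
change); the field names, service list and paths are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Rare five-character driver file names, as described for this tool family.
RANDOM_NAME = re.compile(r"^[a-z0-9]{5}\.sys$", re.IGNORECASE)

# Assumption: legitimate drivers normally live here; loads from elsewhere are
# worth a closer look but are not conclusive on their own.
STANDARD_DRIVER_DIR = "c:/windows/system32/drivers/"

# Constructed allowlist of service names for the vendors listed above; a real
# deployment maintains this from its own asset inventory.
SECURITY_SERVICES = {"WinDefend", "Sense", "SentinelAgent",
                     "CSFalconService", "SAVService", "AVP"}

# Services stopping within this window after a driver load are attributed to it.
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed event stream: a legitimate EDR driver, then the pattern above.
SAMPLE_EVENTS = [
    {"ts": "2025-08-11T09:00:00", "type": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\edr_sensor.sys",
     "signer": "Example EDR Vendor (constructed)", "sig_status": "Valid"},
    {"ts": "2025-08-11T09:05:10", "type": "DriverLoad",
     "image": r"C:\ProgramData\xk9qz.sys",
     "signer": "Example Soft Ltd (constructed)", "sig_status": "Expired"},
    {"ts": "2025-08-11T09:05:12", "type": "ServiceStop", "service": "WinDefend"},
    {"ts": "2025-08-11T09:05:13", "type": "ServiceStop", "service": "SentinelAgent"},
    {"ts": "2025-08-11T09:05:30", "type": "ServiceStop", "service": "Spooler"},
    {"ts": "2025-08-11T09:20:00", "type": "ServiceStop", "service": "CSFalconService"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def driver_flags(ev: Dict) -> List[str]:
    """Static indicators on a single DriverLoad event."""
    flags = []
    path = ev["image"].replace("\\", "/")
    name = path.rsplit("/", 1)[-1]
    if RANDOM_NAME.match(name):
        flags.append("random_five_char_name")
    status = ev.get("sig_status", "missing").lower()
    if status != "valid":
        flags.append(f"signature_{status}")
    if not path.lower().startswith(STANDARD_DRIVER_DIR):
        flags.append("nonstandard_driver_path")
    return flags


def detect(events: List[Dict]) -> List[Dict]:
    """One finding per suspicious driver load, listing the security services
    that stopped within CORRELATION_WINDOW after it."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "DriverLoad":
            continue
        flags = driver_flags(ev)
        t0 = parse_ts(ev["ts"])
        stopped = [e["service"] for e in events[i + 1:]
                   if e["type"] == "ServiceStop"
                   and e["service"] in SECURITY_SERVICES
                   and parse_ts(e["ts"]) - t0 <= CORRELATION_WINDOW]
        if stopped:
            flags.append("security_services_stopped")
        if not flags:
            continue
        if stopped and len(flags) >= 3:
            severity = "critical"
        elif stopped or len(flags) >= 2:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"image": ev["image"], "flags": flags,
                         "stopped": stopped, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], f["flags"], f["stopped"])
```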



  • Google Confirms Breach in Salesforce CRM Data Theft Campaign Linked to ShinyHunters

    Google has confirmed that it was recently impacted by the same wave of Salesforce CRM data theft attacks that have been affecting multiple high-profile companies, part of an ongoing campaign attributed to the ShinyHunters extortion group.

    The company disclosed that in June 2025, one of its corporate Salesforce instances was compromised during a targeted attack classified internally as the work of threat actor “UNC6040” (also referred to as “UNC6240”). The attackers used voice phishing (vishing) techniques to breach employee accounts, gaining access to Salesforce data containing customer contact information for small and medium-sized businesses.


    Data Exposure Details

    According to Google’s statement, the stolen data consisted primarily of business names, contact details, and related notes, most of which was considered basic or publicly available information. The unauthorized access lasted for only a brief period before Google identified the intrusion and cut off the attackers, followed by a full impact assessment and mitigation measures.


    ShinyHunters’ Role in the Campaign

    While Google referred to the actors as UNC6040, cybersecurity sources and BleepingComputer’s ongoing investigation indicate that the ShinyHunters group is behind this broader campaign. ShinyHunters is a well-known threat actor responsible for numerous high-profile breaches in recent years, including attacks on Snowflake, AT&T, Wattpad, Oracle Cloud, and PowerSchool.

    The group has reportedly breached multiple Salesforce instances across global enterprises and is actively extorting victims. Companies are being contacted via email with ransom demands to prevent the public release of stolen data. One victim reportedly paid 4 Bitcoin, approximately $400,000 at the time, to keep its information from being leaked.


    Additional Victims and Extortion Activity

    Other companies known to be affected in the ongoing attacks include Adidas, Qantas, Cisco, Allianz Life, and luxury brand subsidiaries of LVMH such as Louis Vuitton, Dior, and Tiffany & Co. ShinyHunters has indicated that once private extortion attempts are completed, the group intends to leak or sell the stolen data on underground forums.

