Month: April 2025

The initial public draft (ipd) of NIST Special Publication (SP) 800-228, Guidelines for API Protection for Cloud-Native Systems, is now available for public comment.

Modern enterprise IT systems rely on a family of application programming interfaces (APIs) for integration to support organizational business processes. Hence, a secure development and deployment of APIs is critical for overall enterprise security. This, in turn, requires the identification of risk factors or vulnerabilities in various phases of the API life cycle and the development of controls or protection measures to prevent their exploits.

This document addresses the following aspects for achieving that goal:

1. The identification and analysis of risk factors or vulnerabilities introduced during various activities of API development and runtime,
2. Recommended basic and advanced controls and protection measures during the pre-runtime and runtime stages of APIs, and
3. An analysis of the advantages and disadvantages of various implementation options (i.e., patterns) for those controls to enable security practitioners to adopt an incremental, risk-based approach to securing their APIs.

The public comment period is open through May 12, 2025. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

Responding to the need to propel AI innovation by developing AI standards more quickly while encouraging openness and collaboration – incorporating a wide range of expertise – NIST is launching its AI Standards Zero Drafts Pilot Project. 

As discussed at NIST’s AI symposium in September, this initiative will pilot a new process of distilling stakeholder views into “zero drafts”—thorough but preliminary proposals that will be submitted into the private sector-led standardization process to be developed into voluntary consensus standards.

NIST has proposed initial topics related to testing, evaluation, verification, and validation; AI design and architecture concepts; transparency documentation; among others. NIST solicits private and public sector input on priority topics and scoping. For each topic selected by NIST based on this feedback, the agency anticipates releasing a concept paper for public comment. NIST then will propose and revise a document to be submitted to the formal standardization process.

More details are available on a dedicated NIST web page. Please send any suggestions via email to [email protected].

Threat actors continue to exploit trusted financial software through impersonation, phishing emails, and fraudulent invoices or transactions. They can sign up for free accounts for legitimate software and target potential victims from within those services, utilizing email addresses from domains not flagged by typical security tools. They can also combine voice and email phishing techniques in telephone-oriented attack delivery (TOAD) attacks, relying on their targets to call actor-controlled phone numbers directly. The threat actors impersonate the trusted service and trick the targets into disclosing sensitive information over the phone, such as login credentials or financial information. TOAD attacks can result in credential theft, financial fraud, unauthorized access, malware installation, and ransomware.

The NJCCIC’s email security solution identified a TOAD attack impersonating Intuit QuickBooks and Stripe by Commerce Sync. The message appears to be created on legitimate Stripe infrastructure to evade detection. It contains a PDF attachment purporting to be a legitimate Intuit QuickBooks invoice for an upcoming subscription renewal. The threat actors use QuickBooks and Stripe branding in the message and PDF attachment. However, upon closer inspection, the message is suspicious because the QuickBooks name has a space in the subject line, sender’s display name, email content, and attachment. The invoice is addressed and billed to a generic “user.” Also, the link to pay the invoice does not navigate to verified Stripe domains and instead displays that the invoice is not found, forcing the target to call actor-controlled phone numbers, such as 888-375-7282, 888-652-2384, 888-514-8354, and others. The message and attachment also prompt the target to email sales with questions or in need of assistance to non-Intuit email addresses with “quicksbook[.]com” and “quick-books[.]com” domains instead of official Intuit domains.

Recommendations

Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders. Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources. Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials, personal details, and financial information on websites visited via links delivered in messages. Safeguard your information and accounts, including account credentials and other sensitive information. Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Report any suspicious activity, identity theft, or fraud to your financial institution, local police department, the Federal Trade Commission (FTC), or the credit reporting bureaus. Report phishing emails and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.

The NJCCIC was recently notified of a cyber incident in which a threat actor compromised a user’s account credentials by targeting the Password Hash Synchronization (PHS) login method. Azure utilizes PHS to validate credentials and authenticate users without needing an additional Identity Provider (IdP). When PHS is enabled, Azure AD Connect uses the AD replication protocol to retrieve the password NT hash for every synced user. The hash is then rehashed and synced to Azure AD. Even if another authentication mechanism is used, PHS is enabled by default and will be used as a backup method during server outages. In a PHS attack, the threat actor exploits PHS and Azure AD Connect server functionality, often by intercepting connector credentials via man-in-the-middle attacks or injecting malicious code directly into the PHS process, allowing them to extract the domain users’ NT hashes.

In the recent incident, after compromising the account, the threat actor created a new computer name and established an alternate phone number as the account’s method for multi-factor authentication (MFA). Within a few hours of gaining access to the compromised account, the threat actors sent nearly 800 phishing emails to both internal and external accounts. These emails likely aimed to compromise additional user accounts for subsequent cyber threat activity; threat actors often compromise user accounts prior to launching ransomware attacks.

Recommendations

Ensure user accounts require MFA, favoring authentication apps and hardware tokens over SMS-based codes. As advised by Microsoft, treat Azure AD Connect as a Tier 0 server. Implement network segmentation to reduce the impact of a network compromise. Monitor for man-in-the-middle attacks and atypical network and account behavior. Follow the principle of least privilege to reduce the number of accounts with unnecessary access. Revoke session tokens when an account is compromised and reduce the duration of valid session tokens. Review additional technical analysis in the Sygnia blog post.

A vulnerability has been discovered in CrushFTP, which could allow for unauthorized access. CrushFTP is a proprietary multi-protocol, multi-platform file transfer server. The vulnerability is mitigated if the DMZ feature of CrushFTP is in place. Successful exploitation of this vulnerability could allow an attacker to remotely control the compromised server and execute remote code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLEGENCE:
There are currently no reports of the vulnerability being exploited in the wild. 

SYSTEMS AFFECTED:

• CrushFTP v10 and v11 versions.

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in CrushFTP, which could allow for unauthorized access. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• An exposed HTTP(S) port on CrushFTP’s web interface could lead to unauthenticated access. The vulnerability is mitigated If you have the DMZ feature of CrushFTP in place.

Successful exploitation of this vulnerability could allow an attacker to remotely control the compromised server and execute remote code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate updates provided by CrushFTP or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
• Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
• Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

CrushFTP:
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
 
Bleeping Computer:
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2825

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:

Create a web shell, manipulate integrity checks, and modify files.  Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.  Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8.

For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.

CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282:

For the highest level of confidence, conduct a factory reset. For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.  See Ivanti’s Recommended Recovery Steps for more information, including how to conduct a factory reset.  Reset credentials of privileged and non-privileged accounts.  Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.  Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.  Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.  Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.

For more guidance, see the Ivanti Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283).

Join us at a free Microsoft 365 Copilot Training for IT to explore the fundamentals of using Copilot as your own AI assistant. Through expert-led demos, discover how Copilot helps boost collaboration, provides real-time insights, and streamlines workflows. During this tutorial, you’ll discover how to create prompts that deliver results, build foundational AI skills, and get the most out of Copilot in the apps you use every day. Engage with Microsoft experts to ask questions and get answers on how to apply AI to your daily tasks. You’ll gain skills to use Copilot to: Synthesize your emails, meetings, and chats in Microsoft Teams related to specific IT topics, projects, or activities. Perform data analysis and create summaries of product spec sheets to aid in decision making. Develop project plan ideas for a new technology solution in a Microsoft Word document. Draft an email about the proposed implementation plan in Microsoft Outlook. Create a presentation using Microsoft PowerPoint to pitch the project plan. Join us at an upcoming event: Delivery Language: English Closed Captioning Language: English Event Delivery: Digital
Monday, April 07, 2025,  12:00 – 1:00 PM (GMT-05:00)   Tuesday, April 22, 2025,  10:00 – 11:00 AM (GMT-05:00)
Tuesday, May 06, 2025,  2:00 – 3:00 PM (GMT-05:00)   Tuesday, May 20, 2025,  4:00 – 5:00 PM (GMT-05:00)

Space is limited. Register for free today.