blogmirnet – My information Resource (blog.mir.net)

The Risks of Email Forwarding

Mutiple sources periodically receives reports of users implementing mailbox forwarding rules that automatically forward messages from their work email to an external mailbox that is not monitored by their organization.

Email forwarding to external non-work accounts via automatic forwarding rules or by manually forwarding messages poses several significant privacy and security risks to an organization’s information assets.

It can lead to data leakage, such as personally identifiable information (PII), sensitive data, financial information, and more. Additionally, if these external non-work accounts are compromised, email forwarding can provide unauthorized access to the leaked organization’s information assets.

This unauthorized access enables threat actors to exfiltrate sensitive data and implement their own mailbox rules to auto-forward emails to an external account controlled by them to obfuscate their malicious activities. Furthermore, forwarding emails can impact spam filters and message authentication checks, potentially resulting in emails being flagged as spam or failing to be delivered to intended recipients.

Forwarding emails can also lead to a loss of trust and negatively impact an organization’s domain reputation. Organizations implement email policies with specific requirements or conditions when accessing and using their email services. These policies may prohibit users from transmitting, storing, processing, or sharing sensitive information using personal or unauthorized email accounts.

The policies can include other unauthorized services, such as social media accounts, chat services, file storage, file synchronization, and file sharing. Since email forwarding can result in issues with compliance with applicable contractual, regulatory, and statutory requirements, users violating such policies are subject to disciplinary action, penalties, and fines.

In the District Court of New Jersey’s Bramshill Investments LLC v. Pullen case, the defendant manually forwarded proprietary documents and information from her work email account to her personal email account.

The plaintiff’s outside compliance consultant discovered the activity and notified the plaintiff, who later fired the defendant for violating the plaintiff’s business protocols, the defendant’s employment agreement, and regulatory and privacy regulations.

In the District Court of New Jersey’s US v. Andrew Blum case , a former vice president of product development and co-conspirator at a New Jersey-based producer of oil products and proprietary flavors stole their employer’s trade secrets. The defendant and co-conspirator signed an employee handbook and a non-disclosure agreement (NDA), agreeing not to disclose or use proprietary or confidential information while employed or after termination.

However, the employer’s IT team discovered that the co-conspirator used a personal email account on a work computer to forward files containing proprietary and trade secret information to the defendant to his personal email account.

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.
Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Firefox versions prior to 138
Thunderbird versions prior to ESR 128.10
Thunderbird versions prior to 138
Firefox ESR versions prior to 115.23
Firefox ESR versions prior to 128.10

RISK:
Government:

Large and medium government entities: HIGH
Small government: MEDIUM

Businesses:

Large and medium business entities: HIGH
Small business entities: MEDIUM

Home Users: LOW

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-by Compromise (T1189)

Privilege escalation in Firefox Updater. (CVE-2025-2817)
WebGL shader attribute memory corruption in Firefox for macOS. (CVE-2025-4082)
Process isolation bypass using “javascript. (CVE-2025-4083)
Memory safety bugs fixed in Firefox 138 and Thunderbird 138. (CVE-2025-4092)
Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10. (CVE-2025-4093)

Additional lower severity vulnerabilities include:

Potential information leakage and privilege escalation in UITour actor. (CVE-2025-4085)
Specially crafted filename could be used to obscure download type. (CVE-2025-4086)
Unsafe attribute access during XPath parsing. (CVE-2025-4087)
Cross-site request forgery via storage access API redirects. (CVE-2025-4088)
Potential local code execution in “copy as cURL” command. (CVE-2025-4089, CVE-2025-4084)
Leaked library paths in Firefox for Android. (CVE-2025-4090)
Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. (CVE-2025-4091)

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051:Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026:Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050:Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021:Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.

Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040:Behavior Prevention on Endpoint)
- Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017:User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Vulnerability in SonicWall Secure Mobile Access (SMA) 100 Series Management Interface Could Allow for Remote Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

A vulnerability has been discovered in SonicWall Secure Mobile Access (SMA) 100 Management Interface, which could allow for remote code execution. SonicWall Secure Mobile Access (SMA) is a unified secure access gateway used by organizations to provide employees access to applications from anywhere. Successful exploitation of this vulnerability could allow for remote code execution.

Threat Intelligence According to SonicWall on April 15, this vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has upgraded the CVSS score from medium to high severity (7.2).

Systems Affected

SMA 200 SMA 210 SMA 400 SMA 410 SMA 500v (ESX, KVM, AWS, Azure) Versions 10.2.1.0-17sv and earlier Versions 10.2.0.7-34sv and earlier Versions 9.0.0.10-28sv and earlier

Risk
Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High
– Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by SonicWall to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References
SonicWall:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20035

CSF 2.0 Webinar Series: Deep-Dive into the Govern Function

Register Today! Deep-Dive into the CSF 2.0 Govern Function to Improve Cybersecurity

One of the major updates to CSF 2.0 is the creation of the Govern Function, highlighting the importance of ensuring cybersecurity capabilities support the broader mission through Enterprise Risk Management (ERM).

Governance is the process of determining enterprise objectives, setting direction to achieve those objectives, and monitoring performance to adjust strategy as necessary. Risk governance provides the transparency, responsibility, and accountability that enables managers to effectively manage risk.

In the second webinar in NIST’s new multi-part CSF 2.0 webinar series, we will provide a discussion covering:

Demystifying what governance is.
The role of the Govern Function in a cybersecurity-focused framework.
Strategies for bidirectional communication between cybersecurity practitioners and leadership.
How organizations of all sizes can put cybersecurity governance into practice using the CSF 2.0.
How you can use the CSF in conjunction with other NIST publications (such as the NIST IR 8286 series, SP 800-30, etc.) to better integrate cybersecurity and enterprise risk management for governance oversight.
CSF 2.0 implementation resources in support of cybersecurity governance.

Time will be reserved at the end for audience questions.

Event Date: May 20, 2025

Event Time: 2:00PM-3:00PM ET

Speakers:

Julie Chua, Division Chief, Applied Cybersecurity Division, NIST
Stephen Quinn, Senior Computer Scientist and CSF Project Lead, Computer Security Division, NIST

Social Security Administration Phishing Emails

The NJCCIC received reports of Social Security Administration (SSA) phishing emails, consistent with the SSA’s scam alert earlier this month. The emails contain SSA branding to appear legitimate and claim to be from the SSA. However, upon further inspection, they were sent from non-.gov top-level domains (TLDs) with the sender’s display name as “Social Security administration.”

The subject line displays, “Your benefits statement is now available for download.” The emails create urgency to convince potential victims to download and review their Social Security statements immediately to ensure uninterrupted access to their benefits and prevent processing delays.

The emails also instruct potential victims to click the “Download Statement” button and install the required file specifically on PC/Windows systems.
If clicked and installed, sensitive information and devices may be at risk.

These communications are not legitimate, as the SSA will not ask for personally identifiable information (PII), including Social Security numbers or dates of birth, or financial information via email, phone, or text message.

Also, the SSA will not threaten to suspend your Social Security number, demand immediate payment, warn of legal action, download “secure” software, or request permission to access your device.

Recommendations

Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.

Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources.

Navigate to official websites, such as the SSA, by typing official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.

Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.

Confirm the legitimacy of the requests by contacting the SSA directly through their official website.

Direct Deposit Scams Continue

In direct deposit or payroll diversion scams, threat actors research the targeted organization and identify an employee to impersonate. They typically register a free email address using the employee’s name and utilizing display name spoofing in the messages. In some cases, they compromise the employee’s email account to avoid suspicion. Then the threat actors email payroll, finance, or human resources departments to request direct deposit changes and applicable forms. Sometimes, the threat actors locate direct deposit change forms online and include the filled-out forms in the email. They intend to divert the employee’s direct deposit account information to an account under the threat actor’s control.

The NJCCIC continues to receive multiple reports of direct deposit scams, primarily targeting educational institutions. However, all organizations, regardless of sector, are at risk. In one incident, threat actors created a Google Gmail account, impersonated an employee, and attempted to change the direct deposit account information. They sent an email with a blank subject line and content containing “Good Morning, Hope you’re having a great day. Before the next payroll will be issued, I need to replace the account where my most recent deposit was made due to a bank change. What information is required?”

In another incident, threat actors impersonated an employee and emailed the finance department with a subject line of “New Account Info.” The email contained, “I am currently experiencing issues logging into the [redacted] portal, as I am being redirected to the homepage with a blank page. Therefore, I can provide my new banking information for the update. Here is the voided check with my new bank details for the change. Please cancel the previous account and use the new details provided below [redacted bank information].”

In the examples above, the requests to change direct deposit information were easily identified as scams. However, in another direct deposit scam, threat actors intended to compromise an employee’s account to impersonate them and avoid suspicion. They contacted the organization’s help desk to request a password and multi-factor authentication (MFA) reset in a successful social engineering attack. The threat actors gained unauthorized access to the employee’s account and emailed a direct deposit change request to the payroll department. The payroll employee initiated the change based solely on the email request, deviating from the organization’s established policy. Additionally, to evade detection, the threat actors created an inbox rule to delete emails containing “direct deposit” automatically. However, the organization’s security monitoring solution detected the rule promptly, and the account was locked.

Organizations, especially employees in payroll, finance, or human resources departments, are advised to identify several red flags in direct deposit scams. First, the authenticity of the request is concerning when the sender’s name does not match the email address. Threat actors may also create urgency to speed up the process and use phrases such as “This is urgent” or “Please make the change immediately.” Additionally, if the request includes a form attachment, there may be errors, the Social Security number may not be correct, or the signature may be suspicious. Furthermore, the request may not include a recommended voided check.

Recommendations

Refrain from responding to messages, opening attachments, and clicking links from unknown senders, and exercise caution with emails from known senders.

If correspondence contains changes to bank information or is otherwise urgent or suspicious, contact the sender via a separate means of communication—by phone using contact info obtained from official sources or in person—before taking action.

Implement security controls that help prevent account compromise, including establishing strong passwords and enabling multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.

Organizations are advised to implement strict verification processes and procedures to prevent unauthorized direct deposit changes, such as requiring direct deposit forms accompanied by a voided check or bank encoding form, verbal or in-person agreement from the requesting employee, and multiple approvals for the change request.

Organizations are advised to educate their helpdesk and IT personnel on the tactics used by cyber threat actors to gain unauthorized access to accounts.

Review and secure email and payroll systems for vulnerabilities and keep them up to date. If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, banking institution, the FBI, and the US Secret Service so that attempts can be made to stop the wire transfer.

Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.

If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

Vulnerability in SAP NetWeaver Visual Composer Could Allow for Remote Code Execution

A vulnerability has been discovered in SAP NetWeaver Visual Composer, which could allow for remote code execution. SAP NetWeaver Visual Composer is SAP’s web-based software modelling tool. It enables business process specialists and developers to create business application components, without coding. Successful exploitation of this vulnerability could allow for remote code execution in the context of the system.

Threat Intelligence ReliaQuest and watchtower confirmed CVE-2025-31324 is being actively exploited in the wild.

System Affected

VCFRAMEWORK version 7.50

Risk
Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High
– Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by SAP to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References
ReliaQuest:
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US

BleepingComputer:
https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:

Apple is aware of a report that these vulnerabilities may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

SYSTEMS AFFECTED:

Versions prior to iOS 18.4.1 and iPadOS 18.4.1
Versions prior to visionOS 2.4.1
Versions prior to tvOS 18.4.1
Versions prior to macOS Sequoia 15.4.1

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0002):

Technique: Exploitation for Client Execution (T1203):

Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. (CVE-2025-31200)
An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. (CVE-2025-31201)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
- Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
- Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassessbi-annually, or more frequently.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Apple:

https://support.apple.com/en-us/100100

https://support.apple.com/en-us/122282

https://support.apple.com/en-us/122400

https://support.apple.com/en-us/122401

https://support.apple.com/en-us/122402

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31200

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31201

Microsoft Phishing Refresher

Over the past several weeks, the NJCCIC received reports of unauthorized account access facilitated by phishing campaigns. While the targeted accounts varied, the images in this post originate from a campaign that aims to access users’ Microsoft 365 accounts and uses tactics and techniques similar to other phishing campaigns. The initial phishing email typically directs the user to click on a link to view a message or document. Cybercriminals often give the document a name to feign the sensitivity or urgency of the document’s content. If clicked, the link will likely lead to a fraudulent login page, as noted in Image 1.

Image 1

Once an email address or username is submitted, the user will be prompted to provide their password. In Image 2 below, the prompt states that the user is being asked to verify their password because of the sensitivity of the information they are accessing, which is an attempt to decrease the user’s suspicions.

Image 2

Once the password is submitted, the user is often prompted to reenter it as if they submitted it incorrectly, as noted in Image 3. This tactic is likely used to ensure that the user entered their correct password into the form.

Image 3

After submitting the password a second time, the user is redirected to the Microsoft 365 Service Status webpage to appear as though the user was successfully logged in, as noted in Image 4. In other campaigns, the user may be redirected to the official Microsoft 365 login page, and they may assume this occurred because they entered their login information incorrectly.

Image 4

Recommendations

Refrain from clicking links or opening attachments delivered in suspicious or unexpected emails, even from known senders, and only submit account credentials on official websites. If you are unsure of the email’s legitimacy, contact the sender via a separate means of communication – such as by telephone – obtained from trusted sources before taking action.
if a password is entered into a fraudulent login form, revoke active session tokens, immediately change the user’s password, ensure multi-factor authentication is enabled and choosing a more secure method (authentication app, biometric, or hardware token) where available. Additionally, remove any unauthorized auto-forward, auto-delete, or reply-to rules created for compromised email accounts.

Organizations that identify compromised accounts on their networks are encouraged to lock the users’ accounts, identify any malicious emails sent during the compromise, and notify recipients.

If mailbox auditing is enabled, review the logs to identify which mailboxes were accessed or had access attempts made without authorization. Email account compromises typically precede ransomware infections.

Efforts to recover these accounts should also include analyzing any suspicious activity (such as attempts to elevate privileges, create new rules or users, or move laterally) that could indicate broader network compromise.

Review the Trustwave blog post detailing a new technique used by Tycoon2FA to compromise Microsoft 365 accounts.

Oracle Quarterly Critical Patches Issued April 15th, 2025 – PATCH: NOW

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

Autonomous Health Framework, versions 23.8.0-23.11.0, 24.1.0-24.11.0, 25.1.0, 25.2.0
GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.10
JD Edwards EnterpriseOne Tools, versions 9.2.0.0-9.2.9.2
Management Cloud Engine, version 24.3.0
MySQL Client, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0
MySQL Cluster, versions 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0
MySQL Connectors, versions 9.0.0-9.2.0
MySQL Enterprise Backup, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0
MySQL Server, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0
MySQL Shell, versions 8.0.32-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0
MySQL Workbench, versions 8.0.0-8.0.41
Oracle Access Manager, version 12.2.1.4.0
Oracle Agile Engineering Data Management, version 6.2.1
Oracle Application Express, versions 23.2.15, 23.2.16, 24.1.9, 24.1.10, 24.2.3, 24.2.4
Oracle Application Testing Suite, version 13.3.0.1
Oracle Banking APIs, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0
Oracle Banking Corporate Lending Process Management, versions 14.5.0.0.0-14.7.0.0.0
Oracle Banking Digital Experience, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0
Oracle Banking Liquidity Management, version 14.7.0.7.0
Oracle Banking Origination, versions 14.5.0.0.0-14.7.0.0.0
Oracle BI Publisher, versions 7.6.0.0.0, 12.2.1.4.0
Oracle Business Activity Monitoring, version 14.1.2.0.0
Oracle Business Intelligence Enterprise Edition, versions 7.6.0.0.0, 12.2.1.4.0
Oracle Business Process Management Suite, versions 12.2.1.4.0, 14.1.2.0.0
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
Oracle Commerce Guided Search, versions 11.3.2, 11.4.0
Oracle Commerce Merchandising, versions 11.3.0, 11.3.1, 11.3.2
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2, 11.4.0
Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0
Oracle Communications Cloud Native Core Binding Support Function, versions 24.2.0-24.2.2
Oracle Communications Cloud Native Core Certificate Management, version 24.2.2
Oracle Communications Cloud Native Core Console, version 24.2.2
Oracle Communications Cloud Native Core DBTier, versions 24.2.3, 24.2.4, 24.3.0
Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 24.2.5, 25.1.100
Oracle Communications Cloud Native Core Network Repository Function, version 24.2.3
Oracle Communications Cloud Native Core Policy, versions 24.2.0-24.2.4
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 24.2.2, 24.2.3, 24.3.0
Oracle Communications Cloud Native Core Service Communication Proxy, versions 24.2.0, 24.2.3, 24.3.0, 25.1.100
Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.0, 23.1.0-23.4.0, 24.2.3, 25.1.100
Oracle Communications Diameter Signaling Router, version 9.0.0.0
Oracle Communications EAGLE Element Management System, version 46.6
Oracle Communications Element Manager, versions 9.0.0-9.0.3
Oracle Communications Messaging Server, version 8.1.0.26.0
Oracle Communications MetaSolv Solution, version 6.3.1
Oracle Communications Network Analytics Data Director, versions 24.1.0-24.3.0
Oracle Communications Network Charging and Control, versions 12.0.6.0.0, 15.0.0.0.0, 15.0.1.0.0
Oracle Communications Network Integrity, versions 7.3.6, 7.4.0, 7.5.0
Oracle Communications Operations Monitor, version 5.2
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1, 7.5.0
Oracle Communications Policy Management, version 15.0.0.0.0
Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0
Oracle Communications Service Catalog and Design, versions 8.0.0.4.0, 8.1.0.2.0
Oracle Communications Session Border Controller, versions 9.2.0, 9.3.0, 10.0.0
Oracle Communications Session Report Manager, versions 9.0.0-9.0.3
Oracle Communications Unified Assurance, versions 6.0-6.1
Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0-7.5.1, 7.6.0, 7.7.0
Oracle Communications User Data Repository, versions 14.0.0, 15.0.0, 15.0.1, 15.0.2
Oracle Data Integrator, version 12.2.1.4.0
Oracle Database Server, versions 19.3-19.26, 21.3-21.17, 23.4-23.7
Oracle Demantra Demand Management, versions 12.2.6-12.2.14
Oracle Documaker, versions 12.7.1.6, 12.7.2.3, 13.0.0.1
Oracle E-Business Suite, versions 12.2.3-12.2.14, [ECC] 12-13
Oracle Enterprise Communications Broker, versions 4.1.0, 4.2.0
Oracle Enterprise Manager Base Platform, versions 13.5.0.0.0, 24.1.0.0.0
Oracle Essbase, version 21.7.1.0.0
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.8, 8.0.8.6, 8.1.1.4, 8.1.2.5
Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.2.8, 8.1.2.9
Oracle Financial Services Compliance Studio, version 8.1.2.9
Oracle Financial Services Model Management and Governance, version 8.1.2.7.0
Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0-7.0.0.0.0
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
Oracle GoldenGate, versions 19.1.0.0.0-19.26.0.0.250219, 21.3-21.17, 23.4-23.7
Oracle GoldenGate Veridata, versions 12.2.1.4.0-12.2.1.4.241210
Oracle GraalVM Enterprise Edition, versions 20.3.17, 21.3.13
Oracle GraalVM for JDK, versions 17.0.14, 21.0.6, 24
Oracle Graph Server and Client, versions 23.4.3, 23.4.4, 24.3.0, 24.4.0
Oracle Hospitality Cruise Shipboard Property Management System, version 23.2.1
Oracle Hospitality Reporting and Analytics, versions 9.1.34-9.1.36
Oracle Hospitality Simphony, versions 19.1-19.7
Oracle HTTP Server, versions 12.2.1.4.0, 14.1.2.0.0
Oracle Hyperion Financial Reporting, version 11.2.19.0.0
Oracle Hyperion Infrastructure Technology, version 11.2.19.0.0
Oracle Java SE, versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24
Oracle JDeveloper, version 12.2.1.4.0
Oracle Managed File Transfer, versions 12.2.1.4.0, 14.1.2.0.0
Oracle NoSQL Database, versions 1.5.0, 1.6.0, 1.6.1
Oracle Outside In Technology, version 8.5.7
Oracle Policy Automation, versions 12.2.0-12.2.36
Oracle Policy Modeling, versions 12.2.0-12.2.36
Oracle REST Data Services, versions 23.1, 23.2, 23.3, 23.4
Oracle Retail Order Broker, version 19.1
Oracle Retail Store Inventory Management, version 16.0.3.16
Oracle Retail Xstore Point of Service, versions 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1
Oracle SD-WAN Aware, version 9.0.1.11
Oracle SD-WAN Edge, version 9.1.1.9
Oracle Secure Backup, versions 12.1.0.1, 12.1.0.2, 12.1.0.3, 18.1.0.0, 18.1.0.1, 18.1.0.2, 19.1.0.0
Oracle Service Bus, version 12.2.1.4.0
Oracle Smart View for Office, version 24.200
Oracle SOA Suite, versions 12.2.1.4.0, 14.1.2.0.0
Oracle Solaris, version 11
Oracle SQL Developer, version 24.3.1.347.1826
Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.30.0
Oracle Utilities Application Framework, versions 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0
Oracle VM VirtualBox, version 7.1.6
Oracle WebCenter Forms Recognition, version 14.1.1.0.0
Oracle WebCenter Portal, version 12.2.1.4.0
Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0
OSS Support Tools, versions 2.11.0-2.12.46, 8.0-8.18, 18.1-18.4, 19.1-19.4, 20.1-20.4, 22.2, 23.1-23.4, 24.1-24.4, 25.1
PeopleSoft Enterprise CC Common Application Objects, version 9.2
PeopleSoft Enterprise HCM Talent Acquisition Manager, version 9.2
PeopleSoft Enterprise PeopleTools, versions 8.60, 8.61, 8.62
Primavera Gateway, versions 20.12.0-20.12.17, 21.12.0-21.12.15
Primavera P6 Enterprise Project Portfolio Management, versions 22.12.0-22.12.18, 23.12.0-23.12.13, 24.12.0-24.12.2
Primavera Unifier, versions 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3
Siebel Applications, versions 17.0-25.2

RISK:
Government:

Large and medium government entities: High
Small government entities: High

Businesses:

Large and medium business entities: High
Small business entities: High

Home users: Low

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
- Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
- Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently
Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES: