Fake CAPTCHA Malware Campaigns

The NJCCIC’s email security solution identified a fake CAPTCHA malware campaign sent to New Jersey State employees in an attempt to deliver the SectopRAT infostealer. The emails contain links directing targets to malicious or compromised websites that present deceptive CAPTCHA verification challenges. In the background, the visited website copies a command to the target’s clipboard. The CAPTCHA then prompts the target to verify their identity by opening a Windows Run dialog box, pasting the clipboard contents, and running the command.
The first part of the command triggers a legitimate Windows executable, mshta[.]exe, to fetch a malicious file from the specified domain and run it. The file type can be html, mp3, mp4, jpg, jpeg, swf, and others. This first part of the command is purposefully obfuscated so that the target only sees the last part of the pasted content stating “I am not a robot – reCAPTCHA Verification ID: ####” in the Windows Run dialog box, which prompts the user to click OK to verify their identity. If completed, the encoded PowerShell command runs in the background, and the target inadvertently downloads and executes SectopRAT.
Further analysis indicated that the identified compromised websites used technologies such as the WordPress Content Management System (CMS) platform and JavaScript Libraries. A possible point of entry was an outdated PHP form that allowed threat actors to access the system and inject the malicious code. Additionally, the redirect links pointed to URLs of newly registered domains.
In a similar campaign, threat actors compromised a shared video service unique to auto dealerships in a supply chain attack. While the injected code was active, visitors to auto dealership websites risked infection with SectopRAT. Researchers also discovered similar fake CAPTCHA malware campaigns deploying Lumma and Vidar infostealers and stealthy rootkits. Legitimate CAPTCHA verification challenges validate a user’s identity and never require users to copy and paste commands or output into a Windows Run dialog box.
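As an added example that is not part of the NJCCIC bulletin, the following PowerShell script reads the current user’s Windows Run dialog history (the HKCU RunMRU key, whose commands are stored as string values named a, b, c… ordered by the MRUList value and suffixed with “\1”) and flags entries that match the lure described above: a living-off-the-land binary such as mshta.exe or powershell.exe pointed at a remote URL or an encoded command, or the “I am not a robot” verification text itself. The function names and the detection patterns are this example’s own assumptions, not published NJCCIC detection logic.

```powershell
# Added example: hunt the Windows Run dialog history (RunMRU) for commands
# that match the fake CAPTCHA lure: mshta/PowerShell fetching a remote file,
# an encoded command, or the "I am not a robot" verification text.
# Assumption: run in the session of the user whose Run history is of interest;
# RunMRU stores each command as a REG_SZ value named a..z ending in "\1".

function Get-RunMruEntries {
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
    if (-not (Test-Path $Path)) { return @() }
    $key   = Get-Item -Path $Path
    $order = $key.GetValue('MRUList') -as [string]      # most recent slot first
    if (-not $order) { return @() }
    foreach ($slot in $order.ToCharArray()) {
        $raw = $key.GetValue([string]$slot) -as [string]
        if ($null -eq $raw) { continue }
        [pscustomobject]@{
            Slot    = [string]$slot
            Command = $raw -replace '\\1$', ''          # strip the trailing "\1"
        }
    }
}

function Test-SuspiciousRunCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Interpreter or downloader commonly abused from the Run box
    $lolbin  = $Command -match '(?i)\b(mshta|powershell|pwsh|cmd|curl|bitsadmin|certutil)(\.exe)?\b'
    # Remote payload source: HTTP(S) URL or UNC path
    $remote  = $Command -match '(?i)https?://|\\\\[^\\\s]+\\'
    # Encoded PowerShell, as used in the background stage of the lure
    $encoded = $Command -match '(?i)-(e|ec|enc|encodedcommand)\b|FromBase64String'
    # The visible decoy text appended so the user only sees "verification"
    $lure    = $Command -match '(?i)not a robot|recaptcha|verification id'
    return (($lolbin -and ($remote -or $encoded)) -or $lure)
}

Get-RunMruEntries | ForEach-Object {
    [pscustomobject]@{
        Slot       = $_.Slot
        Suspicious = Test-SuspiciousRunCommand -Command $_.Command
        Command    = $_.Command
    }
} | Format-Table -AutoSize -Wrap
```

Any entry marked Suspicious warrants pulling the host for infostealer triage, since a command in RunMRU means the user actually executed it.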

Recommendations
If you encounter a suspicious CAPTCHA verification challenge, refrain from visiting the website or taking further action.

Keep browsers and anti-virus/anti-malware software up to date.

Keep systems up to date and apply patches after appropriate testing.

Disable JavaScript in the browser before visiting unknown websites.

Website administrators are advised to remove the malicious code and ensure the website is patched and updated.

Verify all administrators and update the administrative credentials for the CMS platform.

Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.

Register for the NIST NCCoE IoT Onboarding Open House Event!

REGISTRATION OPEN | Trusted IoT Onboarding Open House

Event Date/Time: April 17, 2025 | 8:30 a.m. – 4:00 p.m. 

Location: NCCoE at 9700 Great Seneca Highway, Rockville, MD 20850

The NIST National Cybersecurity Center of Excellence (NCCoE) invites you to join us for our in-person Open House Event to discuss trusted IoT Onboarding!

Untrusted provisioning of IoT device credentials to networks can expose organizations to significant cybersecurity risks. To mitigate these risks, implementing trusted, scalable, and automated mechanisms—starting with secure IoT device network-layer onboarding—is critical for properly safeguarding the IoT ecosystem.

The NIST NCCoE, in collaboration with 11 industry collaborators, has developed several technical build implementations using commercially available technologies such as Wi-Fi Easy Connect, Bootstrapping Remote Secure Key Infrastructure (BRSKI), and Thread. These technologies accelerate the adoption of trusted network-layer onboarding and relevant best practices. This work is documented in NIST Special Publication (SP) 1800-36, which offers organizations guidance for step-by-step implementation.

During this event, join the NCCoE team and project collaborators to explore the technical implementation solutions outlined in SP 1800-36 and connect with leading experts in the field. This is a valuable opportunity for those interested in advancing IoT security, and our team looks forward to your participation and insights.

The deadline to register is April 10, 2025. Registration is for in-person attendance only. There is no cost to attend.

View Agenda and Register

A Vulnerability in Veeam Backup & Replication Could Allow for Arbitrary Code Execution – PATCH NOW

A vulnerability has been discovered in Veeam Backup & Replication, which could allow for arbitrary code execution. Veeam Backup & Replication is a comprehensive data protection and disaster recovery solution. With Veeam Backup & Replication, you can create image-level backups of virtual, physical and cloud machines and restore from them. Exploitation of this vulnerability requires authentication to the domain but could result in arbitrary code execution. Data such as backups and images could be compromised.

THREAT INTELLIGENCE:
There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds. 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium 

Home users: Low 

TECHNICAL SUMMARY:
A vulnerability has been discovered in Veeam Backup & Replication, which could allow for arbitrary code execution. Details of the vulnerability are as follows: 

Tactic: Execution (TA0002):

Technique: Software Deployment Tools (T1072):

  • A vulnerability in Veeam Backup & Replication which could allow remote code execution (RCE) by authenticated domain users. The vulnerability affects Backup & Replication systems that are domain joined. Veeam explicitly mentions that having domain-joined backup servers is against their security and compliance best practices. However, it is acknowledged that this configuration might still be relatively common in practice. (CVE-2025-23120)

Successful exploitation of this vulnerability requires authentication to the domain but could result in arbitrary code execution. Data such as backups and images could be compromised. 
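The advisory gives two conditions for exposure: an affected build (12.3.0.310 or any earlier version 12 build) and a domain-joined backup server. The following PowerShell check, added here and not taken from Veeam or the advisory, tests both on the local host. It assumes the product is listed under the standard Uninstall registry keys with a DisplayName beginning “Veeam Backup & Replication” and a dotted DisplayVersion; both are assumptions of this example, not Veeam documentation.

```powershell
# Added example: does this host meet both exposure conditions from the advisory
# for CVE-2025-23120 (affected version 12 build AND domain-joined)?
# Assumptions: Veeam appears in the Uninstall keys with DisplayName starting
# "Veeam Backup & Replication" and a parseable dotted DisplayVersion.

$LastAffectedBuild = [version]'12.3.0.310'   # from the advisory's SYSTEMS AFFECTED

function Get-VeeamBackupVersion {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' -and $_.DisplayVersion } |
        Sort-Object { [version]$_.DisplayVersion } -Descending |
        Select-Object -First 1
    if ($entry) { return [version]$entry.DisplayVersion }
    return $null
}

function Test-AffectedBuild {
    param([Parameter(Mandatory)][version]$Installed,
          [version]$LastAffected = $LastAffectedBuild)
    # The advisory lists only version 12 builds up to and including 12.3.0.310.
    return ($Installed.Major -eq 12 -and $Installed -le $LastAffected)
}

function Test-DomainJoined {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

$installed = Get-VeeamBackupVersion
if ($null -eq $installed) {
    Write-Output 'Veeam Backup & Replication not found in the Uninstall registry keys.'
    return
}
$affected     = Test-AffectedBuild -Installed $installed
$domainJoined = Test-DomainJoined
Write-Output ("Installed build : {0}" -f $installed)
Write-Output ("Affected build  : {0}" -f $affected)
Write-Output ("Domain-joined   : {0}" -f $domainJoined)
if ($affected -and $domainJoined) {
    Write-Output 'Both advisory conditions met: apply the Veeam update (KB4724) and review domain membership.'
} elseif ($affected) {
    Write-Output 'Affected build but not domain-joined: still apply the update after testing.'
} else {
    Write-Output 'Build is newer than the affected range listed in the advisory.'
}
```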

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Veeam or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. (Mitigation M1015 : Active Directory Configuration)
    • Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 18.5: Perform Periodic Internal Penetration Tests: Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Manage the creation, modification, use, and permissions associated to user accounts. (Mitigation M1018 : User Account Management)
    • Safeguard 6.1: Establish an Access Granting Process: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
    • Safeguard 6.2: Establish an Access Revoking Process: Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
    • Safeguard 6.8: Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
    • Safeguard 15.7: Securely Decommission Service Providers: Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (Mitigation M1030 : Network Segmentation)
    • Safeguard 3.12: Segment Data Processing and Storage Based on Sensitivity: Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
    • Safeguard 4.4: Implement and Manage a Firewall on Servers: Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
    • Safeguard 12.8: Establish and Maintain Dedicated Computing Resources for All Administrative Work: Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.
    • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
  • Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. (Mitigation M1032 : Multi-factor Authentication)
    • Safeguard 6.4: Require MFA for Remote Network Access: Require MFA for remote network access.
    • Safeguard 6.5: Require MFA for Administrative Access: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

REFERENCES:

Veeam:
https://www.veeam.com/kb4724 

Rapid7:
https://www.rapid7.com/blog/post/2025/03/19/etr-critical-veeam-backup-and-replication-cve-2025-23120/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23120

Microsoft 365 Copilot Training for IT

Join us at Microsoft 365 Copilot Training for IT to learn how to use Microsoft Copilot to simplify your everyday tasks. During this free event, discover how Copilot can help you enhance efficiency, simplify complex tasks, and optimize technical workflows. You’ll be able to:

  • Use Copilot to summarize the information in a product spec document for a network security product and create a project plan to implement the product.
  • Use Copilot in PowerPoint to create and customize a business presentation based on the product plan that you created for the new network security product.
  • Use Copilot in Word to modify a technical implementation report for a customer who is planning to install your new network security product.
  • Use Copilot in Outlook to draft an email that provides highlights from the technical implementation report that you created for the customer who is installing your new network security product.

Join us at an upcoming event:

Delivery Language: English
Closed Captioning Language: English
Event Delivery: Digital

  • Tuesday, March 25, 2025, 4:00 – 5:00 PM (GMT-05:00)
  • Monday, April 07, 2025, 12:00 – 1:00 PM (GMT-05:00)
  • Tuesday, April 22, 2025, 10:00 – 11:00 AM (GMT-05:00)
  • Tuesday, May 06, 2025, 2:00 – 3:00 PM (GMT-05:00)

Space is limited. Register for free today.

Draft CSF 2.0 Quick Start Guide: Cybersecurity, ERM & Workforce Development

Draft Released Today for Public Comment— NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide

The Initial Public Draft (IPD) of NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is now published! This document shows how the Workforce Framework for Cybersecurity (NICE Framework) and the Cybersecurity Framework (CSF) 2.0 can be used together to address cybersecurity risk.

This QSG draws on three key NIST resources to enable users to align their cybersecurity, ERM, and workforce management practices in a streamlined process:

  • The Cybersecurity Framework (CSF) 2.0.
  • The Workforce Framework for Cybersecurity (NICE Framework).
  • The NIST IR 8286 series, Integrating Cybersecurity and Enterprise Risk Management (ERM).

This publication is the most recent within a portfolio of CSF 2.0 quick start guides released since February 26, 2024. These resources provide different audiences with tailored pathways into the CSF 2.0 and make the Framework easier to put into action. View all CSF 2.0 quick start guides here.

The comment period for NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is open through April 25, 2025, at 11:59 PM.

Read the Quick Start Guide

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, threat actors could install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.
Threat Intelligence
Google indicates limited, targeted exploitation of CVE-2024-43093 and CVE-2024-50302.

Systems Affected
  • Android OS patch levels prior to 2025-03-05

Risk
Government:
  • Large and medium government entities: High
  • Small government entities: High

Businesses:
  • Large and medium business entities: High
  • Small business entities: High

Home Users: Low

Recommendations
  • Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Reference
Android:
https://source.android.com/docs/security/bulletin/2025-03-01

Wire Transfer Fraud for Real Estate Transactions

Threat actors can perform reconnaissance by searching for and weaponizing publicly disclosed data and using a variety of impersonation techniques to convince their target that they are known and trusted parties involved in real estate transactions, including attorneys, real estate agents, brokers, title agencies, escrow services, mortgage companies, third-party vendors, buyers, and sellers. To appear legitimate, they spoof a familiar contact’s source name or email address or use domain names that mimic a trusted source in spearphishing attacks. The messages typically instruct the target to transfer funds, divulge sensitive information, or submit account credentials via phishing links to the threat actors posing as trusted individuals.
Threat actors target and gain unauthorized access to legitimate email accounts using compromised credentials. Compromised email accounts contain a wealth of information, including personally identifiable information (PII), various forms of identification, legal documentation, settlement statements, closing disclosures, and pre-closing transactions. One part or a combination of this information can be used to commit further malicious activities, such as identity theft and fraud. Real estate wire transfer scams can result in system compromises, data breaches, financial losses, and reputational damages.
The NJCCIC continues to receive reports of impersonation scams and wire transfer fraud in real estate transactions. Threat actors targeted numerous New Jersey title agencies and real estate attorneys, compromised email accounts, and sent fraudulent wire transfer instructions. The funds were typically transferred before the scheme was discovered. Threat actors are likely to increase their targeting as spring and early summer approach, as these seasons are generally the peak for real estate buying and selling.

Browser Extensions and Malicious Downloads Install Infostealers

Cybercriminals use information-stealing malware, also known as infostealers, to gather data about users, their devices, and their networks. This information can include personal information, account information like online passwords, and other sensitive data. Infostealers are installed on victim devices in several ways, such as malicious browser extensions and downloads.
Users download browser extensions for a variety of reasons. Even when an extension was downloaded from an official web store, threat actors may later surreptitiously purchase or hijack a popular extension for malicious purposes and capitalize on the trust it has gained. Users often continue to use the extension even after it has been taken over by the new vendor, as they are likely unaware of the change. Oftentimes, the new vendor will also update the permissions requested by the extension, allowing them to access, read, and modify files on the user’s system and more, as noted in image 1. Some threat actors use the extension to inject code into the system’s browser to facilitate malvertising and search engine optimization fraud, which leads into the second stage of their operation.
Image 1
If threat actors can manipulate search results and the online advertising viewed by users, they can push them to initiate malicious downloads. For example, the NJCCIC’s security operations center (SOC) team noted that malicious software known as pdfconverters[.]exe is often obtained by users searching for free worksheets, calendars, and more. While this program can convert documents, its real purpose is acting as a RedLine infostealer. A screenshot of the site and associated URLs advertising this download is noted in images 2 and 3.
Image 2
Image 3
Users who navigate to the sites advertising malicious downloads are often redirected there by other sites. Image 4 shows how a user is referred to these sites by malvertisements (column 3).
Image 4
Once pdfconverters[.]exe is downloaded, the threat actors exfiltrate information to command and control (C2) domains through WebView2, which occurs in a window that is hidden from the user. A screenshot of the WebView2 history in image 5 shows those domains being contacted; however, this was not visible in the user’s regular browsing history.
Image 5
Once the infostealer has been installed on the user’s device, it can gather sensitive information including the data, files, and images on the device; browsing history; account passwords, and more. Image 6 shows an example of the browser information that would be viewable by the threat actors, who could easily decrypt the passwords associated with the noted websites.
Image 6
For technical analysis and IOCs, please continue reading…

Root certificate will expire on 14 March — users need to update Firefox to prevent add-on breakage

On 14 March a root certificate (the resource used to prove an add-on was approved by Mozilla) will expire, meaning Firefox users on versions older than 128 (or ESR 115) will not be able to use their add-ons. We want developers to be aware of this in case some of your users are on older versions of Firefox that may be impacted.

Should you see bug reports or negative reviews reflecting the effects of the certificate expiration, we recommend alerting your users to this support article, which summarizes the issue and guides them through the process of updating Firefox so their add-ons work again.

Apple just released an emergency security update for a flaw: update your devices right now

Apple has patched its third zero-day flaw of the year with a new emergency security update for iPhones, iPads, Macs and its other devices.

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, and Safari 18.3.1. Maliciously crafted web content may be able to break out of the Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)