Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)

Commvault is monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.
The Cybersecurity and Infrastructure Security Agency (CISA) believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.
CISA urges users and administrators to review the mitigations and apply necessary patches and updates for all systems.
CISA added CVE-2025-3928 to the Known Exploited Vulnerabilities Catalog and is continuing to investigate the malicious activity in collaboration with partner organizations.

The Risks of Email Forwarding

Multiple sources periodically receive reports of users implementing mailbox forwarding rules that automatically forward messages from their work email to an external mailbox that is not monitored by their organization.

Email forwarding to external non-work accounts via automatic forwarding rules or by manually forwarding messages poses several significant privacy and security risks to an organization’s information assets.

It can lead to leakage of data such as personally identifiable information (PII), sensitive data, financial information, and more. Additionally, if these external non-work accounts are compromised, email forwarding can give unauthorized parties access to the organization’s leaked information assets.

This unauthorized access enables threat actors to exfiltrate sensitive data and implement their own mailbox rules to auto-forward emails to an external account controlled by them to obfuscate their malicious activities. Furthermore, forwarding emails can impact spam filters and message authentication checks, potentially resulting in emails being flagged as spam or failing to be delivered to intended recipients.

Forwarding emails can also lead to a loss of trust and negatively impact an organization’s domain reputation. Organizations implement email policies with specific requirements or conditions when accessing and using their email services. These policies may prohibit users from transmitting, storing, processing, or sharing sensitive information using personal or unauthorized email accounts.

These policies often also cover other unauthorized services, such as social media accounts, chat services, file storage, file synchronization, and file sharing. Since email forwarding can cause non-compliance with applicable contractual, regulatory, and statutory requirements, users who violate such policies are subject to disciplinary action, penalties, and fines.
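An added example, not from the advisory, of the check a mail administrator would run periodically: it audits an export of mailbox rules for any rule that forwards or redirects to a domain the organization does not control, and for the related evasion pattern described in the direct deposit section further down, an auto-delete rule keyed on payroll-type terms. The record layout, the internal domain list and the sample rules are all constructed assumptions, not a real product's export schema.

```python
# Added example (not from the advisory): audit a mailbox-rule export for
# auto-forwarding to domains the organization does not control, and for
# auto-delete rules keyed on sensitive terms. The record layout below is an
# assumed simplification of an inbox-rule export, not a real product schema.
from dataclasses import dataclass

# Assumption: the organization's own mail domains.
INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}
# Terms whose auto-deletion warrants review (see the direct deposit section).
SENSITIVE_TERMS = ("direct deposit", "payroll", "wire", "invoice")

# Constructed sample export: a benign internal forward, an external forward,
# a forward to a look-alike domain, and a delete rule hiding payroll mail.
SAMPLE_RULES = [
    {"mailbox": "alice@corp.example", "name": "Team copy",
     "forward_to": ["team@corp.example"], "delete": False, "subject_contains": []},
    {"mailbox": "bob@corp.example", "name": "Home",
     "forward_to": ["bob.home@freemail.example"], "delete": False, "subject_contains": []},
    {"mailbox": "carol@corp.example", "name": "Archive",
     "forward_to": ["carol@corp-example.net"], "delete": False, "subject_contains": []},
    {"mailbox": "dave@corp.example", "name": ".",
     "forward_to": [], "delete": True, "subject_contains": ["Direct Deposit"]},
]


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule_name: str
    reason: str


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address (empty if malformed)."""
    return address.rsplit("@", 1)[-1].strip().lower() if "@" in address else ""


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS,
                sensitive_terms=SENSITIVE_TERMS):
    """Return one Finding per risky rule: external forward or sensitive auto-delete."""
    findings = []
    for rule in rules:
        # Any forward target outside the organization's domains sends mail to a
        # mailbox the organization does not monitor; look-alike domains fail too.
        external = [a for a in rule.get("forward_to", [])
                    if domain_of(a) not in internal_domains]
        if external:
            findings.append(Finding(rule["mailbox"], rule["name"],
                                    "forwards to external: " + ", ".join(external)))
        # A delete rule matching payroll-type terms is the pattern an intruder
        # uses to hide a fraudulent change request from the mailbox owner.
        subjects = [s.lower() for s in rule.get("subject_contains", [])]
        if rule.get("delete") and any(t in s for s in subjects for t in sensitive_terms):
            findings.append(Finding(rule["mailbox"], rule["name"],
                                    "auto-deletes mail matching: " + ", ".join(subjects)))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox}\trule '{f.rule_name}'\t{f.reason}")
```

Run against a real export, the findings list is what goes to the mailbox owner and the security team for confirmation; the domain allowlist has to include every domain the organization legitimately sends to internally, or the audit will flag ordinary internal routing.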

In the District Court of New Jersey’s Bramshill Investments LLC v. Pullen case, the defendant manually forwarded proprietary documents and information from her work email account to her personal email account.

The plaintiff’s outside compliance consultant discovered the activity and notified the plaintiff, who later fired the defendant for violating the plaintiff’s business protocols, the defendant’s employment agreement, and regulatory and privacy regulations.

In the District Court of New Jersey’s US v. Andrew Blum case, a former vice president of product development and a co-conspirator at a New Jersey-based producer of oil products and proprietary flavors stole their employer’s trade secrets. The defendant and co-conspirator had signed an employee handbook and a non-disclosure agreement (NDA), agreeing not to disclose or use proprietary or confidential information while employed or after termination.

However, the employer’s IT team discovered that the co-conspirator had used a personal email account on a work computer to forward files containing proprietary and trade secret information to the defendant’s personal email account.

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

  • Mozilla Firefox is a web browser used to access the Internet.
  • Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
  • Mozilla Thunderbird is an email client.
  • Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Firefox versions prior to 138
  • Thunderbird versions prior to ESR 128.10
  • Thunderbird versions prior to 138
  • Firefox ESR versions prior to 115.23
  • Firefox ESR versions prior to 128.10
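As an added example, not part of the advisory, the following Python check compares product version strings, as an inventory tool would report them, against the fixed versions listed above. The installed-version strings are constructed, and the branch handling is this example's assumption: an ESR build is compared only against the fix for its own branch (115.23 or 128.10), a release build against 138, and an ESR branch the advisory does not list is reported for manual review rather than silently passed.

```python
# Added example (not from the advisory): compare reported Mozilla product
# versions against the fixed versions in the SYSTEMS AFFECTED list.
# Fixed versions per product and channel; ESR branches keyed by major version
# so that 115.x and 128.x are compared only against their own branch's fix.
FIXED = {
    "firefox": {"release": "138", "esr": {"115": "115.23", "128": "128.10"}},
    "thunderbird": {"release": "138", "esr": {"128": "128.10"}},
}


def parse_version(version: str):
    """'128.9.0esr' -> ((128, 9, 0), True); '137.0.2' -> ((137, 0, 2), False).

    A trailing 'esr' marks the extended support channel; any non-numeric
    suffix within a component (e.g. beta tags) ends the parse there."""
    text = version.strip().lower()
    esr = text.endswith("esr")
    core = text[:-3] if esr else text
    parts = []
    for component in core.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts), esr


def is_vulnerable(product: str, version: str):
    """Return (vulnerable, fixed_version). fixed_version is None when the
    reported ESR branch is not covered by the advisory (flag for review)."""
    nums, esr = parse_version(version)
    channel = FIXED[product.lower()]
    if esr:
        fixed = channel["esr"].get(str(nums[0]))
        if fixed is None:
            # Unknown or unlisted ESR branch: treat as vulnerable, not as safe.
            return True, None
    else:
        fixed = channel["release"]
    fixed_nums, _ = parse_version(fixed)
    # Tuple comparison handles differing lengths: (128, 9, 0) < (128, 10).
    return nums < fixed_nums, fixed


if __name__ == "__main__":
    # Constructed inventory sample: (hostname, product, reported version).
    inventory = [
        ("ws01", "firefox", "137.0.2"),
        ("ws02", "firefox", "128.9.0esr"),
        ("ws03", "firefox", "115.23.0esr"),
        ("ws04", "thunderbird", "115.18.0esr"),
    ]
    for host, product, ver in inventory:
        vuln, fixed = is_vulnerable(product, ver)
        status = "UPDATE" if vuln else "ok"
        print(f"{host}\t{product} {ver}\t{status}\tfixed in: {fixed or 'branch not listed, review'}")
```

The check is only as good as the version string it is fed; an inventory that reports "128.9.0" without the "esr" suffix would be compared against 138 and still come out as needing an update, but the fixed version it recommends would be the wrong channel.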

RISK:
Government:

  • Large and medium government entities: HIGH
  • Small government: MEDIUM

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM

Home Users: LOW

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-by Compromise (T1189)

  • Privilege escalation in Firefox Updater. (CVE-2025-2817)
  • WebGL shader attribute memory corruption in Firefox for macOS. (CVE-2025-4082)
  • Process isolation bypass using “javascript:” URI. (CVE-2025-4083)
  • Memory safety bugs fixed in Firefox 138 and Thunderbird 138. (CVE-2025-4092)
  • Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10. (CVE-2025-4093)

Additional lower severity vulnerabilities include: 

  • Potential information leakage and privilege escalation in UITour actor. (CVE-2025-4085)
  • Specially crafted filename could be used to obscure download type. (CVE-2025-4086)
  • Unsafe attribute access during XPath parsing. (CVE-2025-4087)
  • Cross-site request forgery via storage access API redirects. (CVE-2025-4088)
  • Potential local code execution in “copy as cURL” command. (CVE-2025-4089, CVE-2025-4084)
  • Leaked library paths in Firefox for Android. (CVE-2025-4090)
  • Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. (CVE-2025-4091)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051:Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026:Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050:Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021:Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040:Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017:User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4093

Mozilla:
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/

Vulnerability in SonicWall Secure Mobile Access (SMA) 100 Series Management Interface Could Allow for Remote Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
A vulnerability has been discovered in SonicWall Secure Mobile Access (SMA) 100 Management Interface, which could allow for remote code execution. SonicWall Secure Mobile Access (SMA) is a unified secure access gateway used by organizations to provide employees access to applications from anywhere. Successful exploitation of this vulnerability could allow for remote code execution.  
Threat Intelligence
According to SonicWall on April 15, this vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has upgraded the CVSS score from medium to high severity (7.2).

Systems Affected

  • SMA 200
  • SMA 210
  • SMA 400
  • SMA 410
  • SMA 500v (ESX, KVM, AWS, Azure)

Affected versions:

  • Versions 10.2.1.0-17sv and earlier
  • Versions 10.2.0.7-34sv and earlier
  • Versions 9.0.0.10-28sv and earlier

Risk
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home Users: Low

Recommendations

  • Apply appropriate updates provided by SonicWall to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information.
  • Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
  • Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
References
SonicWall:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022 

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20035

CSF 2.0 Webinar Series: Deep-Dive into the Govern Function

Register Today! Deep-Dive into the CSF 2.0 Govern Function to Improve Cybersecurity

One of the major updates to CSF 2.0 is the creation of the Govern Function, highlighting the importance of ensuring cybersecurity capabilities support the broader mission through Enterprise Risk Management (ERM).

Governance is the process of determining enterprise objectives, setting direction to achieve those objectives, and monitoring performance to adjust strategy as necessary. Risk governance provides the transparency, responsibility, and accountability that enables managers to effectively manage risk.

In the second webinar in NIST’s new multi-part CSF 2.0 webinar series, we will provide a discussion covering:

  • Demystifying what governance is.
  • The role of the Govern Function in a cybersecurity-focused framework.
  • Strategies for bidirectional communication between cybersecurity practitioners and leadership.
  • How organizations of all sizes can put cybersecurity governance into practice using the CSF 2.0.
  • How you can use the CSF in conjunction with other NIST publications (such as the NIST IR 8286 series, SP 800-30, etc.) to better integrate cybersecurity and enterprise risk management for governance oversight.  
  • CSF 2.0 implementation resources in support of cybersecurity governance.

Time will be reserved at the end for audience questions.

Event Date: May 20, 2025

Event Time: 2:00PM-3:00PM ET

Speakers:

  • Julie Chua, Division Chief, Applied Cybersecurity Division, NIST
  • Stephen Quinn, Senior Computer Scientist and CSF Project Lead, Computer Security Division, NIST
Register Here

Social Security Administration Phishing Emails

The NJCCIC received reports of Social Security Administration (SSA) phishing emails, consistent with the SSA’s scam alert earlier this month. The emails contain SSA branding to appear legitimate and claim to be from the SSA. However, upon further inspection, they were sent from non-.gov top-level domains (TLDs) with the sender’s display name as “Social Security administration.”

The subject line displays, “Your benefits statement is now available for download.” The emails create urgency to convince potential victims to download and review their Social Security statements immediately to ensure uninterrupted access to their benefits and prevent processing delays.

The emails also instruct potential victims to click the “Download Statement” button and install the required file specifically on PC/Windows systems.
If clicked and installed, sensitive information and devices may be at risk.
These communications are not legitimate, as the SSA will not ask for personally identifiable information (PII), including Social Security numbers or dates of birth, or financial information via email, phone, or text message.

Also, the SSA will not threaten to suspend your Social Security number, demand immediate payment, warn of legal action, download “secure” software, or request permission to access your device.
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.

Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources.

Navigate to official websites, such as the SSA, by typing official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.

Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.

Confirm the legitimacy of the requests by contacting the SSA directly through their official website.

Direct Deposit Scams Continue

In direct deposit or payroll diversion scams, threat actors research the targeted organization and identify an employee to impersonate. They typically register a free email address using the employee’s name and utilizing display name spoofing in the messages. In some cases, they compromise the employee’s email account to avoid suspicion. Then the threat actors email payroll, finance, or human resources departments to request direct deposit changes and applicable forms. Sometimes, the threat actors locate direct deposit change forms online and include the filled-out forms in the email. They intend to divert the employee’s direct deposit account information to an account under the threat actor’s control.
The NJCCIC continues to receive multiple reports of direct deposit scams, primarily targeting educational institutions. However, all organizations, regardless of sector, are at risk. In one incident, threat actors created a Google Gmail account, impersonated an employee, and attempted to change the direct deposit account information. They sent an email with a blank subject line and content containing “Good Morning, Hope you’re having a great day. Before the next payroll will be issued, I need to replace the account where my most recent deposit was made due to a bank change. What information is required?”
In another incident, threat actors impersonated an employee and emailed the finance department with a subject line of “New Account Info.” The email contained, “I am currently experiencing issues logging into the [redacted] portal, as I am being redirected to the homepage with a blank page. Therefore, I can provide my new banking information for the update. Here is the voided check with my new bank details for the change. Please cancel the previous account and use the new details provided below [redacted bank information].”
In the examples above, the requests to change direct deposit information were easily identified as scams. However, in another direct deposit scam, threat actors intended to compromise an employee’s account to impersonate them and avoid suspicion. They contacted the organization’s help desk to request a password and multi-factor authentication (MFA) reset in a successful social engineering attack. The threat actors gained unauthorized access to the employee’s account and emailed a direct deposit change request to the payroll department. The payroll employee initiated the change based solely on the email request, deviating from the organization’s established policy. Additionally, to evade detection, the threat actors created an inbox rule to delete emails containing “direct deposit” automatically. However, the organization’s security monitoring solution detected the rule promptly, and the account was locked.
Organizations, especially employees in payroll, finance, or human resources departments, are advised to identify several red flags in direct deposit scams. First, the authenticity of the request is concerning when the sender’s name does not match the email address. Threat actors may also create urgency to speed up the process and use phrases such as “This is urgent” or “Please make the change immediately.” Additionally, if the request includes a form attachment, there may be errors, the Social Security number may not be correct, or the signature may be suspicious. Furthermore, the request may not include a recommended voided check.
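An added example, not from the advisory, that turns the red flags described in the Social Security Administration phishing section above and in the direct deposit section here into a mail-gateway check: a display name that claims an organization whose domain the sender does not use, a display name that matches a known employee but not their directory address, a banking request from a free-mail domain, urgency language, and a request to download and install a file. The three messages, the employee directory, the trusted-domain map and the phrase lists are constructed assumptions.

```python
# Added example (not from the advisory): flag the impersonation red flags the
# SSA phishing and direct deposit sections describe. Messages are constructed;
# the trusted-domain map, employee directory and phrase lists are assumptions.
from email import message_from_string
from email.utils import parseaddr

# Assumption: display names that claim an organization, and the domains that
# organization actually sends from (the SSA emails came from non-.gov domains).
CLAIMED_ORG_DOMAINS = {"social security administration": {"ssa.gov"}}
# Assumption: the organization's employee directory (display name -> address).
EMPLOYEE_DIRECTORY = {"jane doe": "jane.doe@corp.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}
URGENCY_PHRASES = ("this is urgent", "immediately", "prevent processing delays",
                   "uninterrupted access", "before the next payroll")
BANKING_TERMS = ("direct deposit", "bank", "account", "payroll", "voided check")

# Constructed samples modelled on the wording quoted in the advisory.
SSA_MSG = """From: "Social Security administration" <alerts@ssa-benefits.example.com>
To: user@corp.example
Subject: Your benefits statement is now available for download

Download and review your Social Security statement immediately to ensure
uninterrupted access to your benefits and prevent processing delays.
Click "Download Statement" and install the required file on your PC/Windows system.
"""

PAYROLL_MSG = """From: "Jane Doe" <jane.doe.hr@gmail.com>
To: payroll@corp.example
Subject: New Account Info

Good Morning, Hope you're having a great day. Before the next payroll will be
issued, I need to replace the account where my most recent deposit was made
due to a bank change. What information is required?
"""

BENIGN_MSG = """From: "Jane Doe" <jane.doe@corp.example>
To: payroll@corp.example
Subject: Lunch

Anyone free for lunch on Thursday?
"""


def score_message(raw: str):
    """Return the list of red flags found in one RFC 5322 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name_l, domain = name.lower(), addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []

    # Display name claims an organization, but the sender domain is not one
    # that organization sends from.
    for claimed, domains in CLAIMED_ORG_DOMAINS.items():
        if claimed in name_l and domain not in domains:
            flags.append(f"display name claims '{claimed}' but sender domain is {domain}")

    # Display name matches a known employee, but the address is not theirs
    # (a free-mail account registered in the employee's name).
    expected = EMPLOYEE_DIRECTORY.get(name_l)
    if expected and expected.lower() != addr.lower():
        flags.append(f"display name '{name}' does not match directory address {expected}")

    if domain in FREE_MAIL_DOMAINS and any(t in text for t in BANKING_TERMS):
        flags.append("banking/payroll request from a free-mail domain")

    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        flags.append("urgency language: " + ", ".join(urgent))

    if "download" in text and "install" in text:
        flags.append("asks the recipient to download and install a file")
    return flags


if __name__ == "__main__":
    for label, raw in (("SSA", SSA_MSG), ("payroll", PAYROLL_MSG), ("benign", BENIGN_MSG)):
        print(label, score_message(raw))
```

A non-empty flag list is a reason to route the message to the out-of-band verification the recommendations call for (a call to the employee on a number from the directory, or a visit to the official site typed in by hand), not a verdict on its own; a sender that passes all the checks can still be a compromised internal account, which is why the direct deposit change itself needs its own approval process.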
Recommendations
Refrain from responding to messages, opening attachments, and clicking links from unknown senders, and exercise caution with emails from known senders.

If correspondence contains changes to bank information or is otherwise urgent or suspicious, contact the sender via a separate means of communication—by phone using contact info obtained from official sources or in person—before taking action. 

Implement security controls that help prevent account compromise, including establishing strong passwords and enabling multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. 

Organizations are advised to implement strict verification processes and procedures to prevent unauthorized direct deposit changes, such as requiring direct deposit forms accompanied by a voided check or bank encoding form, verbal or in-person agreement from the requesting employee, and multiple approvals for the change request.

Organizations are advised to educate their helpdesk and IT personnel on the tactics used by cyber threat actors to gain unauthorized access to accounts.

Review and secure email and payroll systems for vulnerabilities and keep them up to date. If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, banking institution, the FBI, and the US Secret Service so that attempts can be made to stop the wire transfer.

Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.

If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

Vulnerability in SAP NetWeaver Visual Composer Could Allow for Remote Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
A vulnerability has been discovered in SAP NetWeaver Visual Composer, which could allow for remote code execution. SAP NetWeaver Visual Composer is SAP’s web-based software modelling tool. It enables business process specialists and developers to create business application components, without coding. Successful exploitation of this vulnerability could allow for remote code execution in the context of the system.
Threat Intelligence
ReliaQuest and watchTowr confirmed CVE-2025-31324 is being actively exploited in the wild.
System Affected
VCFRAMEWORK version 7.50
Risk
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home Users: Low

Recommendations

  • Apply appropriate updates provided by SAP to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information.
  • Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
  • Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
References
ReliaQuest:
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
 
BleepingComputer:
https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

Apple is aware of a report that these vulnerabilities may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

SYSTEMS AFFECTED:

  • Versions prior to iOS 18.4.1 and iPadOS 18.4.1
  • Versions prior to visionOS 2.4.1
  • Versions prior to tvOS 18.4.1
  • Versions prior to macOS Sequoia 15.4.1

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0002):

Technique: Exploitation for Client Execution (T1203):

  • Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. (CVE-2025-31200)
  • An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. (CVE-2025-31201)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Apple:

https://support.apple.com/en-us/100100

https://support.apple.com/en-us/122282

https://support.apple.com/en-us/122400

https://support.apple.com/en-us/122401

https://support.apple.com/en-us/122402

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31200

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31201

Microsoft Phishing Refresher

Over the past several weeks, the NJCCIC has received reports of unauthorized account access facilitated by phishing campaigns. While the targeted accounts varied, the images in this post originate from a campaign that aims to access users’ Microsoft 365 accounts and uses tactics and techniques similar to other phishing campaigns. The initial phishing email typically directs the user to click a link to view a message or document. Cybercriminals often give the document a name that suggests sensitive or urgent content. If clicked, the link leads to a fraudulent login page, as shown in Image 1.
Image 1
Once an email address or username is submitted, the user is prompted for their password. In Image 2 below, the prompt states that the user is being asked to verify their password because of the sensitivity of the information they are accessing, a pretext intended to lower the user’s suspicion.
Image 2
Once the password is submitted, the user is often prompted to re-enter it as if it had been typed incorrectly, as shown in Image 3. This tactic is likely used to weed out typos and confirm that the captured password is the correct one.
Image 3
After submitting the password a second time, the user is redirected to the Microsoft 365 Service Status webpage to appear as though the user was successfully logged in, as noted in Image 4. In other campaigns, the user may be redirected to the official Microsoft 365 login page, and they may assume this occurred because they entered their login information incorrectly.
Image 4
Recommendations
Refrain from clicking links or opening attachments delivered in suspicious or unexpected emails, even from known senders, and only submit account credentials on official websites. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication, such as by telephone, using contact details obtained from trusted sources before taking action.
If a password is entered into a fraudulent login form, revoke the account’s active session tokens, change the user’s password immediately, and ensure multi-factor authentication is enabled, choosing a more secure method (authenticator app, biometric, or hardware token) where available. Additionally, remove any unauthorized auto-forward, auto-delete, or reply-to rules created on the compromised email account.

Organizations that identify compromised accounts on their networks are encouraged to lock the users’ accounts, identify any malicious emails sent during the compromise, and notify recipients.

If mailbox auditing is enabled (it is on by default for Exchange Online tenants), review the logs to identify which mailboxes were accessed, or had access attempts made, without authorization. Email account compromise is frequently a precursor to ransomware.

Efforts to recover these accounts should also include analyzing any suspicious activity (such as attempts to elevate privileges, create new rules or users, or move laterally) that could indicate broader network compromise.
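The following is an added example, not part of the NJCCIC post, that carries the recovery steps above through for one Microsoft 365 account: contain the account and revoke tokens, reset the password, disable attacker-created inbox rules and mailbox forwarding, list the registered MFA methods, and pull the audit-log, sign-in, and message-trace records needed to scope the compromise. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the operator holds Exchange Administrator and User Administrator (or higher) roles, and that the user principal name passed in $Upn is a placeholder. The cmdlets are the real module cmdlets; the ordering and the rule-filter heuristics are the editor's.

```powershell
# Added example (not from the NJCCIC post): first-response steps for one
# Microsoft 365 account whose password was entered into a phishing form.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules and an operator
# with Exchange Administrator and User Administrator roles. $Upn is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. 'jdoe@contoso.com' (placeholder)
    [int] $LookbackDays = 30                 # audit-log window to review
)

$scopes = @(
    'User.ReadWrite.All', 'User.RevokeSessions.All',
    'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'
)
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes $scopes

# 1. Contain: block new sign-ins, then invalidate every refresh token and
#    session so whatever the attacker already holds stops working.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Reset the password to a random value the user must change at next sign-in.
#    Hand it over out of band (phone or in person), never by email.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Inbox rules: anything that forwards, redirects, deletes, moves or silently
#    marks mail as read is suspect (attackers hide replies this way). Disable,
#    don't remove, so the rule definition survives as evidence.
$suspectRules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MarkAsRead -or $_.MoveToFolder
}
foreach ($rule in $suspectRules) {
    "Disabling rule '$($rule.Name)': $($rule.Description)"
    Disable-InboxRule -Identity $rule.Identity -Mailbox $Upn -Confirm:$false
}

# 4. Mailbox-level forwarding is configured separately from inbox rules and is
#    easy to miss when only Get-InboxRule is reviewed.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    "Clearing mailbox forwarding: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false
}

# 5. MFA: list registered methods so an attacker-added phone or authenticator
#    stands out and a phishing-resistant method can be confirmed or required.
Get-MgUserAuthenticationMethod -UserId $Upn |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] }

# 6. Scope: who changed the mailbox configuration, from which IP, and what was
#    read or sent. MailItemsAccessed requires Purview Audit (Premium) licensing.
$start = (Get-Date).AddDays(-$LookbackDays)
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
       'Add-MailboxPermission', 'MailItemsAccessed', 'Send'
Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -UserIds $Upn `
    -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time = $_.CreationDate; Op = $_.Operations; ClientIP = $d.ClientIP
            Detail = ($d.Parameters.Value -join ' ')
        }
    } | Format-Table -AutoSize

# Entra sign-in records give the attacker's IPs and client apps to hunt for
# across other accounts; outbound message trace (classic cmdlet, last 10 days
# only) lists recipients who must be warned about mail sent during the compromise.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 100 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
        @{n = 'Country'; e = { $_.Location.CountryOrRegion }},
        @{n = 'Error';   e = { $_.Status.ErrorCode }}
Get-MessageTrace -SenderAddress $Upn -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Select-Object Received, RecipientAddress, Subject, Status

# Re-enable only after the user has the new password and MFA has been verified:
#   Update-MgUser -UserId $Upn -AccountEnabled:$true
```

The order matters: disabling the account and revoking sessions before the password reset closes the window in which an attacker holding a valid refresh token could keep a session alive through the reset. The Where-Object filter in step 3 is deliberately broad; a legitimate "move newsletters to a folder" rule will be flagged, so review the printed Description before treating every hit as malicious.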

Review the Trustwave blog post detailing a new technique used by Tycoon2FA to compromise Microsoft 365 accounts.