This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
A vulnerability has been discovered in SAP NetWeaver Visual Composer, which could allow for remote code execution. SAP NetWeaver Visual Composer is SAP’s web-based software modelling tool. It enables business process specialists and developers to create business application components, without coding. Successful exploitation of this vulnerability could allow for remote code execution in the context of the system.
Threat Intelligence: ReliaQuest and watchTowr confirmed CVE-2025-31324 is being actively exploited in the wild.
System Affected
VCFRAMEWORK version 7.50
Risk:
Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home Users: Low
Recommendations
Apply appropriate updates provided by SAP to vulnerable systems immediately after appropriate testing.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
Apple is aware of a report that these vulnerabilities may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
SYSTEMS AFFECTED:
Versions prior to iOS 18.4.1 and iPadOS 18.4.1
Versions prior to visionOS 2.4.1
Versions prior to tvOS 18.4.1
Versions prior to macOS Sequoia 15.4.1
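The "Systems Affected" list above is phrased as "versions prior to X", so an inventory check has to compare dotted version numbers correctly rather than as strings (for example "18.4" must sort before "18.4.1"). The following Python is an added example, not part of the advisory: it copies the fixed versions from the list above into a table and triages a constructed inventory (the hostnames and versions are made up for illustration).

```python
"""Flag Apple devices whose OS version is older than the fixed versions the advisory lists."""
import re

# Fixed versions copied from the advisory's "Systems Affected" list; anything older is affected.
FIXED_VERSIONS = {
    "iOS": "18.4.1",
    "iPadOS": "18.4.1",
    "visionOS": "2.4.1",
    "tvOS": "18.4.1",
    "macOS": "15.4.1",
}

# Constructed inventory rows (hostname, platform, reported version); not real assets.
SAMPLE_INVENTORY = [
    ("mbp-finance-01", "macOS", "15.4.1"),
    ("mbp-legal-02", "macOS", "Sequoia 15.3.2"),
    ("iphone-ceo", "iOS", "18.4"),
    ("ipad-kiosk-7", "iPadOS", "17.7.5"),
    ("appletv-lobby", "tvOS", "18.5"),
    ("vision-lab-1", "visionOS", "2.4.1"),
]


def parse_version(text):
    """Extract the dotted numeric version from a string such as 'Sequoia 15.3.2' or '18.4'
    and return a 3-tuple of ints, padding missing components with 0 so that
    '18.4' compares lower than '18.4.1'."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(platform, installed):
    """True if the installed version is older than the fixed version for that platform."""
    if platform not in FIXED_VERSIONS:
        raise KeyError(f"platform {platform!r} is not covered by this advisory")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[platform])


def triage(inventory):
    """Return the hostnames (in input order) that still need the update."""
    return [host for host, platform, version in inventory if is_vulnerable(platform, version)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("UPDATE NEEDED:", host)
```

The iPad on 17.7.5 is flagged because the advisory wording covers every version prior to 18.4.1; whether an older major branch received a separate fix is not stated on this page, so confirm against Apple's release notes before closing such a finding.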
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
Technique: Exploitation for Client Execution (T1203):
Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. (CVE-2025-31200)
An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. (CVE-2025-31201)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Over the past several weeks, the NJCCIC received reports of unauthorized account access facilitated by phishing campaigns. While the targeted accounts varied, the images in this post originate from a campaign that aims to access users’ Microsoft 365 accounts and uses tactics and techniques similar to other phishing campaigns. The initial phishing email typically directs the user to click on a link to view a message or document. Cybercriminals often give the document a name to feign the sensitivity or urgency of the document’s content. If clicked, the link will likely lead to a fraudulent login page, as noted in Image 1.
Image 1
Once an email address or username is submitted, the user will be prompted to provide their password. In Image 2 below, the prompt states that the user is being asked to verify their password because of the sensitivity of the information they are accessing, which is an attempt to decrease the user’s suspicions.
Image 2
Once the password is submitted, the user is often prompted to reenter it as if they submitted it incorrectly, as noted in Image 3. This tactic is likely used to ensure that the user entered their correct password into the form.
Image 3
After submitting the password a second time, the user is redirected to the Microsoft 365 Service Status webpage to appear as though the user was successfully logged in, as noted in Image 4. In other campaigns, the user may be redirected to the official Microsoft 365 login page, and they may assume this occurred because they entered their login information incorrectly.
Image 4
Recommendations
Refrain from clicking links or opening attachments delivered in suspicious or unexpected emails, even from known senders, and only submit account credentials on official websites. If you are unsure of the email’s legitimacy, contact the sender via a separate means of communication – such as by telephone – obtained from trusted sources before taking action. If a password is entered into a fraudulent login form, revoke active session tokens, immediately change the user’s password, and ensure multi-factor authentication is enabled, choosing a more secure method (authentication app, biometric, or hardware token) where available. Additionally, remove any unauthorized auto-forward, auto-delete, or reply-to rules created for compromised email accounts.
Organizations that identify compromised accounts on their networks are encouraged to lock the users’ accounts, identify any malicious emails sent during the compromise, and notify recipients.
If mailbox auditing is enabled, review the logs to identify which mailboxes were accessed or had access attempts made without authorization. Email account compromises typically precede ransomware infections.
Efforts to recover these accounts should also include analyzing any suspicious activity (such as attempts to elevate privileges, create new rules or users, or move laterally) that could indicate broader network compromise.
Review the Trustwave blog post detailing a new technique used by Tycoon2FA to compromise Microsoft 365 accounts.
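The recovery steps above (remove unauthorized auto-forward or auto-delete rules, review mailbox audit logs for unauthorized access) can be turned into a first-pass triage over exported audit records. The Python below is an added example and not NJCCIC tooling: it runs over a small set of constructed records shaped like simplified Microsoft 365 unified audit log entries (operation names such as New-InboxRule, Set-InboxRule and UserLoggedIn are real audit operations; the users, addresses and rule contents are made up), and reports rules that forward or hide mail together with logins from addresses not on an allowlist the caller supplies.

```python
"""Triage constructed mailbox-audit records for post-compromise signs the post lists:
auto-forward / auto-delete inbox rules and logins from unfamiliar addresses."""
from collections import defaultdict

# Inbox-rule parameters that divert mail elsewhere or make it disappear.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders commonly used to hide mail from the mailbox owner.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Junk Email", "Conversation History"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample records (simplified shape, not real log data).
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "UserId": "a.user@example.org", "ClientIP": "203.0.113.7", "Parameters": {}},
    {"Operation": "New-InboxRule", "UserId": "a.user@example.org", "ClientIP": "203.0.113.7",
     "Parameters": {"Name": ".", "ForwardTo": "drop@example.net", "DeleteMessage": "True"}},
    {"Operation": "UserLoggedIn", "UserId": "b.user@example.org", "ClientIP": "198.51.100.4", "Parameters": {}},
    {"Operation": "New-InboxRule", "UserId": "b.user@example.org", "ClientIP": "198.51.100.4",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Archive"}},
    {"Operation": "Set-InboxRule", "UserId": "c.user@example.org", "ClientIP": "203.0.113.7",
     "Parameters": {"Name": "RSS", "MoveToFolder": "RSS Feeds", "SubjectContainsWords": "invoice;password"}},
]
# Constructed allowlist of addresses the organisation expects logins from.
KNOWN_IPS = {"198.51.100.4"}


def rule_findings(record):
    """Return the reasons one rule / mailbox-change record looks like persistence."""
    params = record.get("Parameters", {})
    reasons = []
    for p in sorted(FORWARDING_PARAMS & params.keys()):
        reasons.append(f"{p} -> {params[p]}")
    if params.get("ForwardingSmtpAddress"):
        reasons.append(f"mailbox-level forwarding -> {params['ForwardingSmtpAddress']}")
    if str(params.get("DeleteMessage", "")).lower() == "true":
        reasons.append("rule deletes matching mail")
    if params.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in '{params['MoveToFolder']}'")
    name = str(params.get("Name", ""))
    # Attackers often give rules a near-empty name so they are overlooked in the rule list.
    if record["Operation"] != "Set-Mailbox" and len(name.strip()) <= 2:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def triage(records, known_ips):
    """Map each user to a list of findings; users with nothing suspicious are omitted."""
    findings = defaultdict(list)
    for r in records:
        op = r["Operation"]
        if op == "UserLoggedIn" and r.get("ClientIP") not in known_ips:
            findings[r["UserId"]].append(f"login from unfamiliar address {r['ClientIP']}")
        elif op in RULE_OPERATIONS:
            for reason in rule_findings(r):
                findings[r["UserId"]].append(f"{op}: {reason}")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_RECORDS, KNOWN_IPS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

A rule that merely files newsletters into an Archive folder produces no finding, which is the point of keying on forwarding, deletion and the specific hiding folders rather than on rule creation itself; a login from an unlisted address is reported on its own so that a rule created during that session can be correlated by hand.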
RECOMMENDATIONS: We recommend the following actions be taken:
Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
NIST is pleased to announce the release of the Privacy Framework 1.1 Initial Public Draft (IPD)! The NIST Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. This update builds on the success of Privacy Framework 1.0 by responding to current privacy risk management needs, realigning with NIST Cybersecurity Framework (CSF) 2.0, and enhancing usability.
The following resources are included with the Privacy Framework 1.1 IPD release:
NIST welcomes stakeholder feedback on the Privacy Framework 1.1 IPD by June 13, 2025. For more information, including a comment template and instructions for submitting feedback, please click the button below.
To receive periodic updates and hear about other opportunities to engage, subscribe to our Privacy Engineering mailing list. If you have questions, please contact us at privacyframework@nist.gov.
Adapt your skills and master the tools you’ll need to thrive in an AI-powered world at a free Microsoft Power Platform Virtual Training Day from Microsoft Learn. Join us at Create Agents in Microsoft Copilot Studio to design conversational apps using AI.
Discover how to build custom agents, manage topics and trigger phrases, configure nodes, and control variables and entities. Additionally, you’ll learn how to work with generative AI and collect data from sources like Microsoft Dataverse to configure and publish agents across multiple channels, including Microsoft Teams. Plus, gain insights to enhance productivity and efficiency while building your own agent experiences using Copilot Studio.
You’ll have the opportunity to: Explore how to build intelligent, conversational apps based on generative AI and large language models (LLMs). Learn the basic principles of developing and customizing topics and trigger phrases to guide conversations.
Find out how to create agents for Microsoft Copilot to address specific business needs. Discover how to pull data from multiple sources via Dataverse to boost agent performance.
Explore how AI and LLMs help boost productivity and increase collaboration through solutions like Microsoft 365 and Microsoft Teams.
Chat with Microsoft experts—ask questions and get answers to help you build agents.
Join us at an upcoming Create Agents in Microsoft Copilot Studio event: April 28, 2025
11:00 AM – 1:30 PM | (GMT-05:00) Central Time US & Canada
12:00 PM – 2:30 PM | (GMT-04:00) Eastern Time US & Canada
10:00 AM – 12:30 PM | (GMT-06:00) Mountain Time US & Canada
9:00 AM – 11:30 AM | (GMT-07:00) Pacific Time US & Canada
Delivery Language: English Closed Captioning Language(s): English
Let’s unlock the future together with 50 days of AI discovery and learning—and let’s attempt to set a world record at the same time!
*Updated as of March 28, 2025
The best way to learn something new is by taking it one step at a time. We know all this talk of AI can be overwhelming, so how about we take it one skill at a time? At Microsoft, our mission has always been to create technology that empowers others to innovate and solve real-world problems. And it’s no different with AI—we want to help you learn to use this powerful technology to make your life easier, especially as it becomes an integral part of our daily lives. Sometimes, starting is the hardest part, so we want to make that part simple for you.
This is why we’re excited to announce the Microsoft AI Skills Fest, a global event this April and May, designed to bring learners across the globe together to build their AI skills, from beginner explorers to the technologically gifted. Together, we can learn a new AI skill and maybe even set a groundbreaking record at the same time!
Everyone everywhere is invited
The AI Skills Fest is designed with you in mind, offering a wide variety of AI training for everyone, regardless of background or expertise. Join us to build your AI skills and unlock new opportunities for productivity, innovation, and growth.
Tech professionals. Learn how to quickly build AI-powered solutions using Microsoft’s AI apps and services. Gain skills and experience working with agents, AI security, Azure AI Foundry, GitHub Copilot, Microsoft Fabric, and more.
Business professionals. Find out how much easier your work life can be when you use Microsoft Copilot to simplify tasks and let your creativity loose!
Students. Explore technical skills to bring your ideas to life, with AI learning experiences for all skill levels and interests.
Business leaders. Empower your teams with AI skills for future success through curated upskilling opportunities.
Let’s earn a GUINNESS WORLD RECORDS™ title together on April 8, 2025!
The Microsoft AI Skills Fest will begin with a spectacular Kickoff Celebration on April 8, 2025. Starting in Australia at 9 AM Australian Eastern Standard Time and wrapping up in the United States at 4 PM Pacific Daylight Time, this 24-hour, globe-spanning event will feature a variety of AI learning activities designed to engage and inspire learners of all experience levels.
Together, we’ll have a once-in-a-lifetime opportunity to attempt a GUINNESS WORLD RECORDS™ title for most users to take an online multi-level artificial intelligence lesson in 24 hours. Don’t miss this unique chance to learn, compete, and celebrate your achievements—and to be part of these unprecedented and record-setting global festivities.
We’re excited to invite you to our upcoming Microsoft 365 Copilot QuickStart Training for nonprofits.
This beginner-friendly session will help you start using Microsoft 365 Copilot as your own AI assistant and unleash the power of AI in your daily tasks. We’ll cover the basics of Copilot, the art of ‘Prompting’ for the best results, and provide hands-on demos to show how you can use Copilot.
Select sessions are available in English, French, German, and Spanish.
Date: April 24, 2025
Time: 9:00 AM–11:30 AM PST
Register here
You can view the full calendar of sessions and register here. Even if you don’t have a Copilot license yet, you can still watch the demos and try the exercises once you receive your license. Share this invitation with your colleagues and friends to invite them to join.
Threat actors can use phone numbers obtained from past data breaches and public records to randomly call or send messages claiming to be a member of a loan processing team and providing a loan offer that appears too good to be true. They may provide vague details, impose urgent demands, or require advanced fees of a purported loan offer with the intent of stealing personally identifiable information (PII) and financial information, including Social Security numbers and bank account numbers.
The NJCCIC received reports of an advanced fee loan scam in which threat actors posed as lenders, guaranteed the loan approval without official credit checks, offered low rates or fees, and asked for money upfront. The victims submitted a supposed loan application and paid a deposit via peer-to-peer money transfer platforms typically used with these scams. The deposits were nominal due to a false claim of a low credit score or based on a percentage of the fake loan amount. In one scam, the victim applied for a loan and paid a $1,350 deposit via Zelle. In another scam, the victim was offered a several million-dollar loan with a reasonable rate and a four percent deposit. Once the victims paid the deposits, the so-called lenders stole their information and funds and never responded to the victims’ subsequent inquiries. Threat actors can use this stolen information to impersonate victims, apply for loans or lines of credit, access bank accounts, and steal additional funds.
Threat actors typically initiate their cyberattacks by performing reconnaissance against an organization’s people, processes, and technology. They primarily seek to exploit vulnerabilities in people and software to gain initial access. The threat actors then attempt to access internal systems. VPNs and firewalls are often targeted by threat actors as they serve as primary gateways to these internal systems and networks and provide remote access to organizations. Successful cyberattacks can have cascading impacts, including operational disruptions, financial losses, and the loss of confidentiality, integrity, and availability of data and information systems.
Credentials (usernames and passwords) provide a way to authenticate users and control access to online accounts, email systems, network resources, and more. Threat actors attempt to harvest or steal these credentials and gain initial access primarily through phishing and other methods, such as keylogging malware, brute force attacks, man-in-the-middle (MITM) attacks, and credential stuffing attacks. The convenient practice of password reuse across multiple accounts is risky behavior that can result in account compromises. Credential harvesting and password reuse allow threat actors to easily compromise accounts, escalate privileges, exploit vulnerabilities, move laterally within a network, deploy malware, and access data. As highlighted by recent Medusa and Hellcat ransomware attacks, users are advised to activate MFA for all accounts and services, including email and VPNs.
Threat actors also attempt to exploit software vulnerabilities, especially in VPNs and firewalls and other edge devices, to infiltrate systems and networks. Multiple security advisories were issued during the first quarter of 2025, including the Ivanti Connect Secure, Policy Secure, and ZTA Gateways remote code execution vulnerability, the Cisco Meraki MX and Z Series AnyConnect VPN denial of service vulnerability, the Fortinet unverified password change vulnerability, and the OpenVPN denial of service vulnerability. Additionally, at least five VPN services have been linked to a sanctioned Chinese firm, inadvertently impacting millions of free VPN users in the United States. There was also a significant surge in Palo Alto Networks scanner activity, suggesting a coordinated effort to test network defenses and exploit vulnerable systems. Furthermore, threat actors exploited two Fortinet vulnerabilities in Fortigate firewall appliances that led to a series of intrusions deploying the SuperBlack ransomware variant.
The combination of weak credentials without MFA and unpatched or misconfigured systems creates a ticking timebomb for organizations to have threat actors compromise accounts and infiltrate perimeter security devices, resulting in cyber incidents such as ransomware and large-scale attacks.
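The credential-harvesting methods named above leave different traces on a VPN gateway or firewall: credential stuffing tries many harvested username/password pairs from one source, while brute force hammers one account, and a success that follows a stuffing burst is the signature of password reuse. The Python below is an added example, not NJCCIC tooling: it classifies failed-authentication bursts in constructed log lines (the gateway log format, addresses and usernames are made up for illustration) using a per-source sliding window.

```python
"""Classify failed-authentication bursts in constructed gateway log lines as credential
stuffing (many usernames, one source) or brute force (one username, many tries), and flag
a success that follows a stuffing burst."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical gateway format; not from any real product.
SAMPLE_LOG = """\
2025-04-21T10:00:01 vpn-gw auth-fail user=alice src=203.0.113.9
2025-04-21T10:00:03 vpn-gw auth-fail user=bob src=203.0.113.9
2025-04-21T10:00:05 vpn-gw auth-fail user=carol src=203.0.113.9
2025-04-21T10:00:07 vpn-gw auth-fail user=dave src=203.0.113.9
2025-04-21T10:00:09 vpn-gw auth-fail user=erin src=203.0.113.9
2025-04-21T10:00:12 vpn-gw auth-ok user=frank src=203.0.113.9
2025-04-21T10:01:00 vpn-gw auth-fail user=admin src=198.51.100.23
2025-04-21T10:01:02 vpn-gw auth-fail user=admin src=198.51.100.23
2025-04-21T10:01:04 vpn-gw auth-fail user=admin src=198.51.100.23
2025-04-21T10:01:06 vpn-gw auth-fail user=admin src=198.51.100.23
2025-04-21T10:01:08 vpn-gw auth-fail user=admin src=198.51.100.23
2025-04-21T10:05:00 vpn-gw auth-fail user=grace src=192.0.2.5
2025-04-21T10:05:30 vpn-gw auth-ok user=grace src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth-(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def classify(lines, window=timedelta(seconds=60), min_failures=5):
    """Return {(src, kind): detail} with kind in
    {'credential_stuffing', 'brute_force', 'success_after_stuffing'}; one alert per source and kind."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still inside the window
    alerts = {}
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if e["result"] == "fail":
            q.append((e["ts"], e["user"]))
            if len(q) >= min_failures:
                users = {u for _, u in q}
                if len(users) == 1:
                    alerts.setdefault((e["src"], "brute_force"),
                                      f"{len(q)} failures for {next(iter(users))!r}")
                elif len(users) >= 0.8 * len(q):  # almost every failure is a different account
                    alerts.setdefault((e["src"], "credential_stuffing"),
                                      f"{len(users)} distinct usernames in {len(q)} failures")
        elif (e["src"], "credential_stuffing") in alerts:
            alerts.setdefault((e["src"], "success_after_stuffing"),
                              f"login succeeded for {e['user']!r} after a stuffing burst")
    return alerts


if __name__ == "__main__":
    for (src, kind), detail in classify(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {kind}: {detail}")
```

The thresholds (five failures in sixty seconds, 80 % distinct usernames) are illustrative and should be tuned to the gateway's normal traffic; the success-after-stuffing alert is the one to act on first, since it identifies the account whose reused password was accepted and whose session tokens need revoking.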
Recommendations
Participate in security awareness training to help better understand cyber threats, provide a strong line of defense, and identify red flags in potentially malicious communications.
Use strong, unique passwords and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
Keep systems up to date and apply patches after appropriate testing.
Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware.
Enforce the Principle of Least Privilege, disable unused ports and services, and use web application firewalls (WAFs).
Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools.
Encrypt sensitive data at rest and in transit.
Establish a comprehensive data backup plan that includes performing scheduled backups regularly, keeping an updated copy offline in a separate and secure location, and testing regularly.