NIST Launches Development of Cryptographic Accordions

A cryptographic accordion is a tweakable block cipher mode that itself behaves as a single tweakable, length-preserving cipher on variable-length input: every bit of the output depends on every bit of the input and on the tweak, so there is no per-block structure for an attacker to exploit. NIST proposes to develop three general-purpose accordions:

  • Acc128 to support typical usage (birthday bounds) with the Advanced Encryption Standard (AES)
  • Acc256 to support typical usage with a 256-bit block cipher (possibly Rijndael-256)
  • BBBAcc to support extended usage (beyond-birthday-bound) with AES

In particular, NIST proposes to develop variants of the HCTR2 technique for these accordions.
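The HCTR2 structure the proposal builds on, shown as an added example that is not NIST's text and not the HCTR2 reference code: a pure-Python toy that keeps the hash, encrypt, XCTR, hash shape of HCTR2 but swaps AES for a throwaway HMAC-SHA256 Feistel cipher and uses its own (not bit-exact) length-prefixed polynomial hash over GF(2^128). It therefore reproduces no HCTR2 test vectors and must not be used on real data; the key, tweak and message below are constructed for the demonstration. What it does show is the accordion property: the output is the same length as the input, the tweak changes everything, and flipping one ciphertext bit anywhere scrambles the whole plaintext on decryption, unlike CTR or XTS where the damage stays local.

```python
import hashlib
import hmac

BLOCK = 16                       # 128-bit block, the Acc128 / AES case
GF128_POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, i, half):
    # PRF for the toy Feistel block cipher; a stand-in for AES, not for real use.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key, block, rounds=8):
    l, r = block[:8], block[8:]
    for i in range(rounds):
        l, r = r, xor(l, _round_fn(key, i, r))
    return l + r


def toy_block_decrypt(key, block, rounds=8):
    l, r = block[:8], block[8:]
    for i in reversed(range(rounds)):
        l, r = xor(r, _round_fn(key, i, l)), l
    return l + r


def gf128_mul(a, b):
    # Carry-less multiply with reduction; bit i of an int is the coefficient of x^i.
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= GF128_POLY
    return r


def polyhash(h, tweak, data):
    # Length-prefixed polynomial hash in Horner form (toy encoding, not HCTR2's).
    msg = len(tweak).to_bytes(8, "big") + len(data).to_bytes(8, "big") + tweak + data
    msg += b"\x00" * (-len(msg) % BLOCK)
    acc = 0
    for i in range(0, len(msg), BLOCK):
        acc = gf128_mul(acc ^ int.from_bytes(msg[i:i + BLOCK], "big"), h)
    return acc.to_bytes(BLOCK, "big")


def xctr(key, s, nbytes):
    # XCTR: keystream block i is E_K(S xor i) for i = 1, 2, ...
    out, i = b"", 1
    while len(out) < nbytes:
        out += toy_block_encrypt(key, xor(s, i.to_bytes(BLOCK, "big")))
        i += 1
    return out[:nbytes]


def _derive(key):
    h = int.from_bytes(toy_block_encrypt(key, bytes(BLOCK)), "big")      # hash key
    big_l = toy_block_encrypt(key, (1).to_bytes(BLOCK, "big"))           # L constant
    return h, big_l


def accordion_encrypt(key, tweak, msg):
    if len(msg) < BLOCK:
        raise ValueError("message must be at least one block")
    h, big_l = _derive(key)
    m, n = msg[:BLOCK], msg[BLOCK:]          # first block, remaining bytes
    mm = xor(m, polyhash(h, tweak, n))       # hash the tail into the head
    uu = toy_block_encrypt(key, mm)          # one block-cipher call
    s = xor(xor(mm, uu), big_l)              # XCTR seed depends on the whole message
    v = xor(n, xctr(key, s, len(n)))         # encrypt the tail
    u = xor(uu, polyhash(h, tweak, v))       # hash the encrypted tail into the head
    return u + v


def accordion_decrypt(key, tweak, ct):
    if len(ct) < BLOCK:
        raise ValueError("ciphertext must be at least one block")
    h, big_l = _derive(key)
    u, v = ct[:BLOCK], ct[BLOCK:]
    uu = xor(u, polyhash(h, tweak, v))
    mm = toy_block_decrypt(key, uu)
    s = xor(xor(mm, uu), big_l)
    n = xor(v, xctr(key, s, len(v)))
    m = xor(mm, polyhash(h, tweak, n))
    return m + n


def differing_bits(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key, tweak = bytes(range(16)), b"sector-0042"          # constructed inputs
    msg = b"The quick brown fox jumps over the lazy dog"
    ct = accordion_encrypt(key, tweak, msg)
    assert accordion_decrypt(key, tweak, ct) == msg
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])           # flip the last ciphertext bit
    garbled = accordion_decrypt(key, tweak, tampered)
    print(len(ct), "bytes;", differing_bits(msg, garbled), "of", 8 * len(msg), "plaintext bits changed")
```

The two polyhash calls are what make the mode an accordion rather than a stream cipher: the tail is hashed into the head before the block-cipher call and the encrypted tail is hashed back in afterwards, so a change to any ciphertext byte reaches the block-cipher input, the XCTR seed, and hence every plaintext byte. The 16-byte minimum is the same as HCTR2's; anything shorter needs a different (format-preserving) construction.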

NIST invites public comments through August 6, 2025. Please submit them to ciphermodes@nist.gov with the subject line “Comments on Accordion Development.” Comments received in response to this request will be posted on the publication page for a future NIST Special Publication (SP) 800-197A. Submitters’ names and affiliations (when provided) will be included, though contact information will be removed.


Cyber Criminal Services Target End-of-Life Routers to Launch Attacks and Hide Their Activities

The Federal Bureau of Investigation (FBI) released this FBI Liaison Alert System (FLASH) to disseminate indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with malware used by the 5Socks and Anyproxy cyber criminal proxy services, which targets end-of-life (EOL) routers.
Threat actors exploit known vulnerabilities to compromise EOL routers, install malware, and use the routers in a botnet they control to launch coordinated attacks or sell access to the devices as proxy services. The FBI recommends users replace compromised devices with newer models or prevent infection by disabling remote administration and rebooting the router.
This FBI FLASH provides technical details, IOCs, recommended mitigations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

The Latest Wave of GuLoader Campaigns

Since 2019, GuLoader has been active as a downloader, spreading through spam campaigns with malicious attachments. To evade detection, it downloads encrypted payloads typically from genuine file-sharing websites, such as Google Drive or Microsoft OneDrive. Once installed, the malware attempts to establish persistence by modifying system settings, creating registry entries, and adding itself to startup items.
Since the beginning of 2025, the NJCCIC’s email security solution has observed multiple GuLoader campaigns alternately delivering Snake Keylogger and Remcos remote access tool (RAT) to gain remote access, exfiltrate data, and deploy ransomware. The latest wave of GuLoader campaigns delivers Remcos RAT. It incorporates various themes such as new orders, quotations, purchase orders, invoices, product inquiries, scheduled shipments, packages out for delivery, and updated statements of accounts. These messages contain attached SCR, RAR, ZIP, or ARJ compressed executables that leverage GuLoader to download and install Remcos RAT. Once installed, Remcos RAT logs keystrokes online and offline, captures video and pictures via camera and microphone, and more.
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders. Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources. Navigate to official websites by typing official website URLs into browsers manually and only submit account credentials and sensitive information on official websites. Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Run updated and reputable anti-virus or anti-malware programs. Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.

Uptick in Employment Scams

The NJCCIC observed an uptick in employment scams that target and exploit individuals seeking employment. Threat actors first perform reconnaissance on their targets, gathering information from various sources, such as past data breaches, publicly disclosed data, social media profiles, and data purchased on the dark web. They communicate with their targets via emails, text messages, WhatsApp, or Telegram to initiate conversations about purported job opportunities created from legitimate job postings. They may also create and post fraudulent job postings or profiles through trusted professional online employment boards and websites, such as LinkedIn, CareerBuilder, Indeed, and Monster, or via social media platforms like Facebook. They typically impersonate legitimate employers and recruiters and spoof legitimate domains. The threat actors express interest in the target’s compatibility for a vacant position and attempt to ascertain the target’s willingness to explore the opportunity further.
The NJCCIC’s email security solution detected an employment scam in which threat actors use the legitimate Xero platform to create a trial organization and quickly send large amounts of spam email before the organization is detected and shut down. In the observed campaign, the threat actors impersonate Coca-Cola and incorporate its branding. The email contains a link with the Coca-Cola name in the URL, but it does not direct to Coca-Cola’s official website. Instead, it directs the target to a malicious website that prompts them to update their browser. If the update is clicked and installed, sensitive information and devices may be at risk.
Threat actors also impersonate legitimate employers and recruiters through multiple random text messages in the hope that their target is an interested job seeker. In the observed campaign, the text message outlines the position’s benefits, including remote work, flexible hours, and a potential average daily pay ranging from $300 to $900 or more. To avoid detection, they often request to continue the conversation on a chat platform like WhatsApp or Telegram. Legitimate employers do not typically request that applicants communicate or send information through instant messaging platforms.
The NJCCIC also received multiple reports of threat actors creating fake profiles on LinkedIn, impersonating employers and recruiters, and sending direct messages to potential victims regarding fraudulent job postings. The messages request interested targets to provide their email addresses and resumes. If there is no response, the threat actors sometimes attempt to contact their targets via email and phone.
Once contact with a target in these employment scams is established, the threat actors often request information as part of the application process or job offer. They intend to steal personally identifiable information (PII) or monetary funds, potentially committing identity theft and launching other cyberattacks. They may conduct fake online interviews to inquire about work experience, salary expectations, and other typical employment concerns. Threat actors may ask for personal information or request their target to pay processing or application fees, training, or background checks. They may also send fraudulent invoices for equipment, with instructions to pay using cash, Zelle, or PayPal and a promise of reimbursement. In some instances, they also partake in fraudulent check scams via mail to cover all or a portion of the job-related fees or expenses. Until the fraudulent check supposedly clears, threat actors pressure their targets to start the job immediately and insist they front the money, resulting in monetary losses.
Key suspicious indicators of employment scams include vagueness from the purported employer or recruiter about the position, the job sounding “too good to be true,” and upfront requests for personal and financial information, such as a Social Security number, a driver’s license number, or banking information for direct deposits. Threat actors may also create urgency to respond or accept a job offer. Use of unofficial communication methods, including personal email accounts, non-company email domains, teleconferencing applications, and apps like WhatsApp, Telegram, Signal, or Wire, is also a red flag.
Besides targeting job seekers, threat actors also target corporate human resources departments and recruiters to steal account credentials and funds. They abuse legitimate message services and job platforms to apply for real jobs. Researchers discovered the financially motivated Venom Spider threat group sending spearphishing emails to the hiring manager or recruiter. These emails contain links directing them to download the purported resume from an external website. The threat actors insert a CAPTCHA box to create legitimacy and bypass security controls. They then drop a backdoor called More_eggs and use server polymorphism to deliver the payloads and evade detection and analysis.
Recommendations
Refrain from clicking links and opening attachments from unknown senders, and exercise caution with communications from known senders. Examine potential offers by contacting the company’s human resources department directly via official contact information and researching potential employers online to determine if others have reported a scam. Navigate to websites directly for authentic job postings by manually typing the URL into a browser instead of clicking on links delivered in communications to ensure the visited websites are legitimate. Refrain from contacting or clicking on unknown telephone numbers found in unsolicited messages or pop-up notifications. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Review additional information on job scams on the FTC’s website. Report malicious cyber activity to the FTC, the FBI’s IC3, and the NJCCIC. If victimized, report the scam directly to the respective employer or employment listing service. If PII compromise is suspected or detected, contact your local law enforcement department and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.

Critical Patches Issued for Microsoft Products, May 13, 2025 – PATCH NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
Microsoft’s release notes report that several of these vulnerabilities were being exploited in the wild at the time of release, including elevation-of-privilege flaws in the Windows Common Log File System driver, the Windows DWM core library, and the Ancillary Function Driver for WinSock, and a memory-corruption flaw in the Microsoft Scripting Engine. See the MSRC release note in the References section for the specific CVE identifiers and their exploitation status.

SYSTEMS AFFECTED:

  • Visual Studio Code
  • Windows Kernel
  • .NET, Visual Studio, and Build Tools for Visual Studio
  • Remote Desktop Gateway Service
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Windows Secure Kernel Mode
  • Windows Hardware Lab Kit
  • Azure DevOps
  • Microsoft Edge (Chromium-based)
  • Microsoft Dataverse
  • Azure Automation
  • Windows Trusted Runtime Interface Driver
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Virtual Machine Bus
  • Windows Installer
  • Windows Drivers
  • Windows File Server
  • Windows Media
  • Universal Print Management Service
  • UrlMon
  • Windows LDAP – Lightweight Directory Access Protocol
  • Role: Windows Hyper-V
  • Windows SMB
  • Windows Deployment Services
  • Windows Remote Desktop
  • Active Directory Certificate Services (AD CS)
  • Windows Fundamentals
  • Microsoft Brokering File System
  • Web Threat Defense (WTD.sys)
  • Azure Storage Resource Provider
  • Azure File Sync
  • Microsoft PC Manager
  • Microsoft Office SharePoint
  • Microsoft Office Excel
  • Microsoft Office PowerPoint
  • Microsoft Office
  • Windows Common Log File System Driver
  • Azure
  • Windows Win32K – GRFX
  • Microsoft Scripting Engine
  • Windows DWM
  • Visual Studio
  • Microsoft Office Outlook
  • Windows NTFS
  • Windows Ancillary Function Driver for WinSock
  • Microsoft Power Apps

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
       
  • Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
       
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:

https://msrc.microsoft.com/update-guide/releaseNote/2025-May

https://msrc.microsoft.com/update-guide

Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution on the affected appliance. Depending on the privileges of the compromised account or process, threat actors could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems configured with fewer user rights could be less impacted than those running with administrative rights.
Threat Intelligence
Fortinet has observed exploitation of CVE-2025-32756 in the wild on FortiVoice. CVE-2025-32756 (FG-IR-25-254) is a stack-based buffer overflow in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera that a remote, unauthenticated attacker can trigger with specially crafted HTTP requests.
Systems Affected
The version ranges below are the union of the Fortinet PSIRT advisories listed in the References section; overlapping ranges for the same product (for example, FortiAnalyzer 6.4.0 through 6.4.14 and 6.4.14 through 6.4.15) come from different advisories.

  • FortiADC 7.2.0 through 7.2.6; 7.4.0 through 7.4.4; 7.6.1
  • FortiADCManager 7.6.0
  • FortiAIOps 2.0.0 through 2.0.1
  • FortiAnalyzer 6.2.0 through 6.2.11; 6.4.0 through 6.4.14; 6.4.14 through 6.4.15; 7.0.0 through 7.0.13; 7.2.0 through 7.2.10; 7.4.0 through 7.4.3; 7.4.2; 7.4.3 through 7.4.6; 7.6.0 through 7.6.2
  • FortiAnalyzer-BigData 6.2 all versions; 6.4 all versions; 7.0 all versions; 7.2.0 through 7.2.5; 7.4.0
  • FortiAuthenticator 6.6.0 through 6.6.1
  • FortiCamera 1.1 all versions; 2.0 all versions; 2.1.0 through 2.1.3
  • FortiClientEMS 7.4.0 through 7.4.1
  • FortiClientEMS Cloud 7.4.0 through 7.4.1
  • FortiClientMac 7.0 all versions; 7.2.0 through 7.2.8; 7.4.0 through 7.4.2
  • FortiClientWindows 7.2.0 through 7.2.1
  • FortiDDoS 5.7.0 through 5.7.3
  • FortiDDoS-F 7.0.0 through 7.0.1; 7.0.1 through 7.0.4
  • FortiDeceptor 5.2.0; 5.3.0 through 5.3.1
  • FortiEDR Manager 5.0 all versions; 5.1 all versions; 5.2 all versions; 6.0 all versions; 6.2.0 through 6.2.4
  • FortiExtender 7.0.0 through 7.0.5; 7.2.0 through 7.2.5; 7.4.0 through 7.4.5
  • FortiGuest 1.0 all versions; 1.1 all versions; 1.2.0 through 1.2.1; 1.3.0
  • FortiMail 6.2 all versions; 6.4 all versions; 7.0.0 through 7.0.8; 7.2.0 through 7.2.7; 7.4.0 through 7.4.4; 7.6.0 through 7.6.2
  • FortiManager 6.2.0 through 6.2.11; 6.4.0 through 6.4.15; 7.0.0 through 7.0.13; 7.2.0 through 7.2.10; 7.4.0 through 7.4.6; 7.6.0 through 7.6.2
  • FortiManager Cloud 6.4 all versions; 7.0.1 through 7.0.8; 7.0.10; 7.0.12; 7.2.1 through 7.2.4
  • FortiNAC-F 7.2.0 through 7.2.6; 7.4.0
  • FortiNDR 1.1 all versions; 1.2 all versions; 1.3 all versions; 1.4 all versions; 1.5 all versions; 7.0.0 through 7.0.6; 7.1 all versions; 7.2.0 through 7.2.4; 7.4.0 through 7.4.7; 7.6.0
  • FortiOS 6.4 all versions; 7.0.0 through 7.0.14; 7.2.0 through 7.2.7; 7.4.0 through 7.4.3; 7.4.4 through 7.4.6; 7.6.0
  • FortiPortal 7.0.0 through 7.0.9; 7.2.0 through 7.2.5; 7.4.0
  • FortiProxy 7.6.0 through 7.6.1
  • FortiRecorder 6.0 all versions; 6.4 all versions; 7.0.0 through 7.0.5; 7.2.0 through 7.2.3
  • FortiSandbox 3.2 all versions; 4.0.0 through 4.0.5; 4.2.0 through 4.2.7; 4.4.0 through 4.4.6
  • FortiSIEM 5.3, 5.4, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, and 7.0: all versions
  • FortiSOAR 6.4 all versions; 7.0 all versions; 7.2 all versions; 7.3 all versions; 7.4.0 through 7.4.2
  • FortiSwitch 7.2.0 through 7.2.8; 7.4.0 through 7.4.3
  • FortiSwitchManager 7.2.5
  • FortiVoice 6.0.0 through 6.0.12; 6.4.0 through 6.4.10; 7.0.0 through 7.0.6; 7.2.0
  • FortiVoiceUCDesktop 3.0 all versions
  • FortiWeb 6.2 all versions; 6.3 all versions; 6.4 all versions; 7.0.0 through 7.0.10; 7.2.0 through 7.2.9; 7.4.0 through 7.4.4; 7.6.0
  • FortiWLC 8.6.0 through 8.6.7
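A small checker for an affected-version list of this shape, added here as an example and not Fortinet’s or MS-ISAC’s tooling. It parses entries in the three forms the list uses (“Product a.b.c”, “Product a.b.c through a.b.d”, and “Product a.b all versions”, each optionally preceded by a branch number such as “7.2”), compares versions numerically rather than as strings (so 7.0.10 sorts after 7.0.8), and returns every entry that covers a given installed version. SAMPLE_ENTRIES is a constructed subset transcribed from the list above; substitute the full list to use it in practice.

```python
import re

# Constructed sample: entries transcribed from the affected-version list above,
# one per string, in the same three shapes the list uses.
SAMPLE_ENTRIES = [
    "FortiADC 7.6.1",
    "FortiAnalyzer 6.4.0 through 6.4.14",
    "FortiAnalyzer 6.4.14 through 6.4.15",
    "FortiAnalyzer-BigData 7.2 7.2.0 through 7.2.5",
    "FortiCamera 1.1 all versions",
    "FortiClientEMS Cloud 7.4 7.4.0 through 7.4.1",
    "FortiEDR Manager 6.2 6.2.0 through 6.2.4",
    "FortiOS 6.4 all versions",
    "FortiOS 7.4.4 through 7.4.6",
    "FortiVoice 7.0.0 through 7.0.6",
    "FortiVoice 7.2.0",
]

# product (may contain spaces/hyphens), optional branch, then either
# "all versions" or a single version with an optional "through" upper bound.
ENTRY_RE = re.compile(
    r"^(?P<product>.+?)\s+"
    r"(?:(?P<branch>\d+(?:\.\d+)*)\s+)?"
    r"(?:(?P<all>all versions)|(?P<lo>\d+(?:\.\d+)+)(?:\s+through\s+(?P<hi>\d+(?:\.\d+)+))?)$"
)


def parse_version(text):
    # Numeric tuple so that 7.0.10 > 7.0.8 (string comparison gets this wrong).
    return tuple(int(part) for part in text.split("."))


def parse_entry(line):
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    branch = parse_version(m["branch"]) if m["branch"] else None
    if m["all"]:
        lo = hi = None                      # whole branch affected, no fixed build
    else:
        lo = parse_version(m["lo"])
        hi = parse_version(m["hi"]) if m["hi"] else lo   # single version: lo == hi
    return {"product": m["product"], "branch": branch, "lo": lo, "hi": hi, "raw": line.strip()}


def entry_matches(entry, product, version):
    if entry["product"].lower() != product.lower():
        return False
    v = parse_version(version)
    if entry["branch"] and v[: len(entry["branch"])] != entry["branch"]:
        return False                        # different release train
    if entry["lo"] is None:
        return True                         # "all versions" of this branch
    return entry["lo"] <= v <= entry["hi"]


def affected_by(entries, product, version):
    """Return the raw entries that cover product/version (possibly more than one)."""
    parsed = [parse_entry(e) for e in entries]
    return [e["raw"] for e in parsed if entry_matches(e, product, version)]


if __name__ == "__main__":
    for product, version in [("FortiOS", "7.4.5"), ("FortiOS", "7.4.7"), ("FortiAnalyzer", "6.4.14")]:
        hits = affected_by(SAMPLE_ENTRIES, product, version)
        print(f"{product} {version}: {'AFFECTED by ' + '; '.join(hits) if hits else 'not listed'}")
```

A match means the installed build is in scope for at least one of the referenced FG-IR advisories; the fixed build, and whether a branch listed as “all versions” has any fix at all or must be migrated to a newer train, comes from the specific PSIRT page. A version that matches two entries (FortiAnalyzer 6.4.14 above) is affected by two separate advisories, so check both.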
Risk
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home Users: Low
Recommendations
We recommend the following actions be taken:

  • Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
References
Fortinet:
https://www.fortiguard.com/psirt/FG-IR-24-381
https://www.fortiguard.com/psirt/FG-IR-24-025
https://www.fortiguard.com/psirt/FG-IR-24-388
https://www.fortiguard.com/psirt/FG-IR-24-548
https://www.fortiguard.com/psirt/FG-IR-24-380
https://www.fortiguard.com/psirt/FG-IR-25-016
https://www.fortiguard.com/psirt/FG-IR-23-167
https://www.fortiguard.com/psirt/FG-IR-23-490
https://www.fortiguard.com/psirt/FG-IR-24-258
https://www.fortiguard.com/psirt/FG-IR-24-552
https://www.fortiguard.com/psirt/FG-IR-25-122
https://www.fortiguard.com/psirt/FG-IR-25-254
https://www.fortiguard.com/psirt/FG-IR-24-472
https://www.fortiguard.com/psirt/FG-IR-24-023

Multiple Vulnerabilities in Ivanti Endpoint Manager Mobile Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Ivanti Endpoint Manager Mobile, the most severe of which could allow for remote code execution. Ivanti Endpoint Manager Mobile (EPMM) is a unified endpoint management solution that enables organizations to securely manage and monitor mobile devices, applications, and content across multiple platforms from a centralized interface. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:
Ivanti reports that a very limited number of customers had their solution exploited at the time of disclosure.

SYSTEMS AFFECTED:

  • Ivanti Endpoint Manager Mobile 11.12.0.4 and prior
  • Ivanti Endpoint Manager Mobile 12.3.0.1 and prior
  • Ivanti Endpoint Manager Mobile 12.4.0.1 and prior
  • Ivanti Endpoint Manager Mobile 12.5.0.0 and prior

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Ivanti Endpoint Manager Mobile, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • A remote code execution vulnerability in the API component of Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system. (CVE-2025-4428)

Details of lower severity vulnerabilities:

  • An authentication bypass in the API component of Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. Chaining this vulnerability with CVE-2025-4428 allows unauthenticated remote code execution. (CVE-2025-4427)

Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Ivanti:
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
 
Tenable:
https://www.tenable.com/blog/cve-2025-4427-cve-2025-4428-ivanti-endpoint-manager-mobile-epmm-remote-code-execution
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4427

A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution – PATCH NOW

A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
Google has stated that it is aware of reports that an exploit for CVE-2025-4664 exists in the wild.

SYSTEMS AFFECTED:

  • Chrome prior to 136.0.7103.113/.114 for Windows and Mac
  • Chrome prior to 136.0.7103.113 for Linux 
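A quick way to turn the affected-version list above into an inventory check, added here as an example (not part of the advisory): it compares reported Chrome builds against the fixed builds per platform and lists hosts still below them. The inventory is constructed sample data; the thresholds are the versions the advisory gives.

```python
"""Flag Chrome installs that predate the fixed builds named in the advisory.

Added example, not part of the advisory. The inventory is constructed sample
data; FIXED_VERSIONS holds the fixed builds from the SYSTEMS AFFECTED list.
"""
import re

# Minimum patched build per platform. Windows and Mac shipped as
# 136.0.7103.113 and .114, so the lower of the two is the threshold.
FIXED_VERSIONS = {
    "windows": "136.0.7103.113",
    "mac": "136.0.7103.113",
    "linux": "136.0.7103.113",
}


def parse_version(version):
    """Turn a dotted four-part Chrome version into a comparable tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(platform, version):
    """True when the reported build is older than the fixed build for its platform."""
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_hosts(inventory):
    """Return hostnames whose Chrome build predates the fix, sorted for stable output."""
    return sorted(host for host, platform, version in inventory
                  if is_vulnerable(platform, version))


# Constructed sample inventory: (hostname, platform, reported Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "136.0.7103.92"),
    ("ws-02", "windows", "136.0.7103.114"),
    ("mac-07", "mac", "135.0.7049.115"),
    ("lx-03", "linux", "136.0.7103.113"),
    ("lx-04", "linux", "136.0.7103.59"),
]

if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below fixed build, update required")
```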

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:

A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Details of the vulnerability are as follows: 

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

  • Insufficient policy enforcement in Loader. (CVE-2025-4664)
  • Incorrect handle provided in unspecified circumstances in Mojo. (CVE-2025-4609)

Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

RECOMMENDATIONS:
We recommend the following actions be taken: 

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. 
       
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. 
       
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™. 
       
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway. 
       
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
       

REFERENCES:

Google:
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html 

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4609

Russian GRU Targeting Western Logistics Entities and Technology Companies

This Joint Cybersecurity Advisory highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This campaign includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine.
Since 2022, Western logistics entities and technology companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names. The threat actors’ cyber espionage-oriented campaign, targeting logistics entities and technology companies, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This joint advisory provides a target description, initial access TTPs, IOCs, and mitigation techniques, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this Joint Cybersecurity Advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. 
LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple US critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.
This joint advisory provides technical details, IOCs, TTPs, and mitigation recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
The FBI and CISA encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.