Multiple Vulnerabilities in SonicWall SonicOS Could Allow for Authentication Bypass – PATCH: NOW

ultiple vulnerabilities have been discovered in SonicWall SonicOS that could allow for authentication bypass. SonicOS is SonicWall’s operating system designed for their firewalls and other security devices.  Successful exploitation of the most severe of these vulnerabilities could allow for authentication bypass on the affected system. Depending on the privileges associated with the system, an attacker could then; view, change, or delete data.

THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild

SYSTEMS AFFECTED:

  • Gen6 Hardware Firewalls versions prior to 6.5.5.1-6n
  • Gen7 Firewalls versions prior to 7.1.3-7015
  • Gen7 NSv versions prior to 7.0.1-5165
  • TZ80 versions prior to 8.0.0-8037

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in SoincWall products, the most severe of which could allow for authentication bypass. Details of the vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. (CVE-2024-53704)
  • Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. (CVE-2024-40762)

Details of lower severity vulnerabilities:

  • A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. (CVE-2024-53705)
  • A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution. (CVE-2024-53706)

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by SoincWall to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
     
  • Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
    • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
    • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 13.10:  Performing Application Layer Filtering:  Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

REFERENCES:

SonicWall:?
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53706

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Photoshop 2025 26.1 and earlier versions
  • Photoshop 2024 25.12 and earlier versions
  • Adobe Substance 3D Stager 3.0.4 and earlier versions
  • Adobe Illustrator on iPad 3.0.7 and earlier versions
  • Adobe Animate 2023 23.0.9 and earlier versions
  • Adobe Animate 2024 24.0.6 and earlier versions
  • Adobe Substance 3D Designer 14.0 and earlier versions

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows
 

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203): 

Adobe Photoshop:

  • Uncontrolled Search Path Element (CVE-2025-21127)
  • Integer Underflow (Wrap or Wraparound) (CVE-2025-21122)


Adobe Substance 3D Stager:

  • Out-of-bounds Read (CVE-2024-47449)


Adobe After Effects:

  • Stack-based Buffer Overflow (CVE-2025-21128)
  • Heap-based Buffer Overflow (CVE-2025-21129)
  • Out-of-bounds Write (CVE-2025-21130, CVE-2025-21131, CVE-2025-21132)
     

Adobe Illustrator on iPad:

  • Integer Underflow (Wrap or Wraparound) (CVE-2025-21133, CVE-2025-21134)
     

Adobe Animate:

  • Integer Underflow (Wrap or Wraparound) (CVE-2025-21135)
     

Adobe Substance 3D Designer:

  • Out-of-bounds Write (CVE-2025-21136, CVE-2025-21138)
  • Heap-based Buffer Overflow (CVE-2025-21137, CVE-2025-21139)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights


RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
    • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Adobe:
https://helpx.adobe.com/security/Home.html
https://helpx.adobe.com/security/products/photoshop/apsb25-02.html
https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html
https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-04.html
https://helpx.adobe.com/security/products/animate/apsb25-05.html
https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21139 

Critical Patches Issued for Microsoft Products, January 14, 2025 – PATCH: NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • .NET
  • .NET and Visual Studio
  • .NET, .NET Framework, Visual Studio
  • Visual Studio
  • Microsoft Office Access
  • Power Automate
  • Windows MapUrlToZone
  • Active Directory Federation Services
  • Windows Recovery Environment Agent
  • Windows Connected Devices Platform Service
  • Windows Virtual Trusted Platform Module
  • Windows Boot Loader
  • Windows BitLocker
  • Windows Boot Manager
  • Windows Mark of the Web (MOTW)
  • Windows Kerberos
  • Windows Message Queuing
  • Windows Telephony Service
  • Line Printer Daemon Service (LPD)
  • Windows Remote Desktop Services
  • Windows Digital Media
  • IP Helper
  • Windows PrintWorkflowUserSvc
  • Windows WLAN Auto Config Service
  • Windows Cloud Files Mini Filter Driver
  • Windows COM
  • Windows Event Tracing
  • Windows Installer
  • Windows Direct Show
  • Microsoft Windows Search Component
  • Active Directory Domain Services
  • Microsoft Digest Authentication
  • Windows SPNEGO Extended Negotiation
  • BranchCache
  • Windows OLE
  • Windows UPnP Device Host
  • Windows Geolocation Service
  • Windows DWM Core Library
  • Reliable Multicast Transport Driver (RMCAST)
  • Windows Themes
  • Windows NTLM
  • Windows Smart Card
  • Windows Security Account Manager
  • Windows SmartScreen
  • Microsoft Brokering File System
  • Windows Kernel Memory
  • Internet Explorer
  • Windows Hyper-V NT Kernel Integration VSP
  • Windows Cryptographic Services
  • Windows Win32K – GRFX
  • Windows Hello
  • Windows Web Threat Defense User Service
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office Outlook
  • Microsoft AutoUpdate (MAU)
  • Microsoft Office Outlook for Mac
  • Microsoft Office Word
  • Windows Virtualization-Based Security (VBS) Enclave
  • Windows Client-Side Caching (CSC) Service
  • Azure Marketplace SaaS Resources
  • Microsoft Graphics Component
  • Microsoft Purview
  • Microsoft Office OneNote
  • Microsoft Azure Gateway Manager

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low
 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Multiple Vulnerabilities in Ivanti Avalanche Could Allow for Authentication Bypass – PATCH: NOW

Multiple Vulnerabilities have been discovered in Ivanti Avalanche, the most severe of which could allow for authentication bypass. Ivanti Avalanche is a mobile device management system. Network security features allow one to manage wireless settings (including encryption and authentication) and apply those settings on a schedule throughout the network. Successful exploitation could allow for a remote unauthenticated attacker to bypass authentication. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Ivanti Avalanche versions prior to 6.4.7
     

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low
 

TECHNICAL SUMMARY:
Multiple Vulnerabilities have been discovered in Ivanti Avalanche, the most severe of which could allow for authentication bypass. Details of these vulnerabilities are as follows: 

TacticInitial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. (CVE-2024-13181 and CVE-2024-13179)
  • Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. (CVE-2024-13180)

Successful exploitation could allow for a remote unauthenticated attacker to bypass authentication. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
 

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. 
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:Ivanti: 
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13179

Border Gateway Protocol Security and Resilience | NIST Releases Public Draft of SP 800-189 Revision 1

In recent years, numerous Internet routing incidents — such as Border Gateway Protocol (BGP) prefix hijacking, and route leaks — have resulted in denial of service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial-of-service (DDoS) attacks on servers using spoofed Internet Protocol (IP) addresses and reflection amplification in the data plane have resulted in significant disruptions of services and damages.

NIST has released the initial public draft (IPD) of Revision 1 of NIST Special Publication (SP) 800-189, Border Gateway Protocol Security and Resilience. This document provides technical guidance and recommendations to improve the security and resilience of Internet routing based on BGP. Technologies recommended in this document for securing Internet routing include Resource Public Key Infrastructure (RPKI), Route Origin Authorization (ROA), ROA-based route origin validation (ROA-ROV), and prefix filtering. Additionally, the technologies recommended for mitigating DDoS attacks focus on the prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies are also recommended as part of the overall security mechanisms, such as remotely triggered black hole (RTBH) filtering and flow specification (Flowspec).

While this document is intended to guide information security officers and managers of federal enterprise networks, it also applies to the network services of hosting providers (e.g., cloud-based applications and service hosting) and Internet service providers (ISPs) that support federal IT systems. This guidance may also be useful for enterprise and transit network operators and equipment vendors in general.

The public comment period ends February 25, 2025. See the publication details for a copy of the document.

Read More

NIST Proposes to Standardize a Wider Variant of AES

The Advanced Encryption Standard (AES) specifies a subset of the Rijndael block cipher family with 128-bit blocks that was submitted to the NIST AES development effort. While this block size remains sufficient for many applications, the increasing demand for processing large volumes of data highlights the potential advantages of a larger block size. This need was pointed out in the public comments received for (Special Publication) SP 800-38A, acknowledged in NIST Internal Report 8459, and further reinforced during two NIST public workshops on block cipher modes of operation.

In August 2024, NIST indicated its interest in vetting another Rijndael variant for approval: Rijndael with 256-bit blocks (i.e., Rijndael-256) with a single key size of 256-bits. NIST plans to develop a draft standard for Rijndael-256 over the next year and requests public comments on this plan by June 25, 2025, especially for the following categories:

  • Security analysis, including any new cryptanalytic results related to the 256-bit block size
  • Performance and efficiency, particularly in environments with hardware support for AES

Comments may be submitted to [email protected] with “Comments on Rijndael-256” in the subject line. Comments received in response to this request will be posted on this site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Read More

DPRK APT Exhibits a Dangerous Shift, Targeting Nuclear Industry with New Malware

The North Korean (DPRK)-linked Lazarus Group recently shifted its focus to the nuclear industry, indicating a concerning shift from its previous tactics of primarily targeting defense, aerospace, and cryptocurrency, among others. The Lazarus Group has historically distributed malware through fake job opportunities in a campaign known as “DeathNote” or “Operation DreamJob.” The group created fake job postings that targeted potential employees with appealing career opportunities. They sent malicious files disguised as job assessments, which allowed them to gain access to victims’ systems. During the interview process, candidates were provided with fraudulent job assessments that contained ZIP archives filled with malicious executables or trojanized tools. The ZIP file also contained the malicious file vnclang.dll, a loader identified as MISTPEN malware based on its communication with the command and control (C2) server. Additional payloads included RollMid, CookieTime, and a new LPEClient  variant. If executed, these trojans could grant threat actors unauthorized access to the compromised devices, enabling data theft or disruption of operations.
The group’s methods continue to evolve, employing advanced tools like the Ranid downloader, a new backdoor known as “RustyAttr,” and a new plugin-based malware known as “CookiePlus” that operates in memory for obfuscation. Analysts found that CookiePlus was initially disguised as ComparePlus, an open-source Notepad++ plugin, but has shifted to impersonating other open-source projects like DirectX-Wrappers.
Image Source: SecureList
In October, the Lazarus group refined its tactics by exploiting vulnerabilities, including a Google Chrome zero-day, to target cryptocurrency investors through a deceptive NFT game. In November, analysts detected a new malware variant known as OtterCookie, in addition to previously identified threats such as BeaverTail and InvisibleFerret. The OtterCookie downloader has been noted for its ability to download JSON data remotely and execute cookie properties as JavaScript. It often downloads and executes JavaScript following a 500 HTTP status code that triggers a catch block.
Threat actors likely began using OtterCookie in September; however, the November version incorporates Socket.IO for executing shell commands and gathering cryptocurrency wallet keys from various file types, transmitting this data remotely. It also utilizes the clipboardy library to extract clipboard information, a feature not present in September’s version.
South Korean officials recently sanctioned 15 DPRK nationals and the Chosun Geumjeong Economic Information Technology Exchange Corporation for violations of established economic sanctions. The individuals are allegedly tied to DPRK’s 313th General Bureau, part of the DPRK’s Ministry of Munitions Industry, which oversees Pyongyang’s weapons production, research and development, and ballistic missile programs. The individuals and others are known to be dispatched to China, Russia, Southeast Asia, Africa, and other countries as employees of regime-affiliated organizations such as the Ministry of Defense, disguising their identities and receiving work from IT companies around the world, some facilitating cyberattacks and stealing cryptocurrency.
A 2024 report (PDF) by a United Nations panel stated that it is investigating at least 58 cyberattacks by DPRK operatives against cryptocurrency companies between 2017 and 2023, with the incidents yielding an estimated $3 billion in stolen gains. The panel also investigated reports of numerous DPRK nationals working overseas in the restaurant and construction industries, in addition to the IT industry.
South Korea emphasized that these actions jeopardize the overall cybersecurity landscape and pose a significant threat to global peace and security. Specifically, these activities are being utilized to fund North Korea’s nuclear and missile development programs.
Recommendations
Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats as detailed on the NJCCIC Guidance and Best Practices webpage.

Avoid clicking links, responding to, or acting on unsolicited text messages or emails.
Use strong, unique passwords and enable multi-factor authentication (MFA) for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.

Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.

Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).

Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.

If seeking employment, confirm the legitimacy of requests by contacting the careers section of a company’s official website or by calling the company’s human resources department to verify if the job offer is legitimate.

Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds.

Report cyber incidents to the FBI’s IC3 and the NJCCIC.

Studies Show Increase in Ransomware Targeting Critical Infrastructure During Holiday Season

Image Source: Semperis

Ransomware attacks pose a significant threat year-round; however, they increase significantly during the busy holiday season. Cybercriminals often prepare to launch disruptive cyberattacks targeting multiple sectors, hiding in networks and waiting for the perfect moment to inflict maximum damage and compromise data without detection. A recent study revealed that 86 percent of surveyed organizations that fell victim to ransomware attacks across the United States, United Kingdom, France, and Germany were specifically targeted during holidays or weekends.

Additionally, threat actors consistently target critical infrastructure using advanced tactics to exploit critical operational IT systems. Campaigns notably prioritized industries and organizations with limited downtime, such as healthcare, financial services, and industrial operations. By focusing on environments where operational disruption can lead to cascading impacts, threat actors increase the likelihood of ransom payout, leveraging the criticality of uninterrupted services to pressure victims. 

For example, a ransomware incident recently impacted Rhode Island’s RIBridges, a government system that manages many of the state’s social services programs. Hundreds of thousands of residents’ personal information—such as names, addresses, dates of birth, Social Security numbers, and banking details—was likely compromised.

Brain Cipher ransom note. Image Source: WatchGuard

The ransomware group Brain Cipher is believed to have launched the attack on or before December 5. Brain Cipher is a ransomware operation that utilizes the leaked LockBit 3.0 (Black) builder for its encryptor. The group first became known after extorting the Indonesian government in mid-June 2024 and demanded an $8 million ransom.

Recent reports highlighted significant deficiencies in the state’s cybersecurity measures that required urgent attention, including insufficient resources to manage operations’ complexity and slow progress in risk mitigation. It also stressed the need to improve response capabilities for data breaches and mentioned a lack of specific insurance coverage for cybersecurity risks.

Furthermore, on November 21, the supply chain management firm Blue Yonder reported significant disruptions to its services due to a ransomware attack, specifically impacting grocery store chains in the UK. The managed services environment includes the Software as a Service (SaaS) platforms and cloud-hosted solutions for supply chain operations. Blue Yonder, a subsidiary of Panasonic and an Arizona-based cloud services provider that serves grocery stores, Fortune 500 firms, and a range of multinational corporations, generates over $1 billion in annual revenue. The company provides AI-driven supply chain solutions to prominent clients, including DHL, Starbucks, Walgreens, Kroger, Ford, and Tesco. This attack was likely calculated to coincide with the Thanksgiving holiday and disruptions in the supply chain could have left many grocery stores with empty shelves.

The Termite ransomware group claimed responsibility for this attack. They assert that they have stolen 680GB of data, which includes over 16,000 email lists intended for future attacks and more than 200,000 insurance documents. The group has claimed 10 victims worldwide, primarily focusing on Europe and North America. Targeted sectors include government agencies, education, disability support services, oil and gas, water treatment, and automotive manufacturing.

Ransomware Incidents by Sector: Q2 vs. Q3 2024. Image Source: Dragos

According to Dragos’ 2024 Third Quarter (Q3) Industrial Ransomware Analysis report, analysts observed the emergence of several new and established ransomware groups impacting industrial organizations. Several recent vulnerabilities were identified as initial access vectors used by threat actors targeting government and critical infrastructure sectors. Additionally, vulnerable remote and virtual private network (VPN) applications were exploited for initial access and post-compromise. 

Image Source: Corvus Insurance

Approximately 30 percent of ransomware incidents during the third quarter were linked to vulnerabilities in VPN appliances, such as CVE-2024-40766, which impacts SonicWall SSL VPNs, or poorly managed credentials.  Ransomware groups have also combined vulnerability exploitation with credential-based attacks to bypass multi-factor authentication (MFA) protections. They employ credential stuffing, pass-the-hash attacks, and brute force techniques. Compromised credentials, often sourced from Initial Access Brokers (IABs), have become central to their tactics. In 2023, cybercriminals extorted a record $1.1 billion in ransom payments from organizations worldwide despite the US government’s efforts to disrupt their financial operations.

New Jersey law requires state and local government agencies, public education institutions, and government contractors to report any cyber incidents within 72 hours. This legislation applies to a wide range of entities, including public K-12 schools, public higher education institutions, state law enforcement agencies, counties, municipalities, and more.

Recommendations

  • Refrain from clicking links, responding to, or acting on unsolicited emails.
  • Navigate directly to legitimate websites and verify before submitting account credentials or providing personal or financial information.
  • Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware.

FlowerStorm’s Phishing Platform Slow Rise to Power

Image Source: Sophos
After the quick rise and fall of the Rockstar2FA Phishing-as-a-Service (PhaaS) platform, a new phishing platform, dubbed FlowerStorm, was observed filling in the gap left behind in Rockstar’s absence. Rockstar2FA platform had a simple interface that utilized adversary-in-the-middle (AiTM) techniques to allow threat actors to attempt to bypass the two-factor authentication (2FA) of Microsoft 365 accounts by stealing session cookies during a user’s login session. These stolen session cookies allowed threat actors to access user accounts without needing the user’s credentials or codes.
While the two platforms have not definitively been connected, researchers have found enough similarities between the two that suggest a common ancestry. First seen in June 2024, FlowerStorm shares many similar traits as Rockstar2FA, including:
Platforms utilize phishing portals that mimic legitimate login pages. The HTML structure of their phishing pages is highly similar. While the theming had notable differences (automotive vs. botanical), the underlying design structure remained consistent. Credential harvesting methods align closely and support email validation and MFA authentication through their backend. Platforms utilize similar domain registration and hosting habits, mainly using .ru and .com top-level domains and Cloudflare services. At its peak, Rockstar2FA managed over 2,000 domains. After Rockstar2FA’s collapse, FlowerStorm saw rapid growth, which suggests a shared framework.
Recommendations
Avoid clicking links and opening attachments in unsolicited emails. Confirm requests from senders via contact information obtained from verified and official sources. Type official website URLs into browsers manually.
Facilitate user awareness training to include these types of phishing-based techniques.
Maintain robust and up-to-date endpoint detection tools on every endpoint.
Consider leveraging behavior-based detection tools rather than signature-based tools.

Account Activity Credential Phishing Schemes

Authentic notifications from financial institutions via email and text messaging can help inform users of account activity, such as balances and transactions. However, if a user has consented to receive such notifications, it may be challenging to determine if a notification is legitimate, as threat actors continue to develop persuasive messages purportedly from trustworthy sources that claim to involve credit card or bank account activity. Threat actors create a sense of urgency and panic and may imply that the account security is at risk. They encourage their target to take immediate action, such as divulging information or clicking on a link to a website that looks identical to the legitimate login page.
The NJCCIC’s email security solution identified a credential phishing scheme impersonating Capital One. Although Capital One is referenced in the sender’s display name and username, it is not part of the sender’s domain name, which is a red flag. The messages include a subject line, “Do you recognize this transaction?”, display a fraudulent or unauthorized charge, and contain links that, if clicked, direct targets to a website spoofing the CapitalOne portal to harvest account credentials.
Additionally, it prompts the target to enter their SMS code as part of the SMS phone verification to add a sense of legitimacy. There is also a notation that the code might be slightly delayed due to the target’s mobile network. If entered, the account credentials and SMS code are sent to the threat actors in the background to commit further malicious activity.
Furthermore, the New York State Police recently issued a public warning about increased scams targeting bank account holders. Threat actors convince their targets that they have unauthorized charges or that money was accidentally deposited into their bank account. Financial institutions will never request personal or confidential information, such as account credentials, via notifications or ask to click on a link to verify one’s identity or gain access to the computer.
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
Exercise caution with communications from known senders.
Confirm requests from senders via contact information obtained from verified and official sources.
Type official website URLs into browsers manually and only submit account credentials on official websites.
Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
If the account has been compromised, log out of all devices, revoke any access tokens, and reset passwords. Report suspicious or fraudulent communications to the financial institution.