In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.

Statistics on registered vulnerabilities

This section contains statistics on registered vulnerabilities. The data is taken from cve.org.

Let us consider the number of registered CVEs by month for the last five years up to and including the third quarter of 2025.

Total published vulnerabilities by month from 2021 through 2025 (download)

As can be seen from the chart, the monthly number of vulnerabilities published in the third quarter of 2025 remains above the figures recorded in previous years. The three-month total saw over 1000 more published vulnerabilities year over year. The end of the quarter sets a rising trend in the number of registered CVEs, and we anticipate this growth to continue into the fourth quarter. Still, the overall number of published vulnerabilities is likely to drop slightly relative to the September figure by year-end

A look at the monthly distribution of vulnerabilities rated as critical upon registration (CVSS > 8.9) suggests that this metric was marginally lower in the third quarter than the 2024 figure.

Total number of critical vulnerabilities published each month from 2021 to 2025 (download)

Exploitation statistics

This section contains exploitation statistics for Q3 2025. The data draws on open sources and our telemetry.

Windows and Linux vulnerability exploitation

In Q3 2025, as before, the most common exploits targeted vulnerable Microsoft Office products.

Most Windows exploits detected by Kaspersky solutions targeted the following vulnerabilities:

• CVE-2018-0802: a remote code execution vulnerability in the Equation Editor component
• CVE-2017-11882: another remote code execution vulnerability, also affecting Equation Editor
• CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to assume control of the system

These vulnerabilities historically have been exploited by threat actors more frequently than others, as discussed in previous reports. In the third quarter, we also observed threat actors actively exploiting Directory Traversal vulnerabilities that arise during archive unpacking in WinRAR. While the originally published exploits for these vulnerabilities are not applicable in the wild, attackers have adapted them for their needs.

• CVE-2023-38831: a vulnerability in WinRAR that involves improper handling of objects within archive contents We discussed this vulnerability in detail in a 2024 report.
• CVE-2025-6218 (ZDI-CAN-27198): a vulnerability that enables an attacker to specify a relative path and extract files into an arbitrary directory. A malicious actor can extract the archive into a system application or startup directory to execute malicious code. For a more detailed analysis of the vulnerability, see our Q2 2025 report.
• CVE-2025-8088: a zero-day vulnerability similar to CVE-2025-6128, discovered during an analysis of APT attacks The attackers used NTFS Streams to circumvent controls on the directory into which files were unpacked. We will take a closer look at this vulnerability below.

It should be pointed out that vulnerabilities discovered in 2025 are rapidly catching up in popularity to those found in 2023.

All the CVEs mentioned can be exploited to gain initial access to vulnerable systems. We recommend promptly installing updates for the relevant software.

Dynamics of the number of Windows users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

According to our telemetry, the number of Windows users who encountered exploits increased in the third quarter compared to the previous reporting period. However, this figure is lower than that of Q3 2024.

For Linux devices, exploits for the following OS kernel vulnerabilities were detected most frequently:

• CVE-2022-0847, also known as Dirty Pipe: a vulnerability that allows privilege escalation and enables attackers to take control of running applications
• CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation
• CVE-2021-22555: a heap overflow vulnerability in the Netfilter kernel subsystem. The widespread exploitation of this vulnerability is due to its use of popular memory modification techniques: manipulating “msg_msg” primitives, which leads to a Use-After-Free security flaw.

Dynamics of the number of Linux users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

A look at the number of users who encountered exploits suggests that it continues to grow, and in Q3 2025, it already exceeds the Q1 2023 figure by more than six times.

It is critically important to install security patches for the Linux operating system, as it is attracting more and more attention from threat actors each year – primarily due to the growing number of user devices running Linux.

Most common published exploits

In Q3 2025, exploits targeting operating system vulnerabilities continue to predominate over those targeting other software types that we track as part of our monitoring of public research, news, and PoCs. That said, the share of browser exploits significantly increased in the third quarter, matching the share of exploits in other software not part of the operating system.

Distribution of published exploits by platform, Q1 2025 (download)

Distribution of published exploits by platform, Q2 2025 (download)

Distribution of published exploits by platform, Q3 2025 (download)

It is noteworthy that no new public exploits for Microsoft Office products appeared in Q3 2025, just as none did in Q2. However, PoCs for vulnerabilities in Microsoft SharePoint were disclosed. Since these same vulnerabilities also affect OS components, we categorized them under operating system vulnerabilities.

Vulnerability exploitation in APT attacks

We analyzed data on vulnerabilities that were exploited in APT attacks during Q3 2025. The following rankings draw on our telemetry, research, and open-source data.

TOP 10 vulnerabilities exploited in APT attacks, Q3 2025 (download)

APT attacks in Q3 2025 were dominated by zero-day vulnerabilities, which were uncovered during investigations of isolated incidents. A large wave of exploitation followed their public disclosure. Judging by the list of software containing these vulnerabilities, we are witnessing the emergence of a new go-to toolkit for gaining initial access into infrastructure and executing code both on edge devices and within operating systems. It bears mentioning that long-standing vulnerabilities, such as CVE-2017-11882, allow for the use of various data formats and exploit obfuscation to bypass detection. By contrast, most new vulnerabilities require a specific input data format, which facilitates exploit detection and enables more precise tracking of their use in protected infrastructures. Nevertheless, the risk of exploitation remains quite high, so we strongly recommend applying updates already released by vendors.

C2 frameworks

In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.

The chart below shows the frequency of known C2 framework usage in attacks on users during the third quarter of 2025, according to open sources.

Top 10 C2 frameworks used by APT groups to compromise user systems in Q3 2025 (download)

Metasploit, whose share increased compared to Q2, tops the list of the most prevalent C2 frameworks from the past quarter. It is followed by Sliver and Mythic. The Empire framework also reappeared on the list after being inactive in the previous reporting period. What stands out is that Adaptix C2, although fairly new, was almost immediately embraced by attackers in real-world scenarios. Analyzed sources and samples of malicious C2 agents revealed that the following vulnerabilities were used to launch them and subsequently move within the victim’s network:

• CVE-2020-1472, also known as ZeroLogon, allows for compromising a vulnerable operating system and executing commands as a privileged user.
• CVE-2021-34527, also known as PrintNightmare, exploits flaws in the Windows print spooler subsystem, also enabling remote access to a vulnerable OS and high-privilege command execution.
• CVE-2025-6218 or CVE-2025-8088 are similar Directory Traversal vulnerabilities that allow extracting files from an archive to a predefined path without the archiving utility notifying the user. The first was discovered by researchers but subsequently weaponized by attackers. The second is a zero-day vulnerability.

Interesting vulnerabilities

This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q3 2025 and have a publicly available description.

ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass

ToolShell refers to a set of vulnerabilities in Microsoft SharePoint that allow attackers to bypass authentication and gain full control over the server.

• CVE-2025-49704 involves insecure deserialization of untrusted data, enabling attackers to execute malicious code on a vulnerable server.
• CVE-2025-49706 allows access to the server by bypassing authentication.
• CVE-2025-53770 is a patch bypass for CVE-2025-49704.
• CVE-2025-53771 is a patch bypass for CVE-2025-49706.

These vulnerabilities form one of threat actors’ combinations of choice, as they allow for compromising accessible SharePoint servers with just a few requests. Importantly, they were all patched back in July, which further underscores the importance of promptly installing critical patches. A detailed description of the ToolShell vulnerabilities can be found in our blog.

CVE-2025-8088: a directory traversal vulnerability in WinRAR

CVE-2025-8088 is very similar to CVE-2025-6218, which we discussed in our previous report. In both cases, attackers use relative paths to trick WinRAR into extracting archive contents into system directories. This version of the vulnerability differs only in that the attacker exploits Alternate Data Streams (ADS) and can use environment variables in the extraction path.

CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools

Details about this vulnerability were presented by researchers who claim it was used in real-world attacks in 2024.

At the core of the vulnerability lies the fact that an attacker can substitute the command used to launch the Service Discovery component of the VMware Aria tooling or the VMware Tools utility suite. This leads to the unprivileged attacker gaining unlimited privileges on the virtual machine. The vulnerability stems from an incorrect regular expression within the get-versions.sh script in the Service Discovery component, which is responsible for identifying the service version and runs every time a new command is passed.

Conclusion and advice

The number of recorded vulnerabilities continued to rise in Q3 2025, with some being almost immediately weaponized by attackers. The trend is likely to continue in the future.

The most common exploits for Windows are primarily used for initial system access. Furthermore, it is at this stage that APT groups are actively exploiting new vulnerabilities. To hinder attackers’ access to infrastructure, organizations should regularly audit systems for vulnerabilities and apply patches in a timely manner. These measures can be simplified and automated with Kaspersky Systems Management. Kaspersky Symphony can provide comprehensive and flexible protection against cyberattacks of any complexity.

Goldman Sachs has agreed to acquire Innovator Capital Management for about $2 billion, bringing a provider of defined-outcome exchange-traded funds, including a Bitcoin-linked product, into the bank’s asset-management unit.

The deal, expected to close in the second quarter of 2026, is set to add roughly $28 billion in assets under supervision to Goldman’s asset-management arm.

That division reported $3.45 trillion in supervised assets at the end of the third quarter.

Goldman to Expand Defined-Outcome ETFs With Options Strategy Push

Goldman said the purchase would expand its lineup of active and defined-outcome ETFs, products that rely on options strategies to cap losses and preset how much of an asset’s upside investors can capture over a set period.

Innovator has drawn attention in crypto circles through its structured Bitcoin exposure. Launched in February, the firm’s QBF ETF uses FLEX options tied to Bitcoin ETFs or the Cboe Bitcoin US ETF Index to track part of Bitcoin’s performance while limiting quarterly losses to 20%.

The current design allows investors to capture 71% of any positive price move over a quarter. As of Friday, QBF held about $19.3 million in market value, according to Innovator.

The acquisition highlights how quickly Goldman’s stance on digital assets has shifted. In 2020, the bank publicly warned clients away from cryptocurrencies.

Since then, it has steadily ramped up its activity across the sector. Between 2020 and 2024, Goldman participated in 18 investments in blockchain firms, ranking it among the most active global backers of early-stage crypto companies.

Its exposure via ETFs has grown as well. In the second quarter of 2024, the bank bought around $419 million in Bitcoin ETF shares, according to CoinShares’ analysis of regulatory filings.

By the fourth quarter, disclosures showed nearly $1.28 billion in the iShares Bitcoin Trust and $288 million in Fidelity’s Wise Origin Bitcoin Fund. The bank also lifted its Ethereum ETF holdings to $476 million.

In July, Goldman Sachs and Bank of New York Mellon launched a system allowing institutional clients to access tokenized money market funds.

The offering targets the $7.1 trillion market, uses Goldman’s blockchain platform to record fund ownership, and is integrated with BNY’s custody services.

Vanguard Opens Platform to Crypto-Linked ETFs

As reported, Vanguard has opened its US brokerage platform to crypto-focused ETFs and mutual funds, ending years of resistance to digital assets.

Clients can now trade third-party funds holding Bitcoin, Ether, XRP and Solana, provided the products meet regulatory standards, according to Bloomberg.

The shift matters because of Vanguard’s scale. With about $11 trillion under management and more than 50 million clients, millions of investors who previously could not buy spot Bitcoin ETFs through their Vanguard accounts now have a direct route into crypto-linked products.

The firm will treat these funds similarly to other “non-core” assets such as gold.

The post Goldman Sachs to Acquire Bitcoin ETF Issuer Innovator in $2B Deal appeared first on Cryptonews.

Read more of this story at Slashdot.

The Good | Former GM of DoD Contractor Pleads Guilty to Selling U.S. Cyber Secrets

Peter Williams, a former general manager at U.S. defense contractor L3Harris Trenchant, has pleaded guilty in U.S. federal court to two counts of stealing and selling classified cybersecurity tools and trade secrets to a Russian exploit broker.

Between 2022 and 2025, Williams stole at least eight restricted cyber-exploit components that were developed for the U.S. government and select allied partners. The DoJ stated that these tools, valued at $35 million, were part of Trenchant’s sensitive research and were never intended for foreign sale. Williams sold them for at least $1.3 million in cryptocurrency, signing formal contracts with the Russian intermediary for the initial sale of the components as well as a promise to provide follow-on technical support. Williams used the illicit proceeds to purchase luxury items, according to court filings.

Trenchant, L3Harris Technologies’ cyber capabilities arm, develops advanced offensive and defensive tools used by government agencies within the Five Eyes intelligence alliance. According to the DoJ, Williams abused his privileged access at Trenchant Systems to siphon the data, giving various customers of the broker, including the Russian government and other foreign cyber threat actors, an edge in targeting U.S. citizens, businesses, and critical infrastructure.

While the court reports did not name the broker, prior reporting suggests it may be Operation Zero, a Russian platform known for buying and reselling zero-day exploits, often rewarding developers with large cryptocurrency payouts.

Williams now faces up to 10 years in prison and fines of $250,000 or twice the profit gained. As international cyber brokers expand in their roles as international arms dealers, law enforcement officials reaffirm their hard stance against malicious insiders abusing their positions of trust.

The Bad | New “Brash” Flaw Crashes Chromium Browsers with Timed Attacks

Security researcher Jose Pino has disclosed a severe vulnerability in Chromium’s Blink rendering engine that allows attackers to crash Chromium-based browsers within seconds. Pino has named the vulnerability “Brash” and attributes it to an architectural oversight that fails to rate-limit updates to the document.title API. Without the rate-limiting, an attacker can generate millions of document object model (DOM) mutations per second by repeatedly changing the page title, overwhelming the browser, and consuming CPU resources until the UI thread becomes unresponsive.

The Brash exploit occurs in three phases. First, the attacker prepares a hash seed by loading 100 unique 512-character hexadecimal strings into memory to vary title updates and maximize the impact of the attack. Then, the attacker launches burst injections that perform three consecutive document.title updates in a row, which in default test settings inject roughly 24 million updates per second using a burst size of 8,000 and a 1 ms interval. Lastly, the sustained stream of updates saturates the browser’s main thread, forcing both the tab and the browser to hang or crash and requiring forced termination.

Brash can be scheduled to run at precise moments, enabling a logic-bomb style attack that remains dormant until a timed trigger activates. This increases the danger since attackers can control when the large-scale disruption will occur. Hypothetically, a single click on a specially crafted URL can detonate the attack with millisecond accuracy and little initial indication.

The vulnerability affects Google Chrome and all Chromium-based browsers, including Microsoft Edge, Brave, Opera, Vivaldi, Arc, Dia, OpenAI ChatGPT Atlas, and Perplexity Comet. WebKit-based browsers such as Mozilla Firefox and Apple Safari are not vulnerable to Brash as well as any iOS third-party browsers.

The Ugly | Hacktivists Manipulate Canadian Industrial Systems, Triggering Safety Risks

The Canadian Centre for Cyber Security has issued a warning that hacktivists have breached multiple critical infrastructure systems across Canada, altering industrial controls in ways that could have created dangerous conditions. The alert highlights rising malicious activity that targets internet-exposed Industrial Control Systems (ICS) and urges firms to shore up their security measures to prevent such attacks.

The bulletin cites three recent incidents. In the first, a water treatment facility experienced tampering with water pressure controls, degrading service for the local community. Following that, a Canadian oil and gas company had its Automated Tank Gauge (ATG) manipulated, triggering false alarms. In a third breach, a grain drying silo on a farm had temperature and humidity settings altered, creating potentially unsafe conditions if the changes had gone undetected.

Authorities believe these attacks were opportunistic rather than being technically sophisticated, and intended to attract media attention, underme public trust, and harm the reputation of Canadian authorities. Hacktivists have been known to collaborate with advanced persistent threat (APT) groups to amplify the reach of disruptive acts and cause public unrest.

Although none of the targeted facilities suffered damage, the incidents underline inherent risks in poorly protected ICS, including programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, human-machine interfaces (HMIs), and industrial IoT devices.

The Cyber Centre recommends that organizations inventory and secure internet-accessible ICS devices, remove direct internet exposure where possible, implement VPNs with multi-factor authentication (MFA), maintain regular firmware updates, and conduct regular penetration testing. Resources like the Cyber Security Readiness Goals (CRGs) can offer guidance for critical infrastructure firms and officials remind organizations that suspicious activity should be reported via My Cyber Portal or to local authorities to reduce risks of future compromise.

Companies face more sophisticated, unpredictable cyber threats. Zero Day vulnerabilities are among the greatest risks, as these software flaws are unknown and exploited before a fix is available, potentially compromising thousands of organizations.

Stopping zero-day attacks is a top priority for security teams, requiring faster identification, detection, and mitigation to prevent damage. But how do these attacks work, and what practices really help?

Introducing the Problem: What Is a Zero-Day Attack?

A zero-day vulnerability is a hidden security flaw unknown to vendors or developers. Without an immediate fix, systems remain exposed to attacks. These vulnerabilities are particularly dangerous and pose complex risk-management challenges. Adversaries can exploit them before the flaw becomes public or is patched, causing significant harm. The term “zero-day” reflects that defenders have had zero days to prepare.

Within this definition, another concept matters: the zero-day exploit. Although related, vulnerability and exploit are different—and recognizing that difference is critical.

Zero-Day Exploit Definition: What They Are and How They Work

A Zero Day exploit is the tool hackers use to leverage a vulnerability. They can be highly damaging and difficult to defend against and are often sold on the dark web, making them valuable and dangerous.

When an attacker discovers a vulnerability unknown to anyone else, they develop specific code to exploit it and integrate it into malware. Once that code executes on the system, it can give the attacker control or access to sensitive information.

There are several ways to exploit a Zero Day vulnerability. One of the most common is through phishing: emails with infected attachments or links containing the hidden exploit. By clicking or opening the file, the malware activates and compromises the system without the user noticing.

A well-known case was the attack on Sony Pictures Entertainment in 2014.^[1] Cybercriminals used a Zero Day exploit to leak confidential information such as unreleased movie copies, internal emails, and private documents.

Which Systems Are Most Targeted for Zero-Day Exploitation?

Threat actors frequently target high-value systems and supply chains. Common targets include:

• Operating Systems: Windows, macOS, Linux.
• Web Browsers: Engines, plugins, and extensions (Chromium, Firefox, Brave, etc.).
• Office Suites: Microsoft Office, Google Workspace.
• Mobile OS: iOS and Android.
• CMS Platforms: WordPress, Joomla, Drupal (core, plugins, themes).
• Network/IoT Devices: Routers, firewalls, connected devices.
• Enterprise Apps: ERP/CRM like SAP and Oracle.

Techniques to Identify Zero-Day Vulnerabilities

Facing Zero Day vulnerabilities requires a combination of technological foresight and constant monitoring of the digital environment. In this scenario, having a trusted partner can make a difference, helping organizations reduce risks and proactively strengthen their security posture. Various techniques also help detect and neutralize potential Zero Day attacks.

1. Vulnerability Scanning

   Periodic scans of systems and network vulnerabilities identify potential weaknesses, such as flaws in unknown software providers. Early detection allows rapid mitigation through patching and other security updates.

2. Behavioral Anomaly Detection

   Monitoring network and system behavior can detect anomalies indicating deviations from normal operation. Abnormal network traffic, unusual resource usage, or unauthorized access attempts may indicate Zero Day exploitation attempts. 

3. Signature-Less Analytics

   Advanced threat detection methods, like anomaly detection and machine learning algorithms, allow for identifying suspicious behavior without relying on known attack signatures.

4. Threat Intelligence

   Threat intelligence channels and information-sharing communities provide relevant data on emerging threats and Zero Day vulnerabilities. Organizations can proactively monitor associated vulnerability indicators, enabling timely defensive actions.

5. Sandboxing & Emulation

   Sandboxing and emulation techniques allow for analyzing suspicious files or executables in isolated environments. Behavioral analysis in a controlled setting helps detect potential Zero Day exploits early.

6. User Behavior Analytics (UBA)

   UBA solutions can detect anomalies indicating Zero Day attacks, such as unusual login locations or unauthorized privilege escalation. Essentially, they monitor user activity and access patterns.

7. Continuous Monitoring & IR Readiness

   Robust monitoring practices and incident response procedures enable rapid detection, investigation, and mitigation of Zero Day attacks. Periodic security audits, penetration testing, and simulation exercises improve organizational readiness against threats.

Strengthening Defenses Against Zero-Day Vulnerabilities

It is clear that implementing comprehensive security strategies is essential. Measures combining continuous monitoring, proactive detection, and automated response allow organizations to anticipate attacks and significantly reduce risks.

Integrating advanced solutions helps protect critical systems before vulnerabilities are exploited. Adopting a Zero Trust approach is crucial for minimizing risks associated with Zero Day vulnerabilities. This security philosophy, which continuously validates every access and privilege, ensures that even if an exploit enters, its impact is effectively contained.

With the support of experts and specialized tools, organizations can strengthen their cybersecurity posture, maintain operational continuity, and protect sensitive information. While this process is not simple, in a technology-driven world, both for better and worse, it has become a priority.

References
1. Alex Altman. (2014, Dec 22). “No Company Is Immune to a Hack Like Sony’s.” Time.

If you want to make the most of The Field We Now Call AI, look to trading. Specifically, the tech-driven sort.

People who’ve read my other work, or who have had the misfortune of speaking with me one-on-one, have already heard this line. My long-running half-joke is that my AI consulting is based on best practices I picked up from trading way back when.

I say this with good reason. Modern trading—for brevity, I’ll lump algo(rithmic), electronic, quant(itative) finance, and any other form of Throwing Computers at the Stock Market under the umbrella of “algo trading”—applies data analysis and mathematical modeling to business pursuits. It’s full of hard-learned lessons that you can and should borrow for data work in other domains, even if your industry exists far afield of the financial markets. You can always ask, “How would algo trading handle this modeling issue/account for errors in this data pipeline/connect this analysis work to the business model?”

More recently I’ve been thinking about algo trading’s origin story. Which has led me to ask:

What can the computerization of Wall Street tell us about the rise of AI in other domains?

The short version is that the computers arrived and trading changed forever. But the truth is far more nuanced. Companies that internalize the deeper lessons from that story are poised to win out with AI—all of data science, ML/AI, and GenAI.

Let’s start with an abbreviated, slightly oversimplified history of technology in trading.

An Abbreviated History of the Delightful Chaos

At its core, trading is a simple matter of buy low, sell high: buy some shares of stock; wait for their price to go up; sell those shares; profit.

This is when you’ll point out that there are more complicated approaches which juggle shares from multiple companies…and that short-selling reverses the order to “sell high, buy low”…plus you have derivatives and all that… And I would agree with you. Those products and techniques certainly exist! But deep down, they are all expressions of “buy low, sell high.”

The mechanics of trading amount to strategy, matching, and execution:

Your trading strategy defines what shares you’ll buy, when to buy them, and when to sell. It can be as innumerate as “buy when the CEO wears black shoes, sell when they wear brown shoes.” It can involve deep industry research that tells you to move when the price exceeds some value X. Maybe you plot some charts to look for trends. Or you take that charting to the next level by building crazy mathematical models. However you devise your trading strategy, it’s all about the numbers: how many shares and at what price. You’re watching movements of share prices and you’re reacting to them, usually with great haste.

On the other side of strategy we have order matching and trade execution. Here’s where you pair up people who want to buy or sell, and then place those orders, respectively. In the olden days, matching and execution took place through “open outcry” or “pit” trading: people in a large, arena-like room (the pit) bought and sold shares through shouting (hence “outcry”) and hand signals (occasionally, the “catching hands” kind of signal). You watched prices on big screens and took orders by phone. Your location in the pit was key, as was your height in some cases, because you needed the right people to see you at the right time. Pit traders will tell you that it was loud and frenetic—like a sports match, except that every action involved money changing hands. Oh yes, and a lot of this was recorded on paper tickets. Messy handwriting and mishearing things led to corrections after-hours.

Computerization of these activities was a three-decade process—a slow start but a rousing finish. It began in the 1970s with early-day NASDAQ publishing prices electronically. (To drive the point home, note that the last two letters stand for “Automated Quotation.” You now have extra trivia for your next party conversation. You’re welcome.) Then came the UK’s 1986 “Big Bang” shift to electronic trading. Things really picked up in the 1990s through the early 2000s, which saw much wider-scale use of electronic quoting and orders. Then came decimalization and REG-NMS, which further encouraged computerized order matching and execution.

Combined, this led to a world in which you could get up-to-the minute share price data, find a counterparty with which to trade, and place orders—all without heading to (or calling someone in) the pit. Without hand signals. Without jumping up and down to be seen. Without the risk of fisticuffs.

From there, “pull in price data by computer” and “place orders by computer” logically progressed to “hire rocket scientists who’ll build models to determine trading strategy based on massive amounts of data.” And to top it off, remember that all of this electronic activity was taking place at, well, computer speeds.

Pit traders simply couldn’t keep up. And they were eventually pushed out. Open outcry trading is pretty much gone, and the role of “trader” has shifted to “person who builds or configures machines that operate in the financial markets.”

Understanding the Why

From a distance, it’s easy to write this off as “the computers showed up and the humans were gone. End of story.” Or even “the computers won simply because they were faster.” That’s the scenario AI-hopeful execs have in mind, but it’s far more complicated than that. It helps to understand why the bots took over.

I wrote a short take on this last year:

Trading is a world awash in numbers, analyses, and pattern-finding. In the pre-technology era, humans did this work just fine. But then computers arrived, doing the math better, faster, at a larger scale, and without catching a case of nerves. Code could react to market data changes so quickly that network bandwidth, not processor speed, became the limiting factor. In every aspect of the game—from parsing price data to analyzing correlations to placing orders—humans found themselves outpaced.

I’ll pause here to explain that trading happens in a marketplace. There are other participants, among whom there’s an element of competition (uncovering price shifts before anyone else and then moving the fastest on those discoveries) but also cooperation (as the person buying and the person selling both want to move quickly). That lent itself well to network effects, because once one group started using computers to parse market data and place orders, other groups wanted to join in and so they got their own. The traders who were still dealing in paper and hand signals weren’t so much competing with computers but with other traders who were using computers.

Continuing from that earlier write-up:

To understand what this meant for 1990s-era traders, imagine you’re a chess pro sitting down for a game. Except the board now extends to fifty dimensions and your opponent can make multiple moves without waiting for you to finish your turn. They react to your confused facial expression by explaining: the pieces could always do this; you just weren’t able to move them that way. That was the shift from open-outcry (“pit”) trading to the electronic variety. Human actors were displaced overnight. It just took them another few years to accept.

That sentence in bold gets to the core of why computerization was a runaway success. The desire for speed was always there. The desire for consistency under pressure was always there. The desire to find meaningful patterns in the mountains of pricing data was always there. We just couldn’t do that till computers came along. People figured out that computers could consistently, dispassionately multitask on market matters while crunching massive amounts of data.

From that perspective, computers didn’t really take human jobs—humans were doing jobs that were meant for computers, before computers were available.

Computers and trading made for a perfect marriage.

Well, almost.

It’s Not All Roses

All of these computers jockeying for position, operating at machine speeds, introduced new opportunities but also new risk exposures. New problems cropped up, notable for both their magnitude and ubiquity: high-speed cheating, like order spoofing; flash crashes; bots going out of control… Traders and exchanges alike implemented new testing and safety procedures—layers upon layers of risk management practices—as a matter of survival. It was the only way to reap the rewards of using bots while closing off sources of ruin.

Tech-related incidents still happen, like the 2012 Knight Capital meltdown. And bad actors still get away with things now and then. But when you consider the size and scale of the model-driven, electronically traded financial markets, the problems are relatively few. Especially since every incident is taken as a learning experience, leading traders and exchanges to institute new policies that discourage similar problems from cropping up down the road.

Frankly, the most notorious incidents in finance—like the 2008 mortgage crisis or the self-destruction of hedge fund LTCM—were rooted not in technology but in human nature: greed, hubris, and people choosing to oversimplify or misinterpret risk metrics like VaR. The computerization of trading has mostly been positive.

Learning from the Lessons

That trip through trading history brings us right back to where I started this piece:

If you want to make the most of The Field We Now Call AI, look to trading. Specifically, the tech-driven sort.

The move from the pits to computerized trading holds lessons for today’s world of AI. If you’re an executive who dreams of replacing human headcount with AI bots, you’d do well to consider the following:

Give the machines machine jobs. Notice how traders and exchanges applied computers to the work that was amenable to automation—matching, execution, market data, all that. The same holds for AI. That manual task may annoy you, but if AI isn’t capable of handling it just yet, it must remain a manual task.

Machines give you “faster”; you still need to figure out “better.” Does the AI solution provide an appreciable improvement over the manual approach? You’ll need to run tests—the kind where there is an objective, observable, independently verifiable definition of success—to figure this out. Importantly, you’ll need to run these tests before modifying your org chart.

The machines’ speed will multiply the number and scale of any errors. This includes the error of using AI where it’s a poor fit. Avoid doing the wrong thing, just faster.

This is of special concern in light of the wider adoption of AI-on-AI interactions, such as agents. One bot going out of control is bad enough. Multiple bots going out of control, while interacting with each other, can lead to a meltdown.

Technology still requires human experience. While bots have taken over the moment-to-moment stock market action, they’re built by teams of experts. The computers are useless unless backed up by your team’s collective domain knowledge, expertise, and safety practices.

Tune your risk/reward trade-off. Yes, you’ll want to develop controls and safeguards to protect yourself from the machines going off the rails. And you’ll need to think about this at every stage of the project, from conception to R&D to deployment and beyond. Yes.

Yes, and, you’ll want to think beyond your downside exposures to consider your upside gain. Well-placed AI can bring about massive returns on investment for your company. But only if you choose the AI projects for which the risk/reward trade-off plays in your favor.

You’re only in competition with yourself. Traders try to get ahead of each other, to detect price movements and place their orders before anyone else. And they place trades with one another, each taking a different side of the same bet (and hunting for counterparties who will make bad bets). But in the end, as a trader, you’re only in competition with yourself: “How did I do today, compared to yesterday? How do I avoid mishaps today, so I can do this again tomorrow?”

The same holds for your use of AI. Executives are under pressure—whether from their investors, their board, or simple FOMO as they read about what other companies are doing—to apply AI anywhere, everywhere. It’s best to look inside and figure out what AI can do for you, instead of trying to copycat the competition or using AI for AI’s sake.

What if…?

I opened with a question about algo trading, so it’s fitting that I close on one. To set the stage:

In the early days of data science—a good 15 years before GenAI came around—I hypothesized that traders and quants would do well in this field. It was a smaller and calmer version of what they were already doing, and they had internalized all kinds of best practices from their higher-stakes environment. “If Wall Street pay ever sinks low enough that those people leave,” I mused, “the data field will definitely change.”

Wall Street comp never sank far enough for that to happen. Which is good for the folks who still work in that field. But it also means I never got to thoroughly test my hypothesis. I still wonder, though:

What if more people with algo trading experience had entered the data science field early, and had spread their influence?

Imagine if, in the early to mid-2010s, a good portion of corporate data departments were built and staffed by former traders, quants, and similar finance professionals. Would we still see the meteoric rise of GenAI? Would companies be just as excited to throw AI at every possible problem? Or would we see a smaller, more focused, more effective use of data analysis in the pursuit of profit?

In the most likely alternate reality, the companies that genuinely need AI are doing well at it. Those that would have passed up on AI in our timeline come much closer to reaching their full AI potential here. In both cases the data team is deeply connected to, and focused on, the business mission. They adhere to metrics that allow them to track model performance. To that point, the use of those AI models is based on what those systems are capable of doing rather than what someone wishes they could do.

Importantly, these quant-run shops exhibit a stronger appreciation of risk-taking and risk management. I use those terms in the finance sense, which involves fine-tuning one’s risk/reward trade-off. You don’t just close off the downsides of using automated decision making; you aggressively pursue additional opportunities for upside gain. That involves rigorous testing during the R&D phase, plus plenty of human oversight once the models are running in production. It’s very much a matter of discipline. (Compare that to our timeline, in which the Move Fast and Break Things mindset has bolstered the Just Go Ahead and Do It approach.)

Interestingly enough, this alternate timeline still sports plenty of companies that use solely AI for the cool factor. There are just no quants or traders in those AI departments. Those people are finely attuned to using data in service of the business goal, so a frivolous use of AI sends them running for the exit. If they even join the company in the first place.

All in all, the companies in the alternate timeline that need AI are doing quite well. Those that don’t need AI, they’re still making the snake oil vendors very happy.

Today’s GenAI hype machine would certainly disagree with me. But I’ll point out that the GenAI hype doesn’t hold a candle to the tangible, widespread impact of the computerization of trading.

Food for thought.

In 2024, the average cost of an insider threat incident reached $17.4 million.[1] When you consider that these types of incidents happen daily, it becomes clear that we’re facing a frequent and expensive danger. So, what is an insider threat? Today, it means much more than a data leak; it’s a strategic vulnerability that can disrupt business continuity.

What Is an Insider Threat in Cybersecurity?

In cybersecurity, the danger doesn’t always come from outside. Insider threats are security risks originating within the organization, caused by someone who works there or has authorized access to its systems and networks. These threats may be intentional or accidental.

According to the Cost of Insider Risks 2025 report, 55% of internal security incidents are caused by employee errors or negligence.^[2] What does that mean? You don’t need to plan a cybercrime to compromise a company’s security; sometimes, a single mistaken click is enough.

One of the biggest dangers of insider threats in cybersecurity is how easily they go unnoticed. Since the actors involved often use valid credentials, they don’t immediately raise red flags. How can these attacks be prevented? By strengthening internal policies, training employees, and implementing vulnerability management tools with proactive monitoring to detect suspicious activity from the inside.

Insider Threats in Action: Understanding Internal Risk Profiles

Spotting an insider threat isn’t always as straightforward as identifying an external hacker. Insider threat detection involves recognizing the different profiles that may pose a risk within the organization. From human error to calculated sabotage, understanding insider threat types is key to building an effective defense.

1. Intentional/Malicious Insider

These are deliberate actions carried out by current or former employees who are dissatisfied with the company. Motivated by this discontent, they may steal sensitive data, sabotage systems, or manipulate critical information. In some cases, they even collaborate with external actors.

These insiders are particularly dangerous because their actions are often well-planned and difficult to detect in time. They may wait for the right opportunity to exploit a system vulnerability, use social engineering techniques, or erase logs to avoid being caught.

In 2018, Tesla experienced a well-known malicious insider incident when a former employee was accused of sabotage.^[3] According to Elon Musk, the employee stole confidential data and modified the code of the manufacturing operating system.

2. Negligent Insider

This threat stems from mistakes or poor practices rather than malicious intent. Often the result of ignorance or carelessness, common examples include falling for phishing scams, overlooking security protocols, or misconfiguring systems.

In 2017, defense contractor Booz Allen Hamilton exposed over 60,000 sensitive files on an unsecured Amazon Web Services (AWS) server.[4] The data included classified information from the U.S. Army Intelligence and Security Command (INSCOM).

3. Compromised / Third‑Party Insider

This category includes external users such as contractors, vendors, or former employees whose legitimate access has been hijacked. They function as insiders because they operate with valid credentials, making it easier to leak data or spread malware from within. In many cases, compromised insiders result from internal negligence.

In March 2025, Royal Mail suffered a massive data breach after attackers accessed its network through an external vendor, Spectos GmbH.[5] Using stolen credentials, they bypassed internal controls and exfiltrated over 144 GB of customer information, including personal data, internal recordings, and mailing lists.

Accepting that the threat may come from within requires a shift in how we approach security, toward a more human-centric, dynamic, and preventive model. Strengthening cyber resilience means going beyond just identifying threats. It involves rethinking assumptions about who poses a risk and why, and building a truly holistic security culture.

Internal Threat Indicators: Signs Worth Investigating

When someone with insider access launches an attack, they may need to hack internal systems or reconfigure hardware or software infrastructure. Recognizing the signs and tools involved is key to identifying insider risk and responding proactively.

Unusual Login Behavior

Most organizations follow predictable login patterns. Remote access from unusual locations or during off-hours can signal trouble. Authentication logs can also reveal strange username activity, like accounts named "test" or "admin," indicating unauthorized access attempts.

Use of Unauthorized Applications

Critical customer and business management systems, as well as financial platforms, should be tightly controlled. These tools must have clearly defined user roles. Any unauthorized access to these applications, or to the sensitive data they contain, can be devastating to a business.

Privilege Escalation Behavior

People with higher-level system access pose an inherent risk. Sometimes, an administrator may begin granting privileges to unauthorized users, or even to themselves, to gain access to restricted data or apps.

Excessive Data Downloads or Transfers

IT teams must stay alert to their network’s regular bandwidth usage and data transfer patterns. Large, unexplained downloads, especially during odd hours or from unusual locations, may signal an internal threat.

Unauthorized Changes to Firewalls and Antivirus Tools

Any time firewall or antivirus configurations are altered, it could indicate insider tampering. These changes are often subtle attempts to weaken system defenses and create an easy path for future malicious activity.

The Threat Is Internal, but so is the Opportunity

Insider threats aren’t just technical failures; they reflect human dynamics, outdated processes, and gaps in security infrastructure. Building effective protection demands a proactive, evolving strategy, one that combines robust tools with prepared teams.

At LevelBlue, our simplified approach to cybersecurity with comprehensive managed security services helps organizations identify abnormal patterns, prevent unauthorized access, and respond to insider threats in real time. Our ecosystem of solutions enables continuous, agile defense, turning every threat into an opportunity for long-term improvement.

References
1. DTEX Systems. (2025, Feb 25). Ponemon Cybersecurity Report: Insider Risk Management Enabling Early Breach Detection and Mitigation.
2. DTEX Systems. (2025, Feb 25). Ponemon Cybersecurity Report: Insider Risk Management Enabling Early Breach Detection and Mitigation.
3. Mark Matousek. (2018, June 18). Elon Musk is accusing a Tesla employee of trying to sabotage the company. Business Insider.
4. Patrick Howell O'Neill (2017, June 1). Booz Allen Hamilton leaves 60,000 unsecured DOD files on AWS server. CiberScoop.
5. Check Red Security. (2025, April 14). When Trusted Access Turns Dangerous: Insider Risks in the Age of Third‑Party Vendors.

Katz Stealer is a feature-rich infostealer marketed and operated as Malware-as-a-Service (MaaS). It was launched in early 2025 and quickly garnered attention within the infostealer landscape.

The stealer includes robust credential and data discovery with theft capabilities as well as modern evasion and anti-analysis features. It is used to exfiltrate a broad range of personal or sensitive information including passwords, cryptocurrency keys, private messaging tokens, browser session data and more.

Katz Stealer is marketed through popular cybercrime forums as well as more broad networks (Telegram and Discord) and provides its subscribers with a web-based management panel. This interface is used to generate custom payloads, manage stolen data and logs, and perform other high-level campaign management. The turnkey nature of the Katz Stealer service, along with accessible pricing, have led to rapid adoption by threat actors across the spectrum of capability. In this post, we provide an overview of Katz Stealer’s general functionality and infrastructure.

Marketing & the MaaS Platform

Katz Stealer operates as a commercially distributed MaaS (Malware-as-a-Service) platform. Similar to RaaS operations, the developers of Katz Stealer offer the service to their “affiliates” or “customers” for an up front fee. Affiliates are provided with access to a web-based management panel, which they can use to generate and configure custom builds of the stealer payloads.

Various payload options can be toggled on or off during the build process, including checks for Virtual Machine hosts and different theft modules. The delivery format of the payload can be configured here as well. In addition, the panel functions as the data back-end for the stealer, allowing stolen victim data to be processed and searched. Attackers are also able to export and package stolen data in multiple ways, making it convenient for extortion purposes.

Katz Stealer is marketed on many web-based crime forums as well as on its own portal site.

The sellers highlight the robustness of support that Katz has for stealing from numerous applications and data types. The following feature set is currently advertised for Katz Stealer:

The stealer is also heavily advertised across Telegram and Discord communities. The sellers accept payment in most stable cryptocurrencies (BTC, XMR). As of this writing, pricing for access to Katz Stealer were as follows:

6 Months – $480.00 USD
3 Months – $270.00 USD
1 Month – $100.00 USD

Infection & Evasion Tactics

Katz Stealer leverages a multi-stage infection chain. Katz campaigns most frequently start with malicious archive files (.gz) delivered to the victim via phishing email or trojanized downloads. These emails (or malicious downloads) contain an obfuscated JavaScript dropper. The JavaScript code is highly obfuscated and subjected to multiple transformations in an effort to evade static analysis.

When executed, the JavaScript dropper launches a PowerShell command, often with the -WindowStyle Hidden flag, to further evade user detection. This PowerShell script downloads what appears to be a harmless image file from a remote server. However, the image is weaponized using steganography. Analysis reveals the image contains a base64-encoded string embedded between specific markers. These markers can vary across samples.

The image below shows an example of a Katz Stealer ‘stego image’ “new_image.jpg”. The markers delineating the base64-encoded sections in this sample (0fad38ab91d5676378265405b4f42d98e475c44c) are <<INICIO>> and <<FIM>>. The script scans the image for these markers, extracts the string, and decodes it entirely in memory, ensuring that no malicious payload is written to disk at this stage.

Once the payload is decoded, Katz Stealer leverages a User Account Control (UAC) bypass by abusing cmstp.exe, a legitimate Windows utility, to gain elevated privileges. It then establishes persistence by creating a scheduled task, ensuring that the malware survives system reboots.

The third stage Katz Stealer payload is the .NET loader responsible for final geofencing and anti-analysis checks prior to further execution. Katz Stealer checks the local system’s locale settings, keyboard layout and default language settings in an effort to exclude use within the CIS (Commonwealth of Independent States) such as Russia, Belarus and other former Soviet Union states.

Additionally, the malware performs a series of checks to determine if it is being executed within a virtual or sandbox/analysis environment. It reads various BIOS identifiers from the Windows registry looking for strings related to common VM platforms (e.g., VirtualBox, VMWare). Default resolution and system uptime are also checked as these are valuable for indicating analyst or researcher environments.

The next stage of the infection spawns the main Katz Stealer module, via process hollowing, within MSBuild.exe (Microsoft Build Engine). First, Katz Stealer drops a dummy INF file, then invokes cmstp.exe to execute. This is a well-established UAC bypass technique, and it allows attackers to fully bypass UAC while avoiding prompts of additional user interaction.

The malware also establishes persistence at this time by creating a scheduled task. The task is set to trigger upon every system restart. The main module is executed within MSBuild.exe via process hollowing. The prior-stage loader spawns an instance of MSBuild.exe, reserving a section of memory to implant and execute the main Katz Stealer module. Running in this context, elevated and within the privileged memory space of MSBuild.exe, the malware is able to operate with SYSTEM-level access hidden from surface-level detection tools.

Once active, Katz Stealer injects itself into target processes to begin harvesting data. Katz is heavily focused on browser data, and multiple browsers are supported. Rather than intercepting existing user browser sessions, Katz launches the targeted browser processes in headless mode, which ensures it remains hidden from the user. A specialized DLL (written to disk by the dropper in %temp%) is injected into the headless browser process, allowing the malware to fully access sensitive browser data in an elevated context.

Infostealer Features

Katz Stealer is capable of stealing files, tokens and credentials from nearly every common application or service that a typical user might have. The infostealer can harvest data from all commonly used web browsers (Chrome, Edge, Brave, Firefox and various Chromium/Gecko-offshoots). Saved passwords, login session cookies, saved session tokens, autofill data (including stored credit card CVV data) are all targeted. Katz also has the ability to decode encrypted browser data in some cases, as detailed in the next section.

Messaging and gaming platforms are also targeted, including the harvesting of gaming session tokens and user account data from secure messenger platforms (e.g., Discord, Telegram), along with credentials for well-known gaming sites and communities like Steam.

In addition, Katz Stealer targets a wide range of Email, FTP, and VPN clients. The malware parses and extracts stored messages and credentials from Outlook, Windows Live Mail, Foxmail, Eudora and other mail clients. Katz extracts and logs any configuration files and stored credentials related to VPN clients, FTP Software and known WiFi networks.

Katz Stealer also has the ability to capture screenshots (scheduled or ad-hoc), audio and video. It monitors clipboard activity for strings that resemble passwords, passkeys and cryptocurrency wallet addresses. Attackers often combine these features to capture one-time passcodes or other time-sensitive info displayed on the screen of the targeted system(s). Finally, Katz Stealer is heavily focused on cryptocurrency wallets. Private keys, wallet files, and discovered seed phrases are all captured for a wide array of cryptocurrency wallets.

Browser Injection Process and Encryption Bypass

Data stored by web browsers (passwords, autofill data, cookies) are a primary target for Katz Stealer. The malware is able to bypass some modern browser security measures. Once the Katz Stealer DLL is injected into a browser process, the infostealer can extract sensitive data using the browser’s own security context and available APIs.

This allows Katz Stealer to bypass some encryption barriers that attempt to obfuscate sensitive data. For Chromium-based browsers, Google has introduced (in 2024) ABE (Application Bound Encryption), which ties the decryption of stored passwords and cookies to the logged-in OS user. Katz Stealer is able to defeat this by programmatically masquerading as the browser once injected. The malware locates the browser’s “Local State” file (which is responsible for storing the master encryption key for the logged-in user’s browser session data) and uses the Windows cryptography API to decrypt that key.

With the plaintext master key now available, the malware can subsequently decrypt all saved passwords and cookies from the browser’s SQLite databases. These extracted keys are saved to disk as text files (e.g., decrypted_chrome_key.txt) in the current user’s %APPDATA% folder.

These stored files can be called upon for later use should the infostealer need to decrypt further or new browser session data. This technique appears to be borrowed (at least partially) from the open-source project ChromeKatz, which allows the dumping of Chrome credentials via similar methods of impersonation within the browser.

For Firefox and other Mozilla/Gecko-based browsers, Katz Stealer locates Firefox’s profile directories and harvests the core files that contain all the browser user and session information. This includes saved usernames and passwords (logins.json) along with the databases that hold decryption keys for all the local logins (key4.db). By collecting all the raw logins, keys, and session data, the attacker can crack or decrypt the passwords offline.

Cryptocurrency Theft Features

Katz Stealer searches the victim’s filesystem for any files related to modern desktop cryptocurrency wallet applications. The malware targets data from multi-coin wallets like Exodus and Coinomi, as well as specific wallet data pertaining to Dash, Dogecoin, Litecoin, Monero (XMR), Bitcoin and Ethereum. The stealer uses a combination of known file paths, folder names, and extensions to locate relevant data. Once identified, the malware copies wallet files, private keys, and backed-up seed phrases to its own temporary folder.

Katz Stealer is also capable of stealing data from individual crypto-based browser extensions. Katz Stealer contains over 150 specific browser extension “IDs” which correspond to cryptocurrency wallet extensions (e.g., MetaMask, Phantom, Binance). The malware scans the browser’s extension data for these IDs, and when found, gathers all relevant files and data such as extension logs, wallet vault files, and any cached seed phrases. For more hardened browsers like Brave, Katz contains tailored code which can locate Brave’s wallet data as well, and process it directly.

C2 and Network Behavior

Once a victim is successfully infected, Katz Stealer establishes an active and persistent C2 channel. Each instance of the stealer contains a hardcoded C2 IP address. Upon infection, the malware calls out to the C2 and identifies itself via a campaign-unique ID.

The malware continues to beacon out to the C2 server to ensure a consistent and available connection. In the event the C2 is unreachable, the implant continues to beacon to the C2 until connectivity can be established, or some sort of termination command is received. Most analyzed Katz stealer samples contain hardcoded C2 IP addresses as opposed to more ‘resilient’ options like DNS-centric C2 communications.

The bulk of C2 communications within Katz Stealer are IP-based with the use of HTTP/HTTPs for the primary functions. There are multiple attacker-controlled domains used to control the main malware infrastructure and host the MaaS components with the management panels.

Katz Stealer is not a ‘one shot’ infostealer; it is designed to continually exfiltrate the victim’s data. The malware not only extracts data found on a targeted system at the point of infection but also as data updated, changed, or freshly introduced. Credentials, tokens, and plain text data may be sent line-by-line via HTTP Post to the C2 servers. Larger data blocks like screenshots, audio-visual data and cryptocurrency wallets are transferred via similar methods, but broken up into chunks which are then reconstructed on the server side.

Once the malware operators have determined that the stealer has harvested all targeted and desired data, they are able to invoke steps to remove traces of the incident. The malware removes all temporary files and folders used to store locally harvested data; any output logs or temporary data files are wiped and all injected processes are terminated, removing the malicious code from memory.

Conclusion

Katz Stealer represents a potent combination of credential theft and modern malware design. It has multi-faceted stealing abilities across browsers, messaging systems and cryptodata, along with stealthy delivery methods (in memory staging, pseudo-steganography, process injection and hollowing). This feature set, and low barrier of entry are resulting in a notable increase in Katz Stealer use and an overall rise in the adoption of this tool as a viable infostealing platform.

However, Katz Stealer still relies on social engineering and user interaction to enable a successful compromise. This is a malicious mix of old and new. The SentinelOne Singularity is capable of detecting and preventing malicious behaviors and artifacts associated with Katz Stealer.

Indicators of Compromise

Files SHA-1
0076795b220fa48c92b57994b015119aae8242ca
0c1f2ee0328e0ed7e4ec84ef452bffa1749f5602
17ce22264551bd32959790c4c2f57bec8304e2ce
1976a1a05a6a47ac33eb1cfc4e5a0eb11863f6eb
1b6b072df8f69a47fd481fa9be850c0063fd5b93
1d5ef46357eb2298b1c3c4faccbaafa729137613
1ee406eb68ab92bad77cf53df50c4ce6963e75fd
26e089bed61c0d89e5078f387bd55dd5895d4fc0
29daa866c85fc1e302c40a73bc2a0772aa285295
2f2ced67e87101f4d1275456f0861209809492fc
3cf4f3ababa912e0e6bb71ab5abb43681d8e7ecc
47ea1c41f79f775f0631191ee72852c1bfb61a7e
4e69cb16a3768733d94bb1b5d8f1556d0bddd09b
4eeda02db01cdf83948a83235c82e801522efa54
5179dbf5e9fd708f6e6df8b4913f21c3b78d5529
5492947d2b85a57f40201cd7d1351c3d4b92ae88
571b3681f7564236b7527d5b6fe14117f9d4de6d
5de014856702b9f1570944e8562ce283f7cd0a64
6351b5505dc671d143d5970eb08050d2f7344149
680984e43b76aa7a58ed9b617efe6afcb1f04bb7
6d88a5f0021278c2c3a56c177f39f4a31f286032
76bb7ffe523f594308ecd482db4f32047905c461
80f1b8b27833db614d3f7c2a389aceb033b8ce80
82dc7c0ca39f114c333caae9a6931a2a1c487ee5
8c2422ebab77a0de81d2e46e1326d8912b099018
9becb041aedc7c6aafeb412b4b91788e1df65b38
9c60a2b4764b7b5e3a6c7f20036490a539996d8a
a0717a486b4e037871c4657cf353cd298f13601f
b3d574dfb561f5439930e2a6d10917f3aa58c341
b40e56439d4dcdc238b8254adbd8862c73ca34bc
b61f92613dc911609b78a1e83c5baadc7e289dbc
b744179d3304d1e977e680502d201b7df49cb188
bbf2a5fdb039366b3f9eca603bf08ae92c43c0ef
cc800e4977d76c38656f3f60c5ed5f02df6a2f7b
ce19aa5eb7fce50dd94b5f740d162f8d9b057fde
da5ed6b939f51370709f66cbf0d8201ec8cd58b0
dffc1167399631ed779b5698d0ac2d9ea74af6c8
dffddd2fb7b139d2066284c5e0d16909f9188dc2
e26d65d8c25b0be7379e4322f6ebcadecbb02286
e78f942ca088c4965fcc5c8011cf6f9ee5c2a130
fb4792306f2cf514e56bc86485920b8134954433

Network Communications
172.67.146[.]103
185.107.74[.]40
195.182.25[.]71
31.177.109[.]39
80.64.18[.]219
katz-panel[.]com
katz-stealer[.]com
katzstealer[.]com
pub-ce02802067934e0eb072f69bf6427bf6.r2[.]dev
twist2katz[.]com
Zxczxczxczxc.twist2katz[.]com

OSINT
Usernames:

• Katzadmin
• KatzStealer
• @katzst
• @katzcontact
• @katzadmin

qTOX ID:

 	375AB62BD333F80905E612DB71BEE06660C40F00AAF393FD7F8605DF5761E47670B6578C9410

Introduction

This write-up details the “Cat” machine from Hack The Box, a Medium-rated Linux challenge.

Objective on Cat Machine

The goal is to complete the “Cat” machine by accomplishing the following objectives:

User Flag:

To obtain the user flag, an attacker first exploits a Stored Cross-Site Scripting (XSS) vulnerability in the user registration form, which allows stealing the administrator’s session cookie. With this stolen session, the attacker accesses the admin panel and exploits an SQL Injection flaw to extract sensitive user credentials from the database. After cracking these credentials, SSH access is gained as a regular user, enabling the retrieval of the user flag—a secret token proving user-level access.

Root Flag:

For the root flag, privilege escalation is performed by finding a vulnerable image processing script owned by the root user. The attacker crafts a malicious image payload that executes unauthorised commands with root privileges. This leads to obtaining a root shell—the highest level of system access—allowing capture of the root flag, which confirms full control over the machine.

Reconnaissance and Enumeration on Cat Machine

Establishing Connectivity

I connected to the Hack The Box environment via OpenVPN using my credentials, running all commands from a Parrot OS virtual machine. The target IP address for the Dog machine was 10.10.11.53.

Initial Scanning

To identify open ports and services, I ran an Nmap scan:

nmap -sC -sV 10.10.11.53 -oA initial

nmap -sC -sV 10.10.11.53 -oA initial

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/cat]
└──╼ $ nmap -sC -sV -oA initial -Pn 10.10.11.53
# Nmap 7.94SVN scan initiated Tue Jun 17 10:05:26 2025 as: nmap -sC -sV -oA initial -Pn 10.10.11.53
Nmap scan report for 10.10.11.53
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
|   256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_  256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://cat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 17 10:05:33 2025 -- 1 IP address (1 host up) scanned in 7.38 seconds

┌─[dark@parrot]─[~/Documents/htb/cat]
└──╼ $ nmap -sC -sV -oA initial -Pn 10.10.11.53
# Nmap 7.94SVN scan initiated Tue Jun 17 10:05:26 2025 as: nmap -sC -sV -oA initial -Pn 10.10.11.53
Nmap scan report for 10.10.11.53
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
|   256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_  256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://cat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 17 10:05:33 2025 -- 1 IP address (1 host up) scanned in 7.38 seconds

Analysis:

• Port 22 (SSH): OpenSSH 8.2p1 on Ubuntu 4ubuntu0.11 risks remote code execution if unpatched (e.g., CVE-2021-28041).
• Port 80 (HTTP): Apache 2.4.41, vulnerable to path traversal (CVE-2021-41773), redirects to cat.htb, hinting at virtual host misconfigurations.

Web Enumeration:

Perform directory fuzzing to uncover hidden files and directories.

gobuster dir -u http://cat.htb -w /opt/common.txt

gobuster dir -u http://cat.htb -w /opt/common.txt

Let’s perform directory enumeration with Gobuster to identify any potentially useful resources.

Gobuster Output:

Web Path Discovery (Gobuster):

• /.git Directory: Exposed Git repository risks source code leakage, revealing sensitive data like credentials or application logic.
• /admin.php, /join.php, and Other Paths: Discovered sensitive endpoints may lack authentication, enabling unauthorised access or privilege escalation.

The website features a typical interface with user registration, login, and image upload functionalities, but the presence of an exposed .git directory and accessible admin endpoints indicate significant security vulnerabilities.

Git Repository Analysis with git-dumper

Utilised the git-dumper tool to clone the exposed Git repository by executing the command git-dumper http://cat.htb/.git/ git. Subsequently, employed a Git extraction tool to retrieve critical source code files, including join.php, admin.php, and accept_cat.php, for further analysis.

Within the cloned Git repository, several PHP files were identified, meriting further examination for potential vulnerabilities or insights.

Source Code Analysis and Review on Cat Machine

Source Code Review of accept_cat.php

The accept_cat.php file is intended to let the admin user 'axel' Accept a cat by inserting its name into the accepted_cats table and deleting the corresponding entry from the cats table. The script correctly verifies the user’s session and restricts actions to POST requests, which is good practice. However, it constructs the insertion SQL query by directly embedding the $cat_name variable without any sanitisation or use of prepared statements:

$sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
$pdo->exec($sql_insert);

$sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
$pdo->exec($sql_insert);

This exposes the application to SQL injection attacks, as malicious input in catName could manipulate the query and compromise the database. On the other hand, the deletion query is properly parameterised, reducing risk. To secure the script, the insertion should also use prepared statements with bound parameters. Overall, while session checks and request validation are handled correctly, the insecure insertion query represents a critical vulnerability in accept_cat.php.

Vulnerability Review of admin.php

This admin page lets the user ‘axel’ manage cats by viewing, accepting, or rejecting them. It correctly checks if the user is logged in as ‘axel’ before allowing access and uses prepared statements to fetch cat data from the database safely. The cat details are displayed with proper escaping to prevent cross-site scripting attacks.

However, the page sends AJAX POST requests to accept_cat.php and delete_cat.php without any protection against Cross-Site Request Forgery (CSRF). This means an attacker could potentially trick the admin into performing actions without their consent. Also, based on previous code, the accept_cat.php script inserts data into the database without using prepared statements, which can lead to SQL injection vulnerabilities.

To fix these issues, CSRF tokens should be added to the AJAX requests and verified on the server side. Additionally, all database queries should use prepared statements to ensure user input is handled securely. While the page handles session checks and output escaping well, the missing CSRF protection and insecure database insertion are serious security concerns.

Security Audit of view_cat.php

The view_cat.php script restricts access to the admin user 'axel' and uses prepared statements to safely query the database, preventing SQL injection. However, it outputs dynamic data such as cat_name, photo_path, age, birthdate, weight, username, and created_at directly into the HTML without escaping. This creates a Cross-Site Scripting (XSS) vulnerability because if any of these fields contain malicious code, it will execute in the admin’s browser.

The vulnerable code includes:

Cat Details: <?php echo $cat['cat_name']; ?>
<img src="<?php echo $cat['photo_path']; ?>" alt="<?php echo $cat['cat_name']; ?>" class="cat-photo">
<strong>Name:</strong> <?php echo $cat['cat_name']; ?><br>
<strong>Age:</strong> <?php echo $cat['age']; ?><br>
</code>

Cat Details: <?php echo $cat['cat_name']; ?>
<img src="<?php echo $cat['photo_path']; ?>" alt="<?php echo $cat['cat_name']; ?>" class="cat-photo">
<strong>Name:</strong> <?php echo $cat['cat_name']; ?><br>
<strong>Age:</strong> <?php echo $cat['age']; ?><br>
</code>

To mitigate this, all output should be passed through htmlspecialchars() to encode special characters and prevent script execution. Additionally, validating the image src attribute is important to avoid loading unsafe or external resources. Without these measures, the page remains vulnerable to XSS attacks.

Input Validation Analysis of join.php

The provided PHP code is vulnerable to several security issues, primarily due to improper input handling and weak security practices. Below is an explanation of the key vulnerabilities, followed by the relevant code snippets:

1. Cross-Site Scripting (XSS): The code outputs $success_message and $error_message without sanitisation, making it susceptible to XSS attacks. User inputs (e.g., $_GET['username'], $_GET['email']) are directly echoed, allowing malicious scripts to be injected.

<?php if ($success_message != ""): ?>
   <div class="message"><?php echo $success_message; ?></div>
   <?php endif; ?>
   <?php if ($error_message != ""): ?>
   <div class="error-message"><?php echo $error_message; ?></div>
   <?php endif; ?>

<?php if ($success_message != ""): ?>
   <div class="message"><?php echo $success_message; ?></div>
   <?php endif; ?>
   <?php if ($error_message != ""): ?>
   <div class="error-message"><?php echo $error_message; ?></div>
   <?php endif; ?>

2. Insecure Password Storage: Passwords are hashed using MD5 (md5($_GET['password'])), which is cryptographically weak and easily cracked.

$password = md5($_GET['password']);

$password = md5($_GET['password']);

3. SQL Injection Risk: While prepared statements are used, the code still processes unsanitized $_GET inputs, which could lead to other injection vulnerabilities if not validated properly.
4. Insecure Data Transmission: Using $_GET for sensitive data like passwords, exposing them in URLs risks interception.

To mitigate these, use htmlspecialchars() for output, adopt secure hashing (e.g., password_hash()), validate inputs, and use $_POST for sensitive data.

Workflow Evaluation of contest.php

The PHP code for the cat contest registration page has multiple security flaws due to weak input handling and poor security practices. Below are the key vulnerabilities with relevant code snippets:

Cross-Site Scripting (XSS): The $success_message and $error_message are output without sanitization, enabling reflected XSS attacks via crafted POST inputs (e.g., cat_name=<script>alert(‘XSS’)</script>).

<?php if ($success_message): ?>
    <div class="message"><?php echo $success_message; ?></div>
<?php endif; ?>
<?php if ($error_message): ?>
    <div class="error-message"><?php echo $error_message; ?></div>
<?php endif; ?>

<?php if ($success_message): ?>
    <div class="message"><?php echo $success_message; ?></div>
<?php endif; ?>
<?php if ($error_message): ?>
    <div class="error-message"><?php echo $error_message; ?></div>
<?php endif; ?>

• Weak Input Validation: The regex (/[+*{}’,;<>()\\[\\]\\/\\:]/) in contains_forbidden_content is too permissive, allowing potential XSS or SQL injection bypasses.

$forbidden_patterns = "/[+*{}',;<>()\\[\\]\\/\\:]/";

$forbidden_patterns = "/[+*{}',;<>()\\[\\]\\/\\:]/";

• Insecure File Upload: The file upload trusts getimagesize and uses unsanitized basename($_FILES[“cat_photo”][“name”]), risking directory traversal or malicious file uploads.

$target_file = $target_dir . $imageIdentifier . basename($_FILES["cat_photo"]["name"]);

$target_file = $target_dir . $imageIdentifier . basename($_FILES["cat_photo"]["name"]);

To mitigate, sanitize outputs with htmlspecialchars(), use stricter input validation (e.g., FILTER_SANITIZE_STRING), sanitize file names, restrict upload paths, and validate file contents thoroughly.

User Registration and Login

Clicking the contest endpoint redirects to the join page, which serves as the registration page.

Let’s create a new account by completing the registration process.

The registration process was completed successfully, confirming that new user accounts can be created without errors or restrictions.

Logging in with the credentials we created was successful.

After a successful login, the contest page is displayed as shown above.

Let’s complete the form and upload a cat photo as required.

Successfully submitted the cat photo for inspection.

Exploiting XSS to Steal Admin Cookie for Cat Machine

Initialise the listener.

Injected a malicious XSS payload into the username field.

Let’s create a new account by injecting malicious XSS code into the Username field while keeping all other inputs valid.

Let’s fill out the form with normal inputs as before.

The process may take a few seconds or minutes, depending on the response time. I have attempted multiple times to ensure it works successfully.

Used Firefox Dev Tools to set the cookie and gain access to admin features

Once we obtain the token hash, we need to copy and paste it into Firefox’s inspector to proceed further.

After that, simply refresh the page, and you will notice a new “Admin” option has appeared in the menu bar.

Clicking the Admin option in the menu bar redirects us to the page shown above.

Click the accept button to approve the submitted picture.

Leveraging XSS Vulnerability to Retrieve Admin Cookie for Cat Machine

Used Burp Suite to analyze POST requests.

Use Burp Suite to examine network packets for in-depth analysis.

Test the web application to determine if it is vulnerable to SQL injection attacks.

Attempting to inject the SQL command resulted in an “access denied” error, likely due to a modified or invalid cookie.

SQL Injection and Command Execution

After reconstructing the cookie, the SQL injection appears to function as anticipated.

Successfully executed command injection.

We can use the curl command to invoke the malicious file and execute it. The fact that it’s hanging is promising, indicating potential success.

It was observed that bash.sh has been transferred to the victim’s machine.

Success! A shell was obtained as the www-data user.

Database Enumeration

It’s unusual to find cat.db while searching for the database file.

Transfer the SQL file to our local machine.

We discovered that cat.db is a SQLite 3.x database.

sqlite3 cat.db opens the cat.db file using the SQLite command-line tool, allowing you to interact with the database—run queries, view tables, and inspect its contents.

The cat.db database contains three tables: accepted_cats, cats, and users, which likely stores approved cat entries, general cat data, and user information, respectively.

Immediate cracking is possible for some obtained hashes.

The screenshot shows the hashes after I rearranged them for clarity.

Breaking Password Security: Hashcat in Action

We need to specify the hash mode, which in this case could be MD5.

We successfully cracked the hash for the user Rosa, revealing the password: soyunaprincesarosa.

Boom! We successfully gained access using Rosa’s password.

The access.log file reveals the password for Axel.

The user Axel has an active shell account.

The credentials for Axel, including the password, were verified successfully.

Access is achievable via either pwncat-cs or SSH.

Executing the appropriate command retrieves the user flag.

Escalate to Root Privileges Access on Cat Machine

Privilege Escalation

The Axel user does not have sudo privileges on the cat system.

Email Analysis

We can read the message sent from Rosa to Axel.

The emails are internal updates from Rosa about two upcoming projects. In the first message, Rosa mentions that the team is working on launching new cat-related web services, including a site focused on cat care. Rosa asks Axel to send details about his Gitea project idea to Jobert, who will evaluate whether it’s worth moving forward with. Rosa also notes that the idea should be clearly explained, as she plans to review the repository herself. In the second email, Rosa shares that they’re building an employee management system. Each department admin will have a defined role, and employees will be able to view their tasks. The system is still being developed and is hosted on their private Gitea platform. Rosa includes a link to the repository and its README file, which has more information and updates. Both emails reflect early planning stages and call for team involvement and feedback.

Checking the machine’s open ports reveals that port 3000 is accessible.

Therefore, we need to set up port forwarding for port 3000.

Gitea Exploitation on Cat Machine

The service running on port 3000 is the Gitea web interface.

Using Axel’s credentials, we successfully logged in.

Gitea service is running version 1.22.0, which may contain specific features and known vulnerabilities relevant for further evaluation.

Start the Python server to serve files or host a payload for the next phase of the assessment.

Inject the XSS payload as shown above.

The fake email is sent to the user jobert to test the functionality.

Obtained a base64-encoded cookie ready for decoding.

The decoded cookie appears to contain the username admin.

Edit the file within the Gitea application.

Obtained the token as shown above.

<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || 
    $_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {
    
    header('WWW-Authenticate: Basic realm="Employee Management"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || 
    $_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {
    
    header('WWW-Authenticate: Basic realm="Employee Management"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

This PHP script enforces HTTP Basic Authentication by verifying the client’s username and password against predefined valid credentials: the username “admin” and the password “IKw75eR0MR7CMIxhH0.” Upon receiving a request, the script checks for authentication headers and validates them. If the credentials are missing or incorrect, it responds with a 401 Unauthorised status and prompts the client to authenticate within the “Employee Management” realm.

The password discovered grants root access and functions as an administrator password on Windows machines.

Executing the appropriate command retrieves the root flag.

The post Hack The Box: Cat Machine Walkthrough – Medium Diffculity appeared first on Threatninja.net.

Pets are adopted for unconditional love and to have one who’s always with us. Simultaneously, pets do need proper care and attention to stay fit. It’s the responsibility of the pet owner to take of their pet’s food, health, exercise, and other necessities.

However, when the owner needs to go out for a business trip or vacation, they need to board pets at Kennel. But it’s not a good alternative to pet care as separation from the home environment makes pets and their owners anxious. Here come pet care business services to the rescue. Pet care business provides a wide range of pet services that ensures the complete care of the pets.

With the presence of reimbursement policies and increasing pet humanization, the pet care market size is growing at scale. According to research, the pet care market size is expected to become $550 billion by 2032 with a 7% growth from 2022-2032.

The growing market volume of the pet care industry creates lucrative business opportunities for those who love pets. Starting a pet care business is a great idea to make millions a year with various pet care services. Before we jump into the pet care business to make the most out of the wide opportunities, take a look at the different service applications that you can consider as your profession.

From Grooming to Boarding: Understanding the Different Pet Care Businesses

The pet care industry is divided into various pet business models that are helping pet lovers fur-ever care of their pets. Exploring different types of Pet-friendly businesses can have positive effects on professionals as it will aid them to make inroads into the million-dollar pet care industry. Let’s have a look at some of the remarkable pet care businesses that are available –

Pet grooming: Professionals can start grooming boutiques that provide pet grooming services such as facials, massages, pedicures, teeth cleaning, and aromatherapy.

Pet boarding and kennels: Boarding facilities for pets are extended to the days till when the owner is out of town. The pets are left in a kennel for homely feeling while interacting with other animals.

Pet Daycare: Get a land or building and allow pet owners to drop their pets off in the morning and take them back in the evening. Meanwhile, pets are fed, walk, and had fun outside.

Pet retail and supplies: Launch a pet retail store where pet owners can buy everything that they need for pet care from food to accessories.

Pet marketplace app: Create a platform such as a mobile, website, or software system where pet item sellers can register and sell things online that enables pet owners to get everything under one roof.

Pet adoption app: Launch a mobile pet adoption business where pet owners will get a list of various breeds of pets and get connected with the pet owner to buy them.

Dog walking: Start a dog walking business by taking the dogs for a walk, making them exercise, and spending a few hours outside in exchange for a few bucks.

Pet sitting: Professionals visit the home and take care of pets when the owner needs to go out. You can carve out the niche where you provide pet care services.

On-demand vet app: Launch an on-demand vet business app that helps pet owners easily get connected with pet vets or veterinarians so that they can get immediate medication help.

Pet food delivery app: Get into the pet food delivery business wherein pet food retailers supply pet food to the doorstep of the pet owners.

Pet wearable app: Pet owners can identify their pet’s location in real-time with a wearable device attached to the pet that helps them track every movement anytime, anywhere.

Pet training & counseling: You can start providing counseling services to the owner to better take care of their pet and train the pets at home or other places.

Pet matchmaking app: Help pet lovers to get the best pet animal matching their needs such as a family pet, safety pet, or companion pet with pet matchmaking app engineering. Also, one can help to connect 2 pets for matchmaking as well.

Pet exercise tracker app: Enable pet owners to keep an eye on their pet’s exercise and other activities right on their mobile with pet exercise tracker app development.

Dog park locator app: Allow pet owners to easily find out the nearby park where they can take their dog for a small walk or fun through the dog park locator app.

From Dream to Reality: Starting Your Own Pet Care Business

Starting a pet care business is more than business registration with the state government. Here’s the step-by-step guide that helps you begin and launch a successful pet care business. Take a tour through all the steps-

Business plan

First, map out the business specifics with well-defined strategy creation, risk identification, and discovery of unknown factors. The business plan defines business description such as types of pets to take care of, accommodation facilities to arrange, and business niches like- pet daycare or pet grooming.

After summarizing the business description, figure out the cost involved in starting the pet care business followed by ongoing expenses. Post-calculation of the pet care business cost, find out the ways to make money and set up the prices for pet care services to keep your business profitable.

Not to forget, select the business name and get it registered. However, before business name registration, you can research for business name on social media channels, federal and state trademark records, and state business records. Having a business plan for your pet care business requirement in detail will help you to get a good Return on Investment in less time.

Financing option

Starting a pet care business is sometimes an inexpensive and costly affair as well. If your pockets are not deep and require finances to start a pet care business, then you need to look for funding options, such as crowdfunding or angel investment.

With financial statement analysis, and profit and loss estimation, create a financial plan to know how much funds you need. Thereafter, you can get connected with investors to fund your pet care business project, and apply for loans, or mortgages to have the necessary funds to get started.

Licensing and regulations

Some locations require pet care businesses to have permits and licenses to operate. You should check with your local authorities for a license and permit you should obtain. A sales tax license or permit is also required to sell any kind of pet care products and services. Small business administration can help you understand which license you need.

Check the regulations rolled out for enabling pet care services in the home or the lease/rent property. State laws put restrictions on the number of pets taken care of at one time. Thereafter signing a service agreement is important that details the services, pricing, visits, payment option, and others.

Equipment and supplies

Some pet care services are modernized that require equipment and supplies. For instance, you need to have an animal clipper, pet shampoo, pet healthcare products, pet soap, clothing, a toothbrush, and more supplies for providing pet grooming services. In the same vein, bathing stations, grooming tables, grooming shears, and more are needed as equipment.

Identify your business niche and then research the equipment setup and supplies required to deliver the best pet care services.

The Ultimate Checklist for Managing a Pet Care Business

After starting your pet care service business you need to manage it in the best way possible to ensure it runs smoothly and properly. Here are the ways to take care of your pet care business:

Staffing and training

Some pet services require professionals to get certification and training so that they can deliver better pet care services. Ensure the pet care providers must have a certain level of expertise and skills such as the pet’s behavioral or dietary issues that makes pet owners feel their pet is in safe hands.

For instance, Hiring trained dog walkers guarantees that they can handle various types of dogs properly because they are aware of the cautious precautions to be taken when handling and treating pets.

Bookkeeping and accounting

To successfully run a business of pet services legitimately, you are liable for various responsibilities such as bookkeeping, accounting, taxes, and more. The owner should create a business account for transactions that are kept separate from the personal account. Use accounting software for expenses and revenue tracking and link it with the business account. Later, account reconciliation is important to ensure no record duplication, which is a great help during the audit.

Insurance liability

Having insurance is a must in pet care services as you are engaging with living animals. Obtaining liability insurance helps you protect employees, property, and other people. Property insurance is a must when you are providing pet care services outside the home say dog walking services. Also, employees are covered with worker’s insurance compensation.

Customer service and satisfaction

The user-centric business needs quality pet care service delivery to make the pet owners happy and satisfied. It requires pet care service provider to hire pet-friendly employees, adjust service prices, and build pet care software application that attracts maximum customers and make them repetitively use the services. You can take this as an opportunity that enables you to consistently deliver the best customer experience and keep the positive impact forever.

Marketing and advertising

Moving ahead according to the business plan, you made everything ready. Now, it’s high time to spread the word about the pet care services that you offer to pet parents. There are a couple of ways to market and promote your pet care services business uniquely.

Harness social power: Create business pages on social media platforms such as Instagram, Facebook, LinkedIn, and Twitter, or list your business on the classified or business listing directories such as Yelp, Foursquare, Thumbtack, Angi, and Craigslist. Post pictures and reviews of customers regularly to get more popular.

Loyalty program: Provide incentives to the existing customers or reward them for showing their patronage of the business. You can also reward them for bringing in new clients.

Furry Ventures!

If you are the one with an entrepreneurial mindset and experience low stress while spending time with pets, the pet care business idea is great for you. With the growing preferences of pet owners to get their pets taken care of by professional pet care service providers, the opportunities are immense. Be compassionate and provide quality care to launch a pet care startup like a pro.

The step-by-step process to start a pet care business and tips to best manage the business allow you to launch and prosper the business boundlessly. Choose your niche and start it right away!

The post Paws for Success: The Pet-Preneur’s Guide to Starting your own Pet Care Business appeared first on TopDevelopers.co.

What exactly is SaaS Security?

Many organizations have multi-cloud setups, with the average corporation employing services from at least five cloud providers. Compatibility problems, contract breaches, non-secured APIs, and misconfigurations are among the security hazards cloud computing brings, which is popular.

SaaS configurations are an attractive target for cybercriminals because they store a large amount of sensitive data, such as payment card details and personal information. Consequently, enterprises need to emphasize the importance of SaaS security. 

SaaS security includes techniques companies use to secure their assets while employing SaaS architecture. According to the UK’s National Cyber Security Centre (NCSC), SaaS security rules, the client and the service provider or software distributor must share security responsibilities. Moreover, service providers offer SaaS Security Posture Management (SSPM) solutions that automate and manage SaaS security.

As SaaS usage and adoption continue to increase, so does the SaaS security problem. The top SaaS security issues are misconfigurations, access management, compliance, data storage, retention, privacy and data breaches, and disaster recovery.

It is easy to believe that protecting SaaS only prevents users from accessing the internet. However, securing SaaS usage is far more challenging than it initially appears.

The fact is that there is no universal, all-encompassing SaaS security checklist. Businesses vary; they perform distinct tasks, operate differently, and have specific needs. Check out this article by Zluri.

Why is SaaS Security a priority?

Many firms are familiar with IaaS and PaaS security threats. IT and security teams frequently communicate through linked business processes and applications. IaaS and PaaS management and security technologies are also widespread.

SaaS security can safeguard a corporation from cyberattacks and data leaks. Any SaaS company should take security precautions to secure its data, assets, and reputation. 

SaaS programs work differently and provide advantages to businesses. However, they can be more difficult to administer from a security standpoint:

The design of SaaS applications supports a range of teams inside a business. For example, Record systems are utilized for client data by sales teams, source code by development teams, and HR information by HR teams. Such SaaS apps are typically used regularly by many end-users with varying degrees of technical expertise. SaaS apps are challenging to understand due to their volume and complexity.

Communication:

There is limited communication between security teams and the business administrators who pick and manage new SaaS technology. Limited team contact makes it more challenging for security teams to identify the breadth of use and related dangers when fully operating apps.

Collaboration:

The internal teams supporting SaaS services typically lack the requisite advice to safeguard them. Constant communication is necessary for balancing business and security requirements. To maintain consistency, enterprises should invest more resources and effort in identifying and addressing security issues and treat SaaS like bare metal, IaaS, PaaS, and endpoint security. 

The security problems that SaaS users face

McKinsey surveyed cybersecurity specialists from over 60 firms to understand how they handled SaaS security concerns. Most respondents said they had increased their attention on SaaS security, highlighting their and their providers’ security offerings.

As expected, Chief Information Security Officers (CISOs) were frustrated by suppliers’ security deficiencies. They complained about contractual and implementation delays and customer-centric security. They wanted SaaS companies to enable security experts to understand product security and set up and integrate them more simply.

Most respondents used SaaS for IT service management and office automation. But, given the dangers, several CISOs said their firms weren’t ready for SaaS in essential areas. Resource planning software was deemed too risky since downtime may cripple the company. Due to data confidentiality, companies hesitated to utilize SaaS for health-related or mergers-and acquisitions applications.

With more complex technologies like AI, cyberattacks become more sophisticated. For this reason, you must regularly review your SaaS security procedures. Listed here are the eight most prevalent SaaS security concerns, in case you are unfamiliar with them. 

1. Management of Identity and Access

A CISO establishing a SaaS application security strategy must include access management as one of the fundamental foundations. However, if not done precisely, it can create a security hole that allows an attacker to enter. 

Single Sign-On

Examples of successful ‘Identity and Access Management (IAM) strategies implemented by SaaS companies include Single Sign-On (SSO) and Secure Web Gateways (SWG). With SSO, the user must log in once to access all linked services inside a single ecosystem. However, if the provider has a secure access mechanism, SSO might introduce SaaS security problems, as it enables simple tracking of ID and password and access to multiple services. 

2. Virtualization

Most SaaS services utilize virtualization because it provides more uptime than conventional computers. Nonetheless, if a single virtual machine is hacked, numerous parties may have problems since data is copied across servers. Virtualization has substantially improved mobile app security over the years, but there are still vulnerabilities that hackers are likely to exploit. 

3. Obscurity

The SaaS model concentrates on application and business continuity while the service providers make infrastructure and architecture decisions. Occasionally, these suppliers withhold crucial back-end information, a significant red flag. CISOs should hold one-on-one meetings with service providers and inquire about their security measures. Remember that you must select a service that can provide adequate responses on data security. 

4. Accessibility

Suitable SaaS applications are available from any location. This benefit, however, might soon become negative if the devices accessing the application are infested with viruses and malware. In addition, if the user accesses the application over a public WiFi network or VPN, it might pose a security risk to your infrastructure. Therefore, CISOs should prioritize safeguarding all endpoints to prevent such threats. 

For example, the NHS (National Health Service) is a publicly financed healthcare institution established in the United Kingdom. The system contains voluminous sensitive data, such as patients’ health information, physicians’ information, pharmaceutical data, etc. Therefore, protecting every endpoint was essential. The university then cooperated with Cisco, which helped build the SecureX unified security platform. This technology protects the NHS’s highly targeted PII (Personally Identifiable Information) against internet thieves. It also allows users to protect data from phishing attempts, ransomware, data exfiltration, etc. 

5. Data Control

With SaaS, all data is stored and managed on the cloud, leaving you little control over data storage and management. If you have a problem, you are relying on the service providers. Before signing a contract, ask the SaaS provider about data storage patterns, security measures, and disaster recovery processes. After receiving positive responses, you can form a partnership with the supplier. 

6. Misconfigurations

SaaS apps are renowned for incorporating several complex features into a single solution. However, they add complexity to the code and increase the likelihood of misconfigurations. Even a little coding error might influence the availability of your cloud services. In one of the most disastrous misconfigurations of 2008, a Pakistani Telecom application attempted to restrict YouTube for legal reasons. However, in trying to block YouTube, they established a dummy route that resulted in misconfigurations, resulting in YouTube being unavailable worldwide for two hours. 

7. Disaster Restoration

Regardless of the security procedures, you employ to protect your application, server, infrastructure, and data; there is always the possibility of a disaster since the future is unpredictable. CISOs should ask suppliers of SaaS security solutions: 

• In the event of a catastrophe, what happens to all cloud-stored data?
• Do you ensure complete data recovery?
• Do you include catastrophe recovery in your service-level agreement?
• How long will it require to retrieve and restore the data? 

5 Ways to Strengthen your SaaS Security with SaaS Ops

Source

1. Develop Real-time Security Observability and Ongoing System Monitoring 

Due to the dynamic infrastructure, changes in SaaS settings tend to occur often, and this has instantaneous effects, and influence on many resources. Running a SaaS infrastructure without real-time security monitoring and observability is equivalent to flying blind. 

     2.Configure and Constantly Monitor Configuration Settings

The SaaS landscape is constantly evolving. Since services are frequently launched and withdrawn in real time, configuring them correctly and monitoring settings can help you secure your customers’ data. 

    3.Utilize Operations Theory for Security

Practical operations principles may address tech sprawl, lack of integration between tool sets, lack of visibility, and operations running at the speed of business without security checks. Remember, “Great ops = great security.” 

    4.Protect Data

Storing unencrypted data on the cloud might expose your business to reputational harm, revenue loss, and customer loss. Encryption is one of the simplest and the most effective methods for securing client information.

 Obtain Compliance & Regulatory Consulting Services, IT Audits, Risk & Security Management solutions, and training programs that meet the industry’s Regulatory Compliance and Information Security problems.

   5.Measure & Enhance Performance

If you have a method for measuring performance, you can examine the impact of infrastructure modifications. Consequently, you may accomplish the constant security and performance enhancements essential for enhancing client relationships.

Now that you have a better grasp of the SaaS data security landscape, let’s examine the measures you can take to secure this at your organization: 

1. Document your Data Processing Actions

Regarding SaaS data security, RoPA is only one starting point. RoPA stands for Record of your Processing Activities, a requirement of the GDPR. You are compelled by law to comply with this requirement.

Consider this an overview of all of your data processing procedures. It is a single document detailing your company’s data processing activities. Some examples of personal information processing activities include marketing, human resources, and third-party operations.

This is vital not just because the GDPR needs it but also because it assists organizations with self-auditing. If you keep track of and comprehend your data processing operations, you will be in the greatest position to implement data security.

After all, you cannot manage risks without first identifying them, correct?

2.Establish Authentication Methods and Necessitate a Formidable Password

Implementing appropriate access controls is one of the most critical measures to reduce the likelihood of a data breach. The first line of defense in this regard is a strong password.

Whenever a user establishes an account, you must ensure that they choose a secure and effective password, which should contain a combination of uppercase and lowercase letters, numbers, and special characters. Do not permit the use of clearly identifiable terms as passwords.

Verify that you do not depend solely on passwords to grant access to an individual’s account. Multi-factor authentication necessitates completing more than one step before admittance is granted.

Several more alternatives are available, such as requiring the user to enter a code provided to their cell phone or doing facial verification. It depends on the software you give and the individuals utilizing it. 

3. Educate both your Consumers and your Staff

Education is essential for data security. You must do all your power to ensure that everyone using your program has the security expertise.

Did you know that 94% of businesses have had an insider data breach? While a few of these incidents may have been caused by malevolent employees, the great majority have been the consequence of unintended employee acts.

If they had received training on data security, this event might never have occurred.

The issue is that many companies are only concerned with the expense and resources associated with training. Nonetheless, it is crucial to calculate how much money you would lose if you were the victim of a data breach.

In addition, you must ensure that you are simultaneously teaching your clients. According to Gartner, customers will be accountable for 95% of cloud security breaches.

Whether releasing critical upgrades to existing clients or onboarding new ones, you must actively inform them how their activities affect security.

A growing number of SaaS companies are transitioning to cloud-based infrastructures. The great majority of customers are unaware of the ramifications of this decision. Educating your customers on how to secure their data is essential to reduce the likelihood of a security breach. 

4. Continuously Monitor User Responsibilities and Access

In addition to the topics we’ve already discussed, you must continue to monitor division of duties (SOD) infractions.

SaaS applications are developed using initialized roles. However, as time passes, these roles and the users may get confused, leading to SOD violations, and it can be a significant compliance burden.

To prevent SOD breaches, you must regularly monitor people and their assigned roles. 

5. Employ a Cybersecurity Company

If you are having trouble with SaaS data security, you should contact a cybersecurity company with experience in this field. Security is a challenging subject to master. On the other hand, you cannot afford to cut shortcuts since doing so might result in your company suffering a data breach, which could cost you hundreds or millions of dollars!

A good cybersecurity company can do a vulnerability assessment and even provide services such as penetration testing. This is ethical hacking if you have never heard the term before. It suggests that someone with good intentions will hack into your system before someone with malicious purpose. This will notify you of any software vulnerabilities so that you may make the necessary modifications.

Numerous aspects must be considered while searching for a reputable cybersecurity company. You want a corporation with a solid reputation and extensive industry expertise.

Concerning experience, you should not only seek a company with a substantial number of years under its belt, but you should also ensure that they have extensive expertise dealing with SaaS organizations.

Tips for SaaS security

 These strategies can protect SaaS environments and assets.

1.Authentication Strengthening

Cloud providers handle authentication differently, making it challenging to decide how customers should access SaaS applications. Some manufacturers support customer-managed identity providers like Active Directory (AD) with SAML, OpenID Connect, and Open Authorization. Some providers allow multifactor authentication. Some don’t.

The security team must know which services are used and the alternatives each service supports to manage SaaS products. This context allows administrators to choose the proper authentication method(s).

If the SaaS provider supports it, a single sign-on (SSO) connected to AD ensures that account and password policies match the application’s services.

2.Encryption of Data

The channels that interface with SaaS apps use Transport Layer Security (TLS) to secure data in transit. Some SaaS suppliers offer data-at-rest encryption. This feature may be defaulted or activated.

Investigate each SaaS service’s security procedures to discover if data encryption is possible and activate it if so. 

3.Oversight and Vetting

Review and examine any prospective SaaS provider (as you would with other vendors). Make sure you know how the service is used, its security model, and any extra security precautions. 

4.Discovery and Inventory

Tracking all SaaS usage is essential as usage patterns might be unpredictable, especially when apps are quickly launched. Ensure you hunt for fresh, untracked SaaS use and be watchful for changes. When possible, combine human and automatic data collection to keep up with growing SaaS consumption and maintain a reliable, up-to-date inventory of services and users. 

5.Cloud Access Protection Broker (CASB) tools

Consider employing a CASB solution when the SaaS provider does not provide enough security. CASB allows organizations to build SaaS-unique controls. Examine the SaaS provider’s security issues. You should also know the CASB deployment choices so you may choose the suitable configuration (API or proxy-based) for your organization’s architecture. 

6.Situational Awareness

Review data from CASBs and the SaaS provider’s data and logs to monitor SaaS consumption. IT and security directors must treat SaaS products differently from conventional websites since they are complex tools requiring the same degree of protection as any business application.

Adopting SaaS security best practices with systematic risk management provides consumer and enterprise SaaS security.

7.Utilize SaaS Security Posture Management (SSPM)

SSPM ensures SaaS apps remain secure. An SSPM system monitors SaaS applications for gaps between declared security policy and actual security posture, allowing you to automatically detect and repair security vulnerabilities in SaaS assets and prioritize risk severity.

Source

To summarize, we can say that many businesses rely on SaaS applications to perform mission-critical operations. Hence they must give the security measures around SaaS the same level of importance as those surrounding other technologies. It is possible to maintain the security of your data and the seamless operation of your business by continuously monitoring your SaaS environment, fixing misconfigurations as soon as they are discovered, and maintaining a tight check on third-party access to your systems.

One of the most prevalent realizations in the cybersecurity world over the last 5 years has been that many organizations are simply not aware of the vastness of their external attack surface. This has given rise to a defensive principle called “External Attack Surface Management“, or EASM. Without an EASM program at your organization, there is a high chance that your external assets will fall into a state of vulnerability at some point. In this article, we’ll discuss why this is the case and how we might defend against it.

The post Why is securing the external attack surface a hot topic for security experts right now? appeared first on Detectify Blog.

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations.

Shedding light on the “cracked doors” that cybercriminals are using to compromise cloud environments, the 2022 X-Force Cloud Threat Landscape Report uncovers that vulnerability exploitation, a tried-and-true infection method, remains the most common way to achieve cloud compromise. Gathering insights from X-Force Threat Intelligence data, hundreds of X-Force Red penetration tests, X-Force Incident Response (IR) engagements and data provided by report contributor Intezer, between July 2021 and June 2022, some of the key highlights stemming from the report include:

• Cloud Vulnerabilities are on the Rise — Amid a sixfold increase in new cloud vulnerabilities over the past six years, 26% of cloud compromises that X-Force responded to were caused by attackers exploiting unpatched vulnerabilities, becoming the most common entry point observed. 

• More Access, More Problems — In 99% of pentesting engagements, X-Force Red was able to compromise client cloud environments through users’ excess privileges and permissions. This type of access could allow attackers to pivot and move laterally across a victim environment, increasing the level of impact in the event of an attack.

• Cloud Account Sales Gain Grounds in Dark Web Marketplaces — X-Force observed a 200% increase in cloud accounts now being advertised on the dark web, with remote desktop protocol and compromised credentials being the most popular cloud account sales making rounds on illicit marketplaces.

Unpatched Software: #1 Cause of Cloud Compromise

As the rise of IoT devices drives more and more connections to cloud environments, the larger the potential attack surface becomes introducing critical challenges that many businesses are experiencing like proper vulnerability management. Case in point — the report found that more than a quarter of studied cloud incidents were caused due to known, unpatched vulnerabilities being exploited. While the Log4j vulnerability and a vulnerability in VMware Cloud Director were two of the more commonly leveraged vulnerabilities observed in X-Force engagements, most vulnerabilities observed that were exploited primarily affected the on-premises version of applications, sparing the cloud instances.

As suspected, cloud-related vulnerabilities are increasing at a steady rate, with X-Force observing a 28% rise in new cloud vulnerabilities over the last year alone. With over 3,200 cloud-related vulnerabilities disclosed in total to date, businesses face an uphill battle when it comes to keeping up with the need to update and patch an increasing volume of vulnerable software. In addition to the growing number of cloud-related vulnerabilities, their severity is also rising, made apparent by the uptick in vulnerabilities capable of providing attackers with access to more sensitive and critical data as well as opportunities to carry out more damaging attacks.

These ongoing challenges point to the need for businesses to pressure test their environments and not only identify weaknesses in their environment, like unpatched, exploitable vulnerabilities, but prioritize them based on their severity, to ensure the most efficient risk mitigation.

Excessive Cloud Privileges Aid in Bad Actors’ Lateral Movement

The report also shines a light on another worrisome trend across cloud environments — poor access controls, with 99% of pentesting engagements that X-Force Red conducted succeeding due to users’ excess privileges and permissions. Businesses are allowing users unnecessary levels of access to various applications across their networks, inadvertently creating a stepping stone for attackers to gain a deeper foothold into the victim’s cloud environment.

The trend underlines the need for businesses to shift to zero trust strategies, further mitigating the risk that overly trusting user behaviors introduce. Zero trust strategies enable businesses to put in place appropriate policies and controls to scrutinize connections to the network, whether an application or a user, and iteratively verify their legitimacy. In addition, as organizations evolve their business models to innovate at speed and adapt with ease, it’s essential that they’re properly securing their hybrid, multi-cloud environments. Central to this is modernizing their architectures: not all data requires the same level of control and oversight, so determining the right workloads, to put in the right place for the right reason is important. Not only can this help businesses effectively manage their data, but it enables them to place efficient security controls around it, supported by proper security technologies and resources.

Dark Web Marketplaces Lean Heavier into Cloud Account Sales

With the rise of the cloud comes the rise of cloud accounts being sold on the Dark Web, verified by X-Force observing a 200% rise in the last year alone. Specifically, X-Force identified over 100,000 cloud account ads across Dark Web marketplaces, with some account types being more popular than others. Seventy-six percent of cloud account sales identified were Remote Desktop Protocol (RDP) access accounts, a slight uptick from the year prior. Compromised cloud credentials were also up for sale, accounting for 19% of cloud accounts advertised in the marketplaces X-Force analyzed.

The going price for this type of access is significantly low making these accounts easily attainable to the average bidder. The price for RDP access and compromised credentials average $7.98 and $11.74 respectively. Compromised credentials’ 47% higher selling price is likely due to their ease of use, as well as the fact that postings advertising credentials often include multiple sets of login data, potentially from other services that were stolen along with the cloud credentials, yielding a higher ROI for cybercriminals.

As more compromised cloud accounts pop up across these illicit marketplaces for malicious actors to exploit, it’s important that organizations work toward enforcing more stringent password policies by urging users to regularly update their passwords, as well as implement multifactor authentication (MFA). Businesses should also be leveraging Identity and Access Management tools to reduce reliance on username and password combinations and combat threat actor credential theft.

To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2022 X-Force Cloud Security Threat Landscape here.

If you’re interested in signing up for the “Step Inside a Cloud Breach: Threat Intelligence and Best Practices” webinar on Wednesday, September 21, 2022, at 11:00 a.m. ET you can register here.

If you’d like to schedule a consult with IBM Security X-Force visit: www.ibm.com/security/xforce?schedulerform

The post Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments appeared first on Security Intelligence.

As reported in the IBM X-Force Threat Intelligence Index 2020, X-Force research teams operate a network of globally distributed spam honeypots, collecting and analyzing billions of unsolicited email items every year. Analysis of data from our spam traps reveals trending tactics that attackers are utilizing in malicious emails, specifically, that threat actors are continuing to target organizations through the exploitation of older Microsoft Word vulnerabilities (CVE-2017-0199 and CVE-2017-11882).

• CVE-2017-0199 was first disclosed and patched in April 2017. It allows an attacker to download and execute a Visual Basic Script containing PowerShell commands after the victim opens a malicious document containing an embedded exploit. Unlike many other Microsoft Word and WordPad exploits, the victim does not need to enable macros or accept any prompts — the document just loads and executes a malicious file of the attacker’s choosing.
• CVE-2017-11882 was first disclosed and patched in November 2017. This vulnerability involves a stack buffer overflow in the Microsoft Equation Editor component of Microsoft Office that allows for remote code execution. Interestingly, the vulnerable component was 17 years old (compiled in 2000) at the time of exploitation and unchanged since its removal in 2018.

These vulnerabilities, which were reported and subsequently issued patches in 2017, are the most frequently used of the top eight vulnerabilities observed in 2019. They were used in nearly 90 percent of malspam messages despite being well-publicized and dated. These findings highlight how delays in patching allow cybercriminals to continue to use old vulnerabilities and still see some success in their attacks.

2 Years and Still Going Strong

In addition to these vulnerabilities’ popularity in malspam, the volume of 2019 network attacks that targeted X-Force-monitored customers while attempting to exploit them was 25 times higher than the combined number of network attacks attempting to exploit similar vulnerabilities that leverage Object Linking and Embedding (OLE).

Our analysts did not observe a commonality regarding the malicious payloads used post-exploitation, which means that using these vulnerabilities is the choice of a wide array of threat actors and not specific to a small number of campaigns or adversarial groups.

Figure 1: Observed usage of top CVEs in 2019 spam emails (Source: IBM X-Force)

Another noteworthy insight from the figure above is that most vulnerabilities commonly used by cybercriminals are older ones. None of the vulnerabilities leveraged in 2019 were disclosed last year and only one was disclosed in 2018. The rest go back as far as 2003, further driving home the point that when it comes to malicious cyber activity, what’s old is new and what’s new is old.

The Allure of Older Vulnerabilities

Why would a wide array of threat actors use the same two old and well-known exploits in so many of their attacks? There are a few possible explanations, but the essence of it is they are cheaper, better documented, battle-tested and more likely to lead to legacy systems that are no longer being patched.

First, the exploits are very convenient for an attacker to use in that they don’t require user interaction. Unlike more recent Word vulnerabilities, which require the attacker to convince the user to enable macros, the exploits for these particular vulnerabilities automatically execute when the document is opened. This can help reduce the chance of arousing user suspicions and, accordingly, increase the rate of success.

Second, since so many different actors use these vulnerabilities, it can complicate attribution, as their widespread usage makes associating them with any particular individual or group difficult.

For example, IBM researchers recently observed threat actors leveraging these CVEs and using a variant of the X-Agent malware, which was historically associated with a threat actor known to IBM as ITG05 (also known as APT28). That threat group has been attributed to Russia’s Main Intelligence Directorate. But while they were being used by highly sophisticated threat actors, these vulnerabilities were also leveraged by low-end spammers dropping commodity malware through massive email campaigns.

The reuse of common exploits is a convenient way to muddy threat actor attribution, especially for groups that wish to remain anonymous in their operations. It can allow threat actors to hide among a large volume of activity, obfuscating their actions.

The third and perhaps most likely reason for the continued use of these vulnerabilities is the simple ease and convenience of generating documents that can exploit them. Because these types of documents are essential to the day-to-day operations of many target organizations, they are often not blocked by enterprise email filters. As a final bonus to threat actors, they are also some of the cheapest exploits cybercriminals can buy.

X-Force’s dark web research of underground forums highlights multiple offerings of free document builders that leverage each of these vulnerabilities. Our team also identified free YouTube videos focused on each vulnerability, illustrating how an attacker can generate a document to exploit these issues.

Figure 2: YouTube videos detailing how to generate documents exploiting CVEs 2017-0199, 2017-11882 (Source: IBM X-Force)

One should keep in mind that successful exploitation of older vulnerabilities is more likely to happen on older, unpatched operating systems (OSs) and legacy systems where OS end-of-life means that no new patches are even available. These kinds of systems are most likely used by organizations that can’t patch due to other issues or priorities. While there are many reasons that can contribute to the decision to defer patching, that decision is never a good one in the long run.

What Can Companies Do With This Sort of Information?

Older vulnerabilities are clearly not going away any time soon, so organizations need to be prepared to defend against their attempted exploitation. IBM X-Force Incident Response and Intelligence Services (IRIS) has the following tips for organizations to better protect themselves:

• Asset management is an ongoing process that should be top of mind for risk management. Part of this process is continually assessing risk to critical systems and considering the consequences of not patching them. Reassess the risks and consider patching and updating operating systems as soon as possible. Reality check: Windows 7’s end-of-life took place on January 14, 2020. Is your organization ready to move to an updated OS?
• On the application level, ensure that patches for productivity suites — especially Microsoft software — are applied as soon as they become available.
• Monitor the organization’s environment for PowerShell callouts that may be attempting to download and execute malicious payloads.
• Continue user education on the risks of opening attachments from unknown sources, as vulnerabilities like these do not require any user interaction beyond opening to cause harm.
• Scope and engage in a vulnerability management program to determine if older vulnerabilities are exposing your environment to exploitation by an attacker.

Download the latest X-Force Threat Intelligence Index

The post What’s Old Is New, What’s New Is Old: Aged Vulnerabilities Still in Use in Attacks Today appeared first on Security Intelligence.