Tenable Blog

CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited

Tenable Blog
5 hours 11 minutes ago

Broadcom published an advisory for three flaws in several VMware products that were exploited in the wild as zero-days. Organizations are advised to apply the available patches.

Background

On March 4, Broadcom published an advisory (VMSA-2025-0004) for three zero-day vulnerabilities across multiple VMware products:

CVEDescriptionCVSSv3CVE-2025-22224VMware ESXi and Workstation Heap-Overflow Vulnerability9.3CVE-2025-22225VMware ESXi Arbitrary Write Vulnerability8.2CVE-2025-22226VMware ESXi, Workstation and Fusion Information Disclosure Vulnerability7.1

In addition to its advisory, Broadcom published a frequently asked questions (FAQ) document for these vulnerabilities: VMSA-2025-0004: Questions & Answers.

Analysis

CVE-2025-22224 is a TOCTOU (Time-of-Check Time-of-Use) vulnerability in VMWare ESXi and Workstation. A local, authenticated attacker with admin privileges could exploit this vulnerability to gain code execution on the virtual-machine executable (VMX) process.

CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. A local, authenticated attacker with requisite privileges could exploit this vulnerability through the VMX process to escape the sandbox.

CVE-2025-22226 is an information-disclosure vulnerability in VMware ESXi, Workstation and Fusion. An authenticated, local attacker with admin privileges could exploit this vulnerability to cause the VMX process to leak contents from memory.

Exploited in the wild as zero-days

According to Broadcom, these vulnerabilities were discovered and disclosed by researchers at the Microsoft Threat Intelligence Center (MSTIC) and observed being exploited in the wild. No specific details about in-the-wild exploitation were shared.

Proof of concept

At the time this blog post was published, there were no proofs-of-concept (PoCs) available for any of these three vulnerabilities.

Solution

VMware has released fixed versions for affected VMware products:

Affected ProductsCVEsFixed VersionsVMware ESXi 8.0CVE-2025-22224,
CVE-2025-22225,
CVE-2025-22226ESXi80U3d-24585383,
ESXi80U2d-24585300VMware ESXi 7.0CVE-2025-22224,
CVE-2025-22225,
CVE-2025-22226ESXi70U3s-24585291VMware Workstation 17.xCVE-2025-22224,
CVE-2025-2222617.6.3VMware Fusion 13.xCVE-2025-2222613.6.3

Additionally, VMware Cloud Foundation and VMware Telco Cloud Platform and Telco Cloud Infrastructure are affected. An asynchronous patch is available for VMware Cloud Foundation, while Telco Cloud Platform customers should update to a fixed ESXi version. For more information, please refer to Broadcom’s advisory.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang

Creating Elegant Azure Custom Roles: Putting NotActions into Action!

Tenable Blog
11 hours 26 minutes ago

Creating custom Roles in Azure can be a complex process that may yield long and unwieldy Role definitions that are difficult to manage. However, it doesn’t have to be that way. Read on to learn how you can simplify this process using the Azure “NotActions” and “NotDataActions” attributes, and create custom Azure Roles that are compact, manageable and – dare we say it? – even elegant.

If you’re familiar with the role-based access control (RBAC) mechanism in Azure, then you’ve probably used Roles, which define the actions that an Azure user, group or service principal is allowed to take. Azure offers a set of pre-built Roles – which Azure calls built-in Roles – but you can also build custom ones. However, this may yield lengthy custom Role definitions that are cumbersome and inconvenient to maintain.

In this blog, we’ll explain how Tenable Cloud Security simplifies the process of assigning permissions using custom Roles by streamlining the use of the Azure properties NotActions and NotDataActions. We’ll also outline why making custom Roles easier to read and manage is beneficial for both security and operational purposes.

A look at Azure Roles

The three elements of a Role assignment are: security principal, role definition and scope. (If you’d like a refresher on the basics of Azure Roles, please check out our blog post “Deconstructing Azure Access Management using RBAC.”)

For the purposes of this blog post, it’s essential to note that an Azure Role is a JavaScript Object Notation (JSON) document detailing the list of permissions to be granted to an identity as part of a Role assignment. A role assignment in turn assigns these permissions for a given resource or set of Azure resources to an identity.

What is “NotActions”? 

The “Actions” field in a Role lists the control plane actions – such as creating, managing and deleting resources – that the Role will grant an identity, such as a user or a group, as part of a Role assignment. 

Similarly, the “DataActions” field lists the data plane actions that the Role will be able to perform, such as reading and writing data within resources.
 

Figure 1: An example of a Role in Azure, with “Actions” and “DataActions”. Source: Azure Documentation

“NotActions” allows you to subtract actions from the control plane actions listed in the “Actions” field that will thus not be granted by the Role. So if you create a custom Azure Role by tailoring a built-in Azure Role, you can remove permissions from the built-in Role’s control plane “Actions” field via the “NotActions” attribute.

Similarly the “NotDataActions” attribute removes permissions from the built-in Role’s data plane listed in “DataActions”. 

Another mechanism you should become familiar with due to its convenience are wildcards. You can use wildcards (*) to define sets of “Actions,” “NotActions,” “DataActions,” and “NotDataActions” permissions, instead of having to list those permissions individually.

“With a wildcard (*), you extend a permission to everything that matches the action string you provide,” reads a Microsoft documentation page.

Here’s an example Microsoft offers. If you want to add all the permissions related to Azure Cost Management and exports, you could add these five action strings individually:

     Microsoft.CostManagement/exports/action

     Microsoft.CostManagement/exports/read

     Microsoft.CostManagement/exports/write

     Microsoft.CostManagement/exports/delete

     Microsoft.CostManagement/exports/run/action

Or alternatively you could add this wildcard string, which is equivalent to the five individual strings. 

     Microsoft.CostManagement/exports/*

So, if we want to create a Role that will allow all actions on Azure Cost Management Exports except the ability to delete them, we can put “NotActions” and wildcars together and place the following pattern in “Actions”: 

     Microsoft.CostManagement/exports/*

And in “NotActions” we would then specify: 

     Microsoft.CostManagement/exports/delete

This will allow the defined Role to read, write and run exports, but not to delete them. Instead of having to specify the four actions which are available (/read, /write, /action and /run/action), we only had to specify the pattern in “Actions” and the one excluded action in “NotActions”. 

This may seem like a marginal improvement when creating Azure custom Roles, but it could be very meaningful when reaching a certain scale. 

How meaningful? We’ll soon see. But first let’s make one important note about these fields.

What “NotActions” isn’t 

For anyone who has experience with “allow / deny” rules, it could be very tempting (and somewhat intuitive) to think of “NotActions” and “NotDataActions” as deny assignments. But they aren’t. 

The difference is quite significant. 

A deny assignment would mean that an action specified in one of these fields would always be denied to an identity to which the policy would be assigned. In other words, even if this action is granted to this identity in a different assignment, the identity wouldn’t be able to perform it. 

Had this been true for “NotActions”, it would have been extremely helpful for creating security boundaries around resources. But this is in fact not the case.

A permission that’s excluded via either “NotActions” or “NotDataActions” in one Role can be granted to the same user in a different Role.

Make sure you remember that. 

Let’s see NotActions in Action 

The Tenable Cloud Security product provides cutting edge analysis of cloud permissions, in this case strengthening Azure security

As part of Tenable Cloud Security’s CIEM (Cloud Infrastructure Entitlements Management) functionality, we automatically analyze all the permissions assigned to all identities in Azure subscriptions and compare them with actual activity as detected in logs. This allows us to automatically generate suggestions for replacing currently assigned Roles with least-privileged custom Roles that only have the permissions that are needed by the identity for its business functionality. That way, in case an identity is breached, the fallout will be less severe than if the identity had had broader, unnecessary privileges. 

This can be done on-demand for Roles you have running (as can be seen in figure 2). For example, you can create a step as part of your testing protocol to have services running in a testing environment with a relatively “loose” set of permissions – which are easy to define. Then you could replace them in staging and production with the appropriate least-privileged Roles created on-demand based on the observed activity of the service during the testing period.
 

Figure 2: Generate least-privileged roles on demand for a specific scope and time frame 

Tenable Cloud Security can also automatically find overprivileged identities and flag them as a security issue. Tenable Cloud Security will then provide the automatically generated least-privilege custom Roles a dedicated “Remediation” tab for solving the issue, as can be seen in figure 3:
 

Figure 3: An overprivileged application finding with the remediation suggestion to resolve it 

Our automatically generated custom Roles take the “NotActions” field into account, so if it was included in the original role assigned to the identity, we factor it in and include it in the least privileged roles as well. 

In order to show just how meaningful this could be, we created a “before” and “after” view showing the use of the “NotActions” field for one of the identities we analyzed. This identity had “NotActions” included in the overpermissive Role originally assigned to it. 

This is what we generated as a least-privileged role, without using “NotActions”: 
 

Figure 4 - Custom Role suggestion generated for an identity without using “NotActions” 

Figure 4 shows the top of the document in Visual Studio Code, which is just a tiny fraction of the full document. 

The “Actions” field of the JSON document has over 7200 (!) lines as shown in Figure 5: 
 

Figure 5 - Custom role suggestion shown in figure 2 scrolled to the bottom 

Imagine having to go over this gargantuan document to understand exactly what it means or to debug it. 

However, when Tenable Cloud Security creates least-privileged custom Roles factoring in the existing “NotActions” field, we can do this in a much more compact and elegant way – so much so that we will be able to fit the entire JSON document into a single screenshot. 

The result of the advanced logic of Tenable Cloud Security calculating how to structure custom roles will look something like this: 

There will be a custom Role (or Roles) with actions and action patterns (with the “*” character as wildcard) that will not have “NotAction” specified in them where it’s not needed, and will look like this: 
 

Figure 6 - First part of the least-privilege custom Role suggestion for action patterns that need to be included completely 

And for recreating the existing appearances of the “NotActions” field, there will be a Role (or Roles) that includes them as necessary:
 

Figure 7 - Second part of the least privilege custom role suggestion, including necessary actions in the “NotActions” field

Believe it or not, but these two custom Roles with fewer than 70 lines total between them are equivalent to the Role we saw in figures 4 and 5 with over 100 times (!) the line count for just the “actions” field. 

Wow! 

You can now assign these two readable and elegant custom Roles to the identity and manage them much more easily. They’ll also be a lot easier to debug and you’ll be able to apply them with confidence. (Of course, you should conduct extensive testing before moving these identities to a production environment.) In the end, this can make the difference between applying the least-privileged Roles and keeping the old, over-permissive risky ones. 

That’s how powerful it can be to use “NotActions” properly. 

Conclusion 

Just like Tenable Cloud Security does, you can use the “NotActions” field to write elegant and understandable Azure custom Roles – just make sure you understand exactly what permissions to include and exclude, and always test in a lower environment before moving to production. 

We’ll be happy to set up a demo of Tenable Cloud Security for you so that you can test the Roles in Azure and in other cloud environments; ensure they’re not overprivileged; and, if they are, replace them with a suggested custom Role.

Lior Zatlavi

Cybersecurity Snapshot: OpenSSF Unveils Framework for Securing Open Source Projects, While IT-ISAC Says AI Makes Ransomware Stealthier

Tenable Blog
4 days 11 hours ago

Check out a new framework for better securing open source projects. Plus, learn how AI is making ransomware harder to detect and mitigate. In addition, find out the responsible AI challenges orgs face today. And get the latest on AI tool sprawl; ransomware trends; and much more!

Dive into six things that are top of mind for the week ending Feb. 28.

1 - New cybersecurity framework for open source projects

Here’s the latest industry effort aimed at boosting open-source software security.

The Open Source Security Foundation (OpenSSF) has crafted a new framework designed to offer cybersecurity guidance to leaders of open-source software projects.

The Open Source Project Security Baseline (OSPS Baseline), announced this week, is structured as a tiered set of security best practices and requirements drawn from established cyber frameworks, standards and regulations.

“It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security,” reads an OpenSSF statement.
 


OpenSSF created the OSPS Baseline after concluding that open-source project leaders often need help with cybersecurity. Meanwhile, users often lack visibility into whether and how an open-source software product was securely designed and developed.

“By meeting this ‘baseline,’ a project signals that it has taken essential measures to reduce the risk of common vulnerabilities and improve overall trustworthiness of the project to its adopters and contributors,” reads the OSPS Baseline FAQ.

The OSPS Baseline security controls are divided into three levels. Here’s a small sample of the controls in Level 1.

  • Users must complete multi-factor authentication (MFA) when accessing a sensitive resource in the project’s version control system.
  • When a CI/CD pipeline accepts an input parameter, the parameter must be sanitized and validated before it’s used in the pipeline.
  • While active, the version control system must not contain generated executable artifacts.

For more information about open source security:

2 - IT-ISAC: AI is changing the ransomware landscape

Ransomware groups will deepen their use of artificial intelligence this year, a trend that will help increase the number, severity and impact of ransomware attacks.

That’s one of the main takeaways from IT-ISAC’s report “Exploring the Depths: Analysis of the 2024 Ransomware Landscape and Insights for 2025.

By leveraging AI, ransomware groups make their attacks harder to detect, prevent and mitigate. These sophistcated AI attacks modify their behavior and tactics in real-time as they analyze victims’ environments and protections.

“The integration of AI in the development of ransomware presents a new level of evolution in cyber threats,” reads the report from IT-ISAC, which stands for Information Technology-Information Sharing and Analysis Center.

“With AI, ransomware will be able to adapt in real time and be far more effective than it is currently,” the report adds.
 


To combat AI-boosted ransomware attacks, the report recommends that cybersecurity teams implement “rigorous security controls,” access “timely and relevant threat intelligence” and adopt AI-enhanced cyber defense tools.

The report also lists tips and best practices for preventing and mitigating all types of ransomware attacks, including:

  • Back up your data, system images and configurations; regularly test these backups; and keep them offline.
  • Promptly and regularly patch and update your operating systems, applications and firmware. 
  • Develop an incident response plan and test it.
  • Segment your networks.
  • Take steps to limit your risk of getting breached if a trusted third-party with access to your network — like a supplier or contractor — gets hacked.

IT-ISAC also predicts that in 2025 ransomware groups will:

  • Continue to target the critical infrastructure sector
  • Expand their use of zero-day exploits
  • Shift further towards double extortion and data theft tactics
  • Refine their data exfiltration techniques

For more information about how AI is transforming ransomware:

3 - Tenable poll looks at security tool sprawl, integration

During our recent webinar “Security Beyond Silos with Tenable + Vulcan Cyber: Unified Exposure Management,” we polled attendees about topics including their level of security tool integration and the number of security tools they use for tasks such as asset discovery. Check out how they responded!

(255 webinar attendees polled by Tenable, February 2025)

(218 webinar attendees polled by Tenable, February 2025)

(Respondents could choose more than one answer. 277 webinar attendees polled by Tenable, February 2025.)

Interested in how to prioritize and address critical threats with unified visibility and enriched intelligence? Learn about unified exposure management by watching the on-demand webinar “Security Beyond Silos with Tenable + Vulcan Cyber: Unified Exposure Management.”

4 - Survey: As orgs pursue responsible AI, challenges remain

Businesses are wholeheartedly embracing AI, which in turn is fueling investments in data projects. However, a key success element for AI and data initiatives is still a work in progress: responsible AI.

That finding comes from the Data & AI Leadership Exchange’s “2025 AI & Data Leadership Executive Benchmark Survey,” for which 125 C-level executives, most of them Chief Data Officers from Fortune 1000 companies, were polled.

“Responsible AI is seen as an increasing priority for most organizations, as they focus on establishing safeguards and guardrails to ensure responsible AI utilization. More work needs to be done,” the report reads.

Specifically, surveyed organizations are concerned about misinformation and disinformation; ethical bias; job loss; and insufficient staffers skilled in responsible AI.
 


A strong majority of respondents say that investment in responsible AI is a top corporate priority (73.5%). While respondents’ belief that responsible AI safeguards must be in place is almost unanimous (97.5%), those safeguards are in place today at 77.6% of organizations. 

Meanwhile, little over half of respondents (56.5%) said their organization has enough skilled employees to ensure the implementation of responsible AI. “Talent continues to be a limiting factor,” the report reads.

For more information about AI security, check out these Tenable blogs:

5 - Report: Ransomware attacks up sharply in January

Ransomware groups had an unusually busy January, as attacks more than doubled year-on-year, a trend that further stresses the importance of practicing proactive cybersecurity.

Observed ransomware attacks reached 590 in January — up 3% compared with December 2024 and 114% year-on-year -- according to NCC Group’s “Cyber Threat Intelligence Review of January 2025” report, published this week.

“Taking action to mitigate these risks is more crucial than ever, with continuous monitoring, comprehensive training, and robust cyber security measures proving essential,” Matt Hull, Head of Threat Intelligence at NCC Group, said in a statement.

Factors that drove the surge in ransomware attacks included a more unstable geopolitical environment; the emergence of new ransomware groups; more effective attack methods and tools.

Other highlights from the report include:

  • The Akira ransomware gang ranked first with 13% of all attacks.
  • The most targeted sector was industrials, which received a quarter of all attacks, a sign of ransomware groups’ focus on critical infrastructure organizations.
  • Among regions, North America suffered the majority of attacks (50%), followed by Europe (22%)

Top 10 ransomware groups in January 2025

(Source: NCC Group’s “Cyber Threat Intelligence Review of January 2025” report, January 2025)

For more information about preventing and mitigating ransomware attacks:

6 - FBI: North Korea behind massive crypto theft

The North Korean government, acting via a hacking group known as TraderTraitor and as the Lazarus Group, is responsible for the recent mega-theft of $1.5 billion worth of cryptocurrency, the Federal Bureau of Investigation (FBI) said this week.

The North Korean cybercrime group stole the crypto funds from Dubai-based exchange Bybit in what is considered one of the largest crypto heists ever.
 


“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” reads the FBI’s public service announcement.

The FBI is asking entities involved in the crypto services sector to be on the lookout for transactions tied to the theft and to block them. The PSA includes a list of Ethereum addresses used to hold assets from the heist.

Juan Perez

Identity Security Is the Missing Link To Combatting Advanced OT Threats

Tenable Blog
6 days 11 hours ago

Sophisticated OT threats, like living-off-the-land (LotL) attacks, exploit identity vulnerabilities to infiltrate critical infrastructure. Find out how robust identity security and unified exposure management can help you detect, prioritize and mitigate risks across IT and OT environments.

The attack surface that today’s security leaders have to defend is growing at an unprecedented rate, and the situation is particularly challenging for organizations managing critical infrastructure: almost 70% of cyber attacks in 2023 targeted critical infrastructure, according to IBM’s “X-Force Threat Intelligence Index 2024” report. What was once a manageable task of protecting a defined network perimeter has transformed into a complex challenge of securing a vast, interconnected web of cyber-physical systems – IT, operational technology (OT), internet-of-things (IoT) devices, and more. These devices and their associated networks are under increasing pressure from sophisticated threat actors, who are leveraging advanced techniques such as living-off-the-land (LotL) attacks to infiltrate critical infrastructure networks.

LotL techniques are especially dangerous in OT networks because they usually house “insecure by design” legacy and unmanaged systems that may not support the latest patches or cannot be easily upgraded without affecting operations. Additionally, these OT networks may share resources or trusted zones with IT environments. These two elements create an ideal landscape for attackers to move laterally and undetected between IT and OT networks.

Advanced attack techniques blur the boundaries between historically separate security domains

Operational technology (OT) refers to the hardware and software systems that monitor and control physical devices, processes and events in environments such as industrial operations, building facilities, energy and water infrastructure, data centers and transportation systems. Unlike IT, which focuses on data and information, OT systems interact directly with the physical world. 

LotL attacks and similar modern attack strategies exploit legitimate, trusted applications pre-installed on many devices that control OT devices, as well as credentials within a system to avoid traditional detection methods. Rather than deploying new malware, these attacks rely on exploiting tools that are already present in the breached network.

 


 

With legacy OT systems often lacking detailed logging or monitoring of user activities, attackers target over-privileged accounts to perform critical actions like modifying system configurations, disabling security controls or accessing sensitive data using legitimate permissions. This allows them to evade traditional IT-based security tools that rely on identifying malicious software and that are separate from the OT environment.

Common LotL tactics include:

  • Misusing legitimate tools: Attackers leverage tools pre-loaded onto operating systems such as Certutil, Ntdsutil and XCOPY to achieve their goals while masking as regular system activity.
  • Hands-on-keyboard attacks: Human attackers directly manipulate compromised systems instead of relying on automated or programmed tools to evade detection by common security tools, such as endpoint detection and response (EDR).

These techniques are particularly dangerous in OT environments, where: 

  • Legacy systems may lack robust logging and monitoring capabilities, and may share resources or trusted zones with IT. 
  • Shared or default accounts make it difficult to track user activity and identify unauthorized access. 

These conditions result in an ideal landscape for attackers to move laterally across IT and OT undetected.

Case in point: The Volt Typhoon group

The state-sponsored Chinese hacking group Volt Typhoon (first identified in May 2023), exemplifies the threat posed by LotL attacks. The group targeted critical infrastructure organizations in the U.S., including in the energy, communications and maritime sectors, using legitimate tools and native Windows commands to avoid detection. By exploiting existing system tools like PowerShell and WMI and not using malware, Volt Typhoon seeks to evade traditional defenses. Its focus on credential harvesting and maintaining persistent access highlights the importance of securing identities as a cornerstone of OT security, alongside robust OT network monitoring and configuration change tracking.

Identity security: the missing ingredient for securing cyber-physical systems

Understanding what assets you have and the vulnerabilities associated with them helps ensure you are closing your exposure to stop attackers from getting a foothold in the first place. Attackers typically exploit identity and access systems—especially Microsoft’s Active Directory, a common entry point and target—to escalate privileges, maintain access and execute their strategies. Other common identity exploits that can impact OT systems include shared credentials, default passwords and lack of multi-factor authentication. 

Effective OT security requires a holistic approach that prioritizes identity security. Such an approach helps you:

  • Understand your assets: By identifying and assessing vulnerabilities across your OT environment, you can prevent attackers from gaining a foothold.
  • Monitor for anomalies: This allows you to monitor credential usage for unusual activity, such as logins from unexpected locations or outside of normal work hours.
  • Limit privilege escalation: Proactively identifying privileged accounts and enforcing least privilege policies helps you restrict access to sensitive resources, even if an account is compromised.
  • Harden AD: Given attackers’ focus on AD, it’s key for you to regularly audit AD for misconfigurations and enforce strong access controls. Consider dedicated AD domains for OT environments for enhanced security.
  • Identify attack paths: Using exposure management tools can help you identify potential attack paths involving compromised identities and OT assets, allowing for proactive intervention. 
Closing the gap with exposure management

The role of the CISO continues to evolve in parallel with today’s expanding threat landscape. No longer limited to safeguarding traditional IT environments, security leaders find themselves increasingly responsible for securing OT environments, along with cloud infrastructures, mobile devices, IoT and smart devices, advanced AI systems and shadow IT assets. Each component introduces vulnerabilities, making comprehensive security more difficult.

Securing an organization today requires a far-reaching approach – it’s no longer sufficient to rely on basic defenses. Instead, security leaders must address a continuously shifting environment where attackers use sophisticated techniques and exploit diverse entry points.

However, siloed security tools fail to provide a comprehensive view of the entire attack surface. Such fragmented solutions for security make it difficult for security teams to collaborate across IT and OT to identify risky connections that enable attackers to gain initial access, move laterally across the network and escalate privileges.

The Tenable One Exposure Management Platform offers a unified solution to address this challenge by providing security teams with a set of critical capabilities:

  • Complete attack surface visibility, which gives you insights across the modern attack surface, including OT, IoT, and IT assets
  • Prioritized risk management, which lets you identify and prioritize the exposures most likely to have a significant impact on critical infrastructure
  • Bridging of security silos, which brings together data across Tenable products – including Tenable OT Security and Tenable Identity Exposure – and combines it with third-party data to generate a holistic and real-time view of identities, risks, and configurations
  • Attack path visualization, which identifies and closes potential attack paths that allow threat actors to traverse across converged IT and OT environments

 

(Source: Internal Tenable survey, July 2024)

Incorporating identity security and OT security monitoring as part of any security strategy is critical—through real-time monitoring, anomaly detection, privilege controls, and AD hardening to proactively close risk exposures. By adopting a comprehensive exposure management approach, organizations can gain the visibility and context needed to effectively protect critical infrastructure from evolving threats.

To see how Tenable One helps organizations bridge the gap between securing OT and identities, check out this video, where we demonstrate how Tenable’s AI-powered capabilities help you identify likely attack paths and close risky exposures before attackers can exploit them.
 


For a deeper dive into how exposure management helps bolster your security posture, download the whitepaper "Hackers Don't Honor Security Silos: 5 Steps To Prioritize True Business Exposure" and read the blog post "CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?"

Chris Baker

Identity Is the New Battleground: Why Proactive Security Is the Way Forward

Tenable Blog
1 week 1 day ago

Protecting identities has become a top priority for security teams. However, many organizations remain exposed due to blind spots caused by identity sprawl and misplaced trust in identity providers. This blog explores why traditional security measures fall short, how AI-driven attackers are escalating identity threats, and why a proactive, identity-first approach is the only way forward.

The identity security game has changed—not just because attackers are inventing new exploits, but because we’ve unintentionally made their job easier. Identity sprawl has opened the doors wide, effectively giving attackers their own “golden ticket” —pun intended— to target what is arguably an organization’s most valuable asset: its identities. 

Remember when an employee only needed one corporate login and a handful of permissions to access the applications and resources they needed to get their job done? Today, every worker, contractor, service account and even every IoT device is entangled in a complex web of permissions spread across multiple identity providers (IDPs), spanning directory services, such as Microsoft’s Active Directory (AD) and Entra ID; cloud services; SaaS apps; and remote access tools. The rise of IoT has further compounded this challenge by introducing machine identities that seamlessly interact across these environments, increasing both operational complexity and security risks.

Identity sprawl is now a major challenge for organizations, with 57% of security professionals citing it as a key concern, according to the Identity Defined Security Alliance’s “2024 Trends in Identity Security" report. As organizations increasingly rely on multiple identity and access management (IAM) solutions to navigate the complexity of hybrid and multi-cloud environments, each new solution adds another layer of permissions, another place where identities can be exploited, and another door for attackers to walk through.

The problem? Identities are the path of least resistance

Why hack in when you can log in?

Credential theft and privilege escalation are the bread and butter of modern attacks. Lateral movement—where an attacker quietly pivots from system to system using legitimate credentials—has become one of the hardest threats to detect. Why? Because it looks like business as usual.

Why do attackers target identities? Aside from the fact that phishing is widely effective, there are three primary reasons.

  • Persistence – Once they’ve compromised an account, they can maintain access for extended periods, often undetected.
  • Stealth – Logging in with valid credentials doesn’t raise red flags like malware does.
  • Escalation – One low-privileged user can be the first domino in a privilege escalation chain.

Attackers aren’t just targeting identities—they’re exploiting them for long-term access with new AI tools. Attackers now have the ability to automate credential-based attacks, allowing them to gain persistence within networks, operate stealthily, and escalate privileges without triggering traditional alarms. Stolen credentials, phishing, and credential stuffing are being weaponized at scale, making it easier than ever for attackers to infiltrate environments, blend in with legitimate users, and expand their foothold before detection. Without proactive identity security, organizations remain blind to these silent intrusions—until it’s too late.

Why now? The identity crisis has hit a breaking point

The majority of organizations now rely on multiple IDPs to manage the complexities of cloud and remote work environments. However, many assume that identity security is “handled” by their identity provider—whether it’s Active Directory, Entra ID, or another IAM solution. In reality, IDPs are designed primarily for authentication and access control, not comprehensive security. This false sense of security often results in inaction, leaving organizations vulnerable to misconfigurations, orphan accounts, and excessive permissions—all of which significantly expand the attack surface for credential compromise. 

The explosion of cloud adoption, SaaS, remote work and IoT has turned identity security into a nightmare for defenders

Let’s face it, AD was designed for on-premises environments over 25 years ago, and while Entra ID has evolved for cloud-first identity management, neither was built to handle the scale and complexity of today’s hybrid, multi-cloud identity landscape. Each identity-related tool plays a role, but none provide a complete solution on their own. Privileged access management (PAM) technology helps protect high-value accounts but doesn’t offer insight into the broader identity landscape. Identity governance (IGA) technology enforces policies but doesn’t provide real-time risk detection. Identity threat detection & response (ITDR) products can catch threats but often too late—by the time an alert fires, the damage is already done. Without a unified approach, security teams are left patching gaps rather than proactively managing identity risks.

Proactive identity security: The way forward

Security teams can’t keep playing defense. It’s time to take control, especially as attackers increasingly supercharge their efforts with AI-driven automation. According to the UK's National Cyber Security Centre’s (NCSC) “The near-term impact of AI on the cyber threat” report, cyberattacks will grow in volume and impact as hackers adopt AI. As a result, identity-based threats will become even more scalable and effective for attackers. Even open-source tools like BloodHound, originally designed to help defenders map Active Directory relationships, have become invaluable to attackers. So, how do you stay ahead of bad actors?

IAM hygiene isn’t just an operational concern—it’s a foundational security requirement. A recent report by CISA, “Detecting and Mitigating Active Directory Compromises,” highlights the dangers of poor IAM hygiene and the risks posed by misconfigurations, excessive permissions, and outdated security practices. Without proactive security measures, attackers can exploit identity weaknesses to gain persistence and move laterally within networks. Organizations must focus on continuous monitoring, timely remediation, and enforcing least privilege to mitigate these risks and strengthen their identity security posture.

To address these challenges, organizations must adopt a proactive approach that includes the following key strategies:

  • Eliminate the blind spots – We need tools that aggregate all identity data into a single repository, unifying on-prem and cloud identities. No more guessing which accounts are federated or which service accounts have excessive privileges.
  • Adopt AI-powered risk assessment – Attackers use AI to find weak links. We need AI to fight back, assessing identity risks dynamically based on weaknesses, associated devices, entitlements, misconfigurations, and privilege levels.
  • Implement actionable remediation – It’s not enough to know an identity is high-risk. Security and IAM teams need a shared language to act on it. That means visibility into remediation options, costs and prioritization—because not every identity exposure needs an immediate fix, but some are urgent.
The future of identity security with Tenable

This is why we’re building Identity 360 and Exposure Center—giving organizations proactive control over identity risk. Identity 360 provides a comprehensive view of identities—including accounts, devices, entitlements, groups, and roles—while leveraging advanced AI to assess and quantify their associated risks. Exposure Center empowers security teams with actionable insights and guided remediation steps, helping them prioritize and mitigate identity threats efficiently. Identity 360 provides a comprehensive view of your identities -- accounts, devices, entitlements, groups, roles and more -- and uses advanced AI to calculate the risks they pose across. Meanwhile, Exposure Center enables security teams to prioritize and remediate identity threats with actionable insights and guided steps. And we’re not stopping there. By integrating identity security data into the Tenable One Exposure Management Platform, we’re providing security leaders with enhanced attack path analysis and exposure signals—allowing them to anticipate threats, think like an attacker, and proactively shut down risks before they escalate.

If anything, the pace of identity threats is speeding up, not slowing down. Organizations that stay reactive will continue playing catch-up while attackers exploit their blind spots. But with proactive security strategies, unified visibility and intelligent risk assessment, we can turn the tide. The battleground is shifting. It’s time to take control over your organization’s identities. 

To see Tenable Identity Exposure in action, check out our guided demo.

Brinton Taylor

Cybersecurity Snapshot: Ghost Ransomware Group Targets Known Vulns, CISA Warns, While Report Finds Many Cyber Pros Want To Switch Jobs

Tenable Blog
1 week 4 days ago

Check out mitigation recommendations to protect your organization against the Ghost ransomware gang. Plus, get tips on how to attract and retain top cybersecurity professionals. And learn the latest on the most prevalent malware; CIS Benchmarks; an AI security hackathon; and much more!

Dive into six things that are top of mind for the week ending Feb. 21.

1 - CISA: Ghost ransomware gang exploits known vulnerabilities

For years, ransomware group Ghost has been making hay out of well-known vulnerabilities for which patches have long been available – and it continues to aggressively pick low-hanging fruit by targeting outdated software.

That’s the warning that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued this week in their joint advisory “#StopRansomware: Ghost (Cring) Ransomware.

Since 2021, China-based Ghost, also known as Cring, Crypt3r and Phantom, has been using publicly available code to attack internet-facing servers whose software and firmware contain years-old vulnerabilities – including one disclosed and patched in 2009. 
 


“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” the advisory reads. Ghost’s main motivation is financial.

CVEs that Ghost has specifically targeted include:

Security teams will find indicators of compromise (IoCs); tactics, techniques and procedures (TTPs); and mitigation recommendations in the advisory.

Some high-level recommendations to mitigate Ghost ransomware attacks include:

  • Patch known vulnerabilities in operating systems, firmware and software on a timely basis using risk prioritization.
  • Segment networks to restrict lateral movement.
  • Protect all privileged accounts and email services accounts using phishing-resistant multi-factor authentication (MFA).
  • Back up systems regularly, and store those backups separately. 

For more information about ransomware prevention and mitigation:

2 - How CISOs can attract and retain cyber pros in competitive job market

A majority of cybersecurity professionals are unimpressed with their employers and mulling a job change, but CISOs can improve employee retention – as well as recruitment – by boosting career development opportunities.

That’s a key takeaway from the “2025 Cybersecurity Staff Compensation Benchmark Report,” based on a survey of about 525 cybersecurity professionals and published this week by IANS Research and Artico Search.

“This year’s data reinforces a critical truth – cybersecurity professionals often feel stuck in demanding roles without opportunities for meaningful career growth," Nick Kakolowski, Senior Research Director at IANS Research, said in a statement.

Specifically, the report found that more than 60% of respondents are considering changing jobs, and only one-third of respondents said they’d recommend their employer. Moreover, under 40% said they’re satisfied with their advancement opportunities.

So how can CISOs reduce turnover among top-performing cybersecurity professionals? Here are some recommendations:

  • Create clear career advancement plans
  • Clearly communicate growth opportunities
  • Roll out leadership development programs

Meanwhile, understaffing remains a challenge, so in order to attract the best candidates, CISOs must be ready to pay them a premium – often as much as 40% above the average comparable candidate. 

This is especially true for versatile cybersecurity professionals who have experience in a variety of areas, such as application security, security operations, and governance, risk and compliance. That’s because performing multiple cyber functions has become the norm on security teams.

Specifically, 61% of respondents said they devote at least 30% of their time to more than one function.
 

(Source: “2025 Cybersecurity Staff Compensation Benchmark Report” from IANS Research and Artico Search, February 2025)

Other interesting tidbits from the report include:

  • Top-earning cyber professionals include security architects and security engineers, with average annual cash compensation of $206,000 and $191,000, respectively.
  • Cybersecurity professionals who specialize in cloud security, application security and threat intelligence command higher compensation. 

To get more details, check out:

3 - CIS: Most malware infections tied to fake update attacks

SocGholish, a variant used in fake software-update attacks, once again topped the Center for Internet Security’s malware-infections report for 2024's fourth quarter.

It’s the sixth straight time in which SocGholish ranks first on the CIS top 10 list of malware incidents, which is published quarterly.

The prevalence of SocGholish reflects the popularity of fake software-update attacks remain among hackers.

Fake software-update attacks trick users into installing a legitimate-looking update for, say, their preferred browser. Instead, the downloaded software infects their computers with malware.

(Source: Center for Internet Security, January 2025)

Here’s the full list, in descending order:

  • SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates 
  • CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
  • Arechclient2, also known as SectopRAT, is a .NET remote access trojan (RAT) whose capabilities include multiple stealth functions
  • NanoCore, a RAT that spreads via malspam as a malicious Excel spreadsheet
  • Agent Tesla, a RAT that captures credentials, keystrokes and screenshots
  • Ratenjay, a RAT that executes commands remotely and features keylogging capabilities
  • ZPHP, a JavaScript downloader that’s distributed via fake browser updates
  • DarkGate, a downloader and keylogger that steals financial data and personally identifiable information (PII), and delivers other malware
  • Jupyter, also known as SolarMarker, an evasive and adaptive .NET infostealer often distributed via Zip and PDF files 
  • LandUpdate808, a JavaScript downloader distributed through malicious or compromised websites via fake browser updates

To get more information, check out the CIS blog “Top 10 Malware Q4 2024,” where you’ll find more details, context and indicators of compromise for each malware strain.

For details on fake update attacks:

VIDEOS

Fake Chrome Update Malware (The PC Security Channel)

Beware Google Chrome fake update browser pop ups that bring malware (Windows, Computers and Technology)

4 - SANS holds AI security hackathon

To encourage cybersecurity professionals and others to attain AI security knowledge and to promote the development of open-source AI security tools, SANS Institute is holding a hackathon that runs through mid-March.

“The hackathon aims to inspire participants to develop expertise in AI security, identify and support cybersecurity talent, and drive progress in AI security research through open-source contributions,” reads a SANS Institute statement.
 


The hackathon is aimed at cybersecurity professionals, ethical hackers, software developers and students. Entrants can participate as individuals or as part of a team.

"Through this hackathon, SANS hopes to not only contribute vital open-source tools but also encourage individuals to pursue and refine the AI security skills the industry desperately needs,” Rob Lee, Chief of Research at SANS Institute, said in the statement.

Those interested can register at the “SANS AI Cybersecurity Hackathon” website.

For more information about AI security, check out these Tenable blogs:

5 - New, updated CIS Benchmarks released for Apache, AWS, Oracle products

The Center for Internet Security has published new and updated CIS Benchmarks for multiple products, including Apache Cassandra, AWS Compute Services and Oracle MySQL Enterprise Edition.
 


Here’s the full list of updated and new CIS Benchmarks for January.

Updated

New

Organizations use the CIS Benchmarks’ secure-configuration guidelines to harden products and increase their resiliency against cyberattacks. Today, CIS offers 100-plus Benchmarks for 25-plus vendor product families. Categories of products include cloud platforms; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks February 2025 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

VIDEO

CIS Benchmarks (CIS)

6 - Int’l operation disrupts Phobos and 8Base ransomware ops

A multinational law enforcement effort has impacted individuals and infrastructure tied to 8Base and Phobos, two ransomware groups that caused major damage last year.

The international crackdown led to the arrest of four people – all Russian nationals – and to the takedown of 27 servers used by Phobos and 8Base, according to Europol, which helped coordinate the operation involving law enforcement agencies from 14 countries.
 


Two of the individuals arrested were part of an affiliate ransomware gang that used Phobos to victimize 1,000-plus organizations, collecting more than $16 million in ransom payments, according to the U.S. Department of Justice.

Juan Perez

How To Reduce DNS Infrastructure Risk To Secure Your Cloud Attack Surface

Tenable Blog
1 week 6 days ago

Mismanaging your DNS infrastructure could put you at risk of destructive cyberattacks – especially as your cloud attack surface expands. Read on to learn about DNS vulnerabilities, the impact of DNS takeover attacks, and best practices for DNS security, including how new Tenable plugins can help you.

Many organizations overlook the security of their domain name system (DNS) infrastructure, a grave mistake, particularly if their cloud adoption is growing. Mismanaging your DNS records can allow attackers to take over any of your subdomains that are inactive and forgotten. Once hackers control one of your subdomains, they can craft a variety of devastating cyberattacks.

In this blog, we’ll unpack how the DNS protocol works; outline common DNS vulnerabilities and their impacts; and drill down into detection, prevention and mitigation best practices. We’ll also explain how newly-released Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Attack Surface Management plugins can help you secure your DNS infrastructure.

Why cloud growth intensifies the importance of DNS security

Organizations increasingly want to integrate new cloud services and SaaS applications into their IT infrastructure to provide them to their users and customers. As part of this process, organizations often create a custom subdomain for their users or customers to access these third-party cloud applications. 

In order to do this, organizations need to create a new DNS record. It’s critical for organizations to keep track of these DNS records so that attackers don’t hijack the custom subdomains. Unfortunately, DNS infrastructure management is often overlooked, creating a blindspot for the organization’s security team. 

DNS resolution basics

The DNS protocol, historically a critical component of the internet infrastructure, translates numerical IP addresses into human-readable names.

DNS protocol provides various record types, including these four:

  • "A" records, which are the basic translation between a subdomain and an IPv4 address.
  • Canonical Name (CNAME) records, which allow organizations to have more than one domain alias pointing to a single domain name linked to one IP address. For instance, five domain aliases can point to example.com. If the IP address tied to example.com ever changes, its DNS record is the only one that needs to be updated. The CNAME aliases that point to example.com can remain as they are. CNAME records never point directly to an IP address – only to other domain names. The target domain name can be either in the aliases' same domain name or in a different one.
  • Mail Exchange (MX) records, which direct email traffic by specifying which mail servers are responsible for accepting incoming email messages for a domain.
  • Name Server (NS) records, which identify which DNS servers are authoritative on a given DNS zone. An authoritative DNS server contains the DNS zone with all the records.

To map a third-party service to an organization’s custom domain, the third-party vendor will request to configure one of these four record types. Once the process is completed, the organization’s traffic will be properly routed via the custom domain. 

The following diagram shows a basic example of how a DNS resolution mechanism works for a CNAME record that isn’t already in any cache of the DNS resolution chain:

Chart showing how a DNS resolution mechanism works for a CNAME record that isn't already in any cache of the DNS resolution chain

The overall flow is similar for other record types such as MX or NS records.

Understanding DNS takeover vulnerabilities

The risk of a DNS takeover emerges when a DNS record is left dangling – meaning that the DNS record points to a subdomain that is inactive or was deleted. This would allow anyone to claim this DNS record from the third-party cloud service. 

A common scenario at the origin of such vulnerabilities is:

  1. An organization’s business unit sets up a third-party cloud service for its internal users.
  2. This business unit then asks the IT department to create a DNS CNAME record for this service to make it look more legit with an “organization” owned domain.
  3. Later, the business unit decides to stop using this third-party cloud service but does not ask the IT department to remove the DNS CNAME record from the DNS zone.
  4. Any user, including an attacker, can claim the custom subdomain from the cloud service provider, and configure it to host malicious content under the victim organization’s domain.

As an example, let’s take an organization that wants to host a basic static website on an AWS S3 storage bucket for an event, such as a two-day conference, and map a subdomain it owns such as mysuperstaticwebsite.acme.corp. By following the official AWS documentation, the service is provisioned and available to all intended users.

After the event ends, the organization takes the website hosted on S3 offline but forgets to remove the custom subdomain’s DNS record. 

The website now displays a generic error showing that the S3 bucket does not exist:

However, an attacker who looks at the DNS record for mysuperstaticwebsite.acme.corp would see the following configuration: 

dig +short CNAME mysuperstaticwebsite.acme.corp mysuperstaticwebsite.s3-website.eu-west-3.amazonaws.com.

Using this information, the attacker could then log on to the AWS console, create an S3 bucket named mysuperstaticwebsite in the eu-west-3 region and attract people who think they’re visiting the legitimate https://mysuperstaticwebsite.acme.corp website.

This risky scenario isn’t limited to CNAME records. MX, NS or A records are also vulnerable. For example, for around 5 years, a Mastercard DNS error went unnoticed just because of a typography issue in one of the NS records set on its az.mastercard.com. The record, using akam.me, was indeed targeting a non-existing domain which was available for registration. 

DNS takeovers can also happen when a domain name expires and is not renewed in the allocated time by the organization that owned it. The domain name then can be purchased by anyone, including hackers, leaving the previous owner open to multiple attack scenarios.

One takeover, multiple impacts

Organizations are often unaware of the potential impacts a DNS takeover attack can have, beyond damage to its brand reputation and to its customer confidence. 

Depending on the type of the compromised DNS record and the organization’s usage of this record, many exploitation vectors could have an impact on an organization's security, including:

  • Phishing: Attackers can build realistic phishing websites hosted on a legitimate URL domain name to target the organization’s internal or external users.
  • Email interception: MX records are a critical part of email infrastructure. When one or several MX records are left dangling and target-DNS records become unavailable, an attacker could take over the DNS records and receive e-mails intended for previous users of this service. This can have a huge impact. It can allow attackers, for example, to perform password-reset operations and log into active services from the organization. 
  • Cookie tossing: Taking control of a subdomain could allow an attacker to set cookies for the parent domains and make them apply to other subdomains. Depending on how the cookies are handled on the other applications, this could help an attacker conduct further attacks.
  •  Bypassing client-side security:
    • Content-Security Policy (CSP) allows website admins to control which resources a browser can load. If a compromised subdomain is in a CSP allow list, an attacker could exploit this vulnerability to bypass the CSP security controls and launch client-side attacks such as cross-site scripting (XSS).
    • A Cross-Origin Resource Sharing (CORS) policy defines the vulnerable subdomain in the allowed origins. An origin is a combination of the URI scheme, the host name and the port number, and adding it to the CORS policy defines the sources allowed to perform cross-site requests on a given web application. An attacker could host malicious JavaScript and exploit the CORS configuration to access sensitive information or perform operations on behalf of legitimate users.
  • Cloud resources compromise: When the compromised target is, for example, a cloud resource such as a storage bucket or a database, it could have a broader impact on the rest of the infrastructure. For example, if a web application still refers to JavaScript static files on a storage bucket that has been taken over, an attacker could upload malicious JavaScript content and conduct stored XSS attacks on other internal or external web applications. 

The risks are even higher when the vulnerable record is an NS record. This type of record allows administrators to delegate the entire DNS zone management to a third-party server. If it is compromised, attackers can then create multiple other records in the delegated zone.

How to detect, prevent and mitigate

Mitigating DNS takeover vulnerabilities is not complex, and will mainly require following best practices for the lifecycle management of DNS records. 

For starters, you must have a well-established and documented process for provisioning external services so that you avoid these mistakes:

  • The DNS record is created but you haven’t yet deployed the third-party cloud service.
  • The DNS record is created and you’ve subscribed to the third-party cloud service, but you haven’t finalized the custom DNS configuration.
  • The third-party cloud service is terminated but the DNS record is not removed from your organization’s DNS zone.

Instead, you must ensure that the DNS record is created only after the third-party cloud service has been created and configured. Once the third-party cloud service is no longer needed, the DNS record must be removed before the external service configuration is eliminated. 

If you are developing a SaaS application as a service provider, you should request customers to verify their domain name's ownership before assigning it a custom DNS record and routing it to your infrastructure. Common security protection requires organizations to add TXT DNS records in the subdomain DNS zone to confirm that they own the subdomain. It is also possible to generate a random and unique CNAME record to be used by each customer, preventing an attacker from re-using a previous CNAME record and hijacking the subdomain.

When attackers analyze an organization’s attack surface, they will enumerate the DNS records related to this organization and check if any dangling records exist. To achieve this, they will look for three different issues:

  • Dangling services that provide an HTTP response. They will have a valid and resolvable DNS record, but will also provide a default HTTP response which can be used to fingerprint the vulnerable services.
  • Dangling services with DNS resolution failure which, most of the time, have CNAME records targeting DNS records that are not resolvable, and makes the DNS resolver return an NXDOMAIN error.
  • Dangling services targeting an IP address not allocated. Attackers can claim, for example, elastic IP addresses on public cloud infrastructures.

Tenable Vulnerability Management’s Attack Surface Management and Web App Scanning features let you comprehensively assess and remediate DNS security issues. By leveraging plugins 114146 (Subdomain Takeover) and 114572 (Danging DNS Record) in addition to Attack Surface Management capabilities, Web Application Scanning users can quickly check if their subdomain is targeting HTTP based dangling records and try fixing these issues before an attacker exploits them. 

Conclusion

Managing an organization’s attack surface requires solid DNS infrastructure management. While DNS records may seem like relics of early cloud adoption, the increasing complexity of modern architectures and rapid evolution of cloud services makes DNS infrastructure management more relevant than ever.

When attackers exploit DNS vulnerabilities, they can build an attack chain that can compromise user sessions, exfiltrate sensitive data or impersonate legacy services. That’s why organizations must embrace a proactive approach and adopt a solid DNS provisioning and management process.

Rémy Marot

Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat

Tenable Blog
2 weeks 4 days ago

Check out best practices for preventing buffer overflow attacks. Plus, Europol offers best practices for banks to adopt quantum-resistant cryptography. Meanwhile, an informal Tenable poll looks at cloud security challenges. And get the latest on ransomware trends and on cybercrime legislation and prevention!

Dive into six things that are top of mind for the week ending Feb. 14.

1 - CISA, FBI offer buffer overflow prevention tips

The U.S. government is urging software makers to adopt secure application-development practices that help prevent buffer overflow attacks.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) called buffer overflow vulnerabilities “unforgivable defects” that put national and economic security at risk.

“CISA and FBI urge manufacturers to use proven prevention methods and mitigations to eliminate this class of defect while urging software customers to demand secure products from manufacturers that include these preventions,” the agencies wrote in a joint fact sheet. 

Buffer overflows happen when data written to a computer’s memory buffer exceeds the buffer’s capacity. This can lead to issues such as system crashes, data corruption and remote code execution.
 

 

These are some of the recommendations the agencies offered for preventing buffer overflows in the fact sheet titled “Malicious Cyber Actors Use Buffer Overflow Vulnerabilities to Compromise Software.

  • Use memory-safe languages when developing software.
  • Implement compile time and runtime protections using compiler flags.
  • Rigorously test your software products using static analysis, fuzzing and manual reviews throughout the development cycle.
  • Analyze the root cause of past buffer overflow vulnerabilities to detect trends and patterns.

CISA and the FBI also highlighted these buffer overflow vulnerabilities:

CVE-2025-21333
CVE-2025-0282
CVE-2024-49138
CVE-2024-38812
CVE-2023-6549
CVE-2022-0185

For more information about buffer overflow attacks and vulnerabilities:


VIDEOS

What is a Buffer Overflow Attack? (TechTarget) 

Buffer Overflow Attacks Explained (Tech Sky)

 

2 - Europol to banks: Prepare for quantum computing threat

Financial institutions in Europe must get ready to face the cyberthreat that quantum computers will pose to data security and data privacy when these powerful systems become widely available.

That’s the message from Europol’s new document “Quantum Safe Financial Forum - A call to action” which urges the European financial sector to prioritize adopting post-quantum cryptography.

Here’s the problem: Quantum computers will be able to decrypt data protected with existing public-key cryptographic algorithms, which is why post-quantum algorithms are being developed, with several already available for use. 

Estimates about when these quantum computers will be ready range anywhere from five years to 15 years from now. However, the process for organizations to transition towards quantum-resistant cryptography will be lengthy and complicated.
 


In addition to adopting post-quantum cryptography, banks and other financial institutions should take this opportunity to boost their cryptography management practices, according to Europol.

However, the financial sector won’t be able to go through this journey unassisted. “Achieving this complex goal requires immediate action and a coordinated effort involving industry peers, vendors, policymakers, and society,” the document reads.

Europol recommendations for adopting post-quantum cryptography include:

  • To prioritize the shift to quantum-resistant cryptography, banks should update how they manage cryptography; train IT teams on cryptography; and allocate the required resources.
  • To update cryptographic management, banks should, for example, integrate this practice into general IT asset management; inventory cryptographic assets; and implement policy compliance checks.
  • Banks, governments, vendors and law enforcement agencies must collaborate, coordinate their efforts and share knowledge towards the common goal of securing data against quantum attacks.
  • Regulators should refrain from creating new rules and instead focus on collaborating with the private sector on a set of common, consistent guidelines for quantum-safe cryptography.

For more information about the threat from quantum computing:

3 - A temperature check on cloud security challenges

During this week’s webinar “How does an industry leader like Tenable protect its own cloud environments?,” we asked attendees about their main cloud security challenges. Check out how they responded.

(Source: 138 webinar attendees polled by Tenable, February 2025)

Interested in learning how Tenable’s security team uses Tenable Cloud Security to safeguard our cloud environments? Watch the on-demand webinar, in which Phillip Hayes, Tenable’s Director of Information Security, and Michael Garman, Tenable’s Senior Manager of Technology Engineering, discuss a variety of cloud security best practices.

For more information about Tenable’s cybersecurity best practices, check out these Tenable blogs:

4 - Google: Curbing cybercrime requires international collaboration

Governments must understand that financially motivated cyberattacks impact not only their specific victims but also endanger national security, and as such merit heightened attention from the public sector.

That’s a key takeaway from “Cybercrime: A Multifaceted National Security Threat,” a report released this week by Google’s Threat Intelligence Group.

Although cybercrime accounts for a majority of malicious cyber activity, it gets short shrift from national security cyber defenders, who instead place most of their focus on state-backed groups, the report states.

“While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions,” the authors wrote.
 


“Financially motivated cyber intrusions, even those without any ties to state goals, harm national security. A single incident can be impactful enough on its own to have a severe consequence on the victim and disrupt citizens' access to critical goods and services,” the report reads.

So how can governments more effectively tackle national-security cyberthreats from profit-seeking cybercriminals? Here are some of Google’s recommendations for government policymakers globally:

  • Raise cybercrime to a national security priority, including collecting and analyzing data on cybercrime groups; and boosting law enforcement’s capacity to fight cybercrime.
  • Promote adoption of strong cyber defenses across all industries by, for example, incentivizing organizations to adopt security best practices.
  • Deploy legal, technical and financial measures to dismantle the infrastructure supporting cybercrime operations.
  • Strengthen international collaboration by sharing cyberthreat information, conducting joint investigations and taking coordinated actions against cybercrime networks.
  • Enhance efforts to educate individuals and organizations about online safety, cyber best practices and cyber incident reporting.

For more information about cybercrime trends:

5 - Bipartisan U.S. bill seeks tougher punishments for cybercrimes

A bill introduced by two U.S. senators this week would update an existing computer crime law in order to dial up penalties for cybercrime conspiracies.

Currently, the U.S. government charges suspects accused of conspiracies to commit cybercrimes under a general statute, instead of under the Computer Fraud and Abuse Act (CFAA).

 

 

While the maximum penalty under the general conspiracy statute is five years in prison, the new conspiracy charge that would be added to the CFAA via the “Cyber Conspiracy Modernization Act” could result in jail time ranging between 10 years to life imprisonment.

“The ‘Cyber Conspiracy Modernization Act’ would amend the CFAA to create a specific penalty for the crime of conspiracy under the CFAA,” reads a statement from Sen. Mike Rounds (R-S.D.) who introduced the bill along with Sen. Kirsten Gillibrand (D-N.Y.)

6 - Report: Global ransomware attacks up in 2024

Ransomware attacks grew 15% worldwide last year, compared with 2023, as ransomware gangs showed a growing interest not just in encrypting data but in stealing it to further monetize it.

That’s according to NCC Group’s “Cyber Threat Intelligence Annual Report 2024,” which also found that the industrials sector was the hardest hit, suffering 27% of ransomware attacks, a sign of ransomware groups' focus on critical infrastructure organizations.
 


A trend that developed last year was the increasing interest among ransomware gangs on swiping data, not just locking it up in exchange for payment. Why? Stealing data is “faster, easier and more profitable,” according to NCC Group.

“Stolen information can be leveraged for extortion, fraud, identity theft, or even future breaches, making it a highly valuable commodity in the hands of cybercriminals,” reads the report.

The 5,263 ransomware attacks observed by NCC Group in 2024 were the most since it started monitoring them in 2021. Despite getting hit by law enforcement operations, LockBit ranked first among ransomware groups with 10% of all attacks, followed by RansomHub.

For more information about ransomware:

Juan Perez

Frequently Asked Questions About DeepSeek Large Language Model (LLM)

Tenable Blog
2 weeks 5 days ago

The open-source LLM known as DeepSeek has attracted much attention in recent weeks with the release of DeepSeek V3 and DeepSeek R1, and in this blog, The Tenable Security Response Team answers some of the frequently asked questions (FAQ) about it.

Background

The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding DeepSeek.

FAQ

What is DeepSeek?

DeepSeek typically refers to the large language model (LLM) produced by a Chinese company named DeepSeek, founded in 2023 by Liang Wenfeng.

What is a large language model?

A large language model, or LLM, is a machine-learning model that has been pre-trained on a large corpus of data, which enables it to respond to user inputs using natural, human-like responses.

Why is there so much interest in the DeepSeek LLM?

In January 2025, DeepSeek published two new LLMs: DeepSeek V3 and DeepSeek R1. The interest surrounding these models is two-fold: first, they are open-source, meaning anyone can download and run these LLMs on their local machines and, second, they were reportedly trained using less-powerful hardware, which was believed to be a breakthrough in this space as it revealed that such models could be developed at a lower cost.

What are the differences between DeepSeek V3 and DeepSeek R1?

DeepSeek V3 is an LLM that employs a technique called mixture-of-experts (MoE) which requires less compute power because it only loads the required “experts” to respond to a prompt. It also implements a new technique called multi-head latent attention (MLA), which significantly reduces the memory usage and performance during training and inference (the process of generating a response from user input).

In addition to MoE and MLA, DeepSeek R1 implements a multitoken prediction (MTP) architecture first introduced by Meta. Instead of just predicting the next word each time the model is executed, DeepSeek R1 predicts the next two tokens in parallel.

DeepSeek R1 is an advanced LLM that utilizes reasoning, which includes chain-of-thought (CoT), revealing to the end user how it responds to each prompt. According to DeepSeek, performance of its R1 model “rivals” OpenAI’s o1 model.

Example of DeepSeek’s chain-of-thought (CoT) reasoning model

What are the minimum requirements to run a DeepSeek model locally?

It depends. DeepSeek R1 has 671 billion parameters and requires multiple expensive high-end GPUs to run. There are distilled versions of the model starting at 1.5 billion parameters, going all the way up to 70 billion parameters. These distilled models are able to run on consumer-grade hardware. Here is the size on disk for each model:

DeepSeek R1 modelsSize on disk1.5b1.1 GB7b4.4 GB8b4.9 GB14b9.0 GB32b22 GB70b43 GB671b404 GB

Therefore, the lower the parameters, the less resources are required and the higher the parameters, the more resources are required.

The number of parameters also influences how the model will respond to prompts by the user. Most modern computers, including laptops that have 8 to 16 gigabytes of RAM, are capable of running distilled LLMs with 7 billion or 8 billion parameters.

What makes DeepSeek different from other LLMs?

Benchmark testing conducted by DeepSeek showed that its DeepSeek R1 model is on par with many of the existing models from OpenAI, Claude and Meta at the time of its release. Additionally, many of the companies in this space have not open-sourced their frontier LLMs, which gives DeepSeek a unique advantage.

Finally, its CoT approach is verbose, revealing more of the nuances involved in how LLMs respond to prompts compared to other reasoning models. The latest models from OpenAI (o3) and Google (Gemini 2.0 Flash Thinking) reveal additional reasoning to the end user, though in a less verbose fashion.

What is a frontier model?

A frontier model refers to the most advanced LLMs available that include complex reasoning and problem-solving capabilities. Currently, OpenAI’s o1 and o3 models along with DeepSeek R1 are the only frontier models available.

DeepSeek was created by a Chinese company. Is it safe to use?

It depends. Deploying the open-source version of DeepSeek on a system is likely safer to use versus DeepSeek’s website or mobile applications, since it doesn’t require a connection to the internet to function. However, there are genuine privacy and security concerns about using DeepSeek, specifically through its website and its mobile applications available on iOS and Android.

What are the concerns surrounding using DeepSeek’s website and mobile applications?

DeepSeek's data collection disclosure is outlined in its privacy policy, which specifies the types of data collected when using its website or mobile applications. It's important to note that data is stored on secure servers in the People's Republic of China, although the retention terms are unclear. Since DeepSeek operates in China, its terms of service are subject to Chinese law, meaning that consumer privacy protections, such as the EU’s GDPR and similar global regulations, do not apply. If you choose to download DeepSeek models and run them locally, you face a lower risk regarding data privacy.

Has DeepSeek been banned anywhere or is it being reviewed for a potential ban?

As of February 13, several countries have banned or are investigating DeepSeek for a potential ban, including Italy, Taiwan, South Korea and Australia, as well as several states in the U.S. have banned DeepSeek from government devices including Texas, New York, Virginia along with several entities of the U.S. federal government including the U.S. Department of Defense, U.S. Navy and the U.S. Congress. This list is likely to continue to grow in the coming weeks and months.

Is Tenable looking into safety and security concerns surrounding LLMs like DeepSeek?

Yes, Tenable Research is actively researching LLMs, including DeepSeek, and will be sharing more of our findings in future publications on the Tenable blog.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang, Nick Miles

Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)

Tenable Blog
3 weeks ago
  1. 3Critical
  2. 52Important
  3. 0Moderate
  4. 0Low

Microsoft addresses 55 CVEs with three rated critical and four zero-day vulnerabilities, including two that were exploited in the wild.

Microsoft patched 55 CVEs in its February 2025 Patch Tuesday release, with three rated critical and 52 rated as important. Our counts omitted one vulnerability reported by HackerOne.

This month’s update includes patches for:

  • Active Directory Domain Services
  • Azure Active Directory
  • Azure Firmware
  • Azure Network Watcher
  • Microsoft AutoUpdate (MAU)
  • Microsoft Digest Authentication
  • Microsoft High Performance Compute Pack (HPC) Linux Node Agent
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft PC Manager
  • Microsoft Streaming Service
  • Microsoft Surface
  • Microsoft Windows
  • Outlook for Android
  • Visual Studio
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows CoreMessaging
  • Windows DHCP Client
  • Windows DHCP Server
  • Windows DWM Core Library
  • Windows Disk Cleanup Tool
  • Windows Installer
  • Windows Internet Connection Sharing (ICS)
  • Windows Kerberos
  • Windows Kernel
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows Message Queuing
  • Windows NTLM
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS) Deduplication Service
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Setup Files Cleanup
  • Windows Storage
  • Windows Telephony Server
  • Windows Telephony Service
  • Windows Update Stack
  • Windows Win32 Kernel Subsystem

Remote code execution (RCE) vulnerabilities accounted for 38.2% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 34.5%.

ImportantCVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-21418 is an EoP vulnerability in the Ancillary Function Driver for WinSock for Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM level privileges.

Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

Since 2022, there have been nine Ancillary Function Driver for WinSock EoP vulnerabilities patched across Patch Tuesday releases, including three in 2022, three in 2023, and three in 2024, including one that was exploited in the wild as a zero-day (CVE-2024-38193) by the North Korean APT known as the Lazarus Group to implant the FudModule rootkit.

ImportantCVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability

CVE-2025-21391 is an EoP vulnerability in Windows Storage. It was assigned a CVSSv3 score of 7.1 and is rated important. A local, authenticated attacker could exploit this vulnerability to delete files from a system. According to Microsoft, this vulnerability does not disclose confidential information to an attacker, rather, it only provides them with the capability to delete data, which may include data that could result in service disruption.

Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

Since 2022, there have been seven Windows Storage EoP vulnerabilities patched across Patch Tuesday releases, including two in 2022, one in 2023 and four in 2024. However, this is the first Windows Storage EoP vulnerability exploited in the wild.

ImportantCVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability

CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface. This vulnerability was assigned a CVSSv3 score of 7.1 and was publicly disclosed prior to a patch being available from Microsoft. According to the advisory, exploitation requires multiple steps, including an attacker successfully gaining access to the same network as the device. Additionally, exploitation requires the attacker to convince the user to reboot their device. With multiple requirements for exploitation, this flaw was assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.

ImportantCVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability

CVE-2025-21377 is a New Technology LAN Manager (NTLM) Hash disclosure spoofing vulnerability that was publicly disclosed prior to a patch being made available. Despite the medium severity CVSSv3 score of 6.5, Microsoft assesses this vulnerability as “Exploitation More Likely.” Successful exploitation requires an attacker to convince a user to interact with a malicious file, such as inspecting the file or “performing an action other than opening or executing the file.” Exploitation would allow an attacker to obtain a user's NTLMv2 hash, which could then be used to authenticate as that user.

Microsoft’s advisory also notes that users that only install “Security Only” updates will also need to install Internet Explorer (IE) Cumulative updates in order to be fully protected against this vulnerability.

CriticalCVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

CVE-2025-21376 is a critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP). This vulnerability was assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely" according to Microsoft. Successful exploitation requires winning a race condition via a specially crafted request necessary to exploit a buffer overflow. If successful, the attacker could achieve RCE on an affected host.

This is the first LDAP RCE in 2025, with three having been patched in the December 2024 Patch Tuesday release, each of which were also rated as critical.

ImportantCVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2025-21400 is a RCE vulnerability affecting Microsoft SharePoint Server. This vulnerability was assigned a CVSSv3 score of 8.0 and rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. Exploitation requires an attacker to coerce the victim machine to first connect to a malicious server. This vulnerability was credited to cjm00n of Cyber Kunlun Lab and Zhiniang Peng.

ImportantCVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability

CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

According to Microsoft, exploitation for CVE-2025-21184 and CVE-2025-21414 requires an attacker to gather information about the target as well as take additional measures to prepare a target for exploitation. Despite the differing requirements necessary for exploitation, Microsoft assesses all three of these vulnerabilities as “Exploitation More Likely.”

Tenable Solutions

A list of all the plugins released for Microsoft’s February 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Cybersecurity Snapshot: Cyber Agencies Offer Best Practices for Network Edge Security, While OWASP Ranks Top Risks of Non-Human Identities

Tenable Blog
3 weeks 4 days ago

Check out recommendations from CISA and others on how to protect network edge devices and applications. Plus, OWASP has published the 10 risks associated with non-human identities. In addition, find out why ransomware payments plunged in 2024. And a new U.K. non-profit will categorize cyber incidents’ severity. And much more!

Dive into six things that are top of mind for the week ending Feb. 7.

1 - New cyber guides unpack how to secure network edge wares

Looking for insights and best practices for preventing and mitigating cyberattacks against network edge hardware and software devices, such as routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems? You might want to check out new guidance published by several cybersecurity agencies this week.

“Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems,” reads a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise,” the statement adds.
 


These are the new guides, jointly published by cyber agencies from various countries:

“As organizations scale their enterprises, even though securing all devices is important, prioritizing edge device security is vital to defend the many endpoints, critical services, and sensitive data they protect,” Eric Chudow, a U.S. National Security Agency cybersecurity vulnerability analyst, said in a statement.

For more information about network edge vulnerabilities, check out these Tenable blogs:

2 - OWASP ranks top cyber risks of non-human identities

Recognizing the significant growth in non-human identities (NHIs), such as access keys and service accounts, OWASP has published a list of the 10 most critical risks associated with them.

The goal of the “OWASP Non-Human Identities Top 10” project is to make software developers and security pros aware of NHI risks and of the best practices to prevent and mitigate related threats.

“Non-human identities are prevalent in usage for facilitating creation of applications by developers, and the project is aimed at helping security professionals thoroughly understand their non-human attack surface, so they can better protect and manage it,” reads the project’s home page.

Here’s the OWASP list of the top 10 NHI risks:

“This comprehensive list highlights the most critical challenges in integrating NHIs into the development lifecycle, ranked based on exploitability, prevalence, detectability, and impact,” reads the project’s home page.

For more information about securely managing digital identities:

3 - Report: Ransomware payments dropped in 2024

If your organization suffers a ransomware attack, would it be less willing to pay the attackers than, say, it would have been a few years ago? If so, then you’d be part of a growing trend.

Last year, ransomware gangs collectively pocketed less money than in 2023, as victims refused to shell out ransom payments in more than half of 2024 incidents. 

That’s according to blockchain analytics firm Chainalysis, which this week said that although ransomware incidents grew in 2024, ransom payments shrunk significantly compared with 2023.

Another factor that disrupted ransomware activity was a variety of global law enforcement efforts that hobbled major ransomware players.

Specifically, ransomware groups collected about $814 million from victims last year, down 35% from $1.25 billion in 2023.

Interestingly, ransomware payments in the first half of 2024 were up about 2.4%, compared with the same period in 2023. However, payments then declined about 40% in 2024’s second half.

(Source: Chainalysis, February 2025)

Two large ransomware gangs whose activity plummeted in the second half of 2024 were LockBit, which was hit by law enforcement actions, and ALPHV/BlackCat.

Although lone actors and smaller new groups emerged, they weren’t able to fully fill the ransom-payment void left by disrupted larger groups, which also included Blacksuit and Silent/Luna Moth.

Ransomware in 2024 reflected shifts driven by law enforcement action, improved victim resilience, and emerging attack trends,” reads Chainalysis’ report.

For more information about recent ransomware trends and incidents:

4 - New non-profit will analyze and rate U.K. cyber incidents

The Cyber Monitoring Centre (CMC) went live this week with the charter of using a standard and uniform criteria for rating the severity of cybersecurity incidents that impact U.K. businesses.

An independent non-profit organization, the CMC hopes its work will help organizations more clearly grasp the consequences of cyber incidents so that they can improve their mitigaton and response.

“The CMC has the potential to help businesses and individuals better understand the implications of cyber events, mitigate their impact on people’s lives, and improve cyber resilience and response plans,” reads a CMC statement.

The CMC has developed a framework for assessing and analyzing cyber incidents that affect multiple companies and could potentially cause more than £100 million in losses. The CMC’s technical committee will gather cyber incident data and use the framework to analyze it.

“Measuring the severity of incidents has proved very challenging,” Ciaran Martin, the CMC’s technical committee chairman and a former head of the U.K. National Cyber Security Centre, said in the statement.

“I have no doubt the CMC will improve the way we tackle, learn from, and recover from cyber incidents,” he added. 

Once it has completed its analysis of an incident, the CMC will rate it between 1 (least severe) and 5, and create a free report available to any interested organization.

To get more details about the CMC, check out the announcement “Cyber Monitoring Centre officially starts categorising cyber events” and the organization’s “Event Categorisation Methodology.”

5 - CISA alerts healthcare orgs about backdoor in Contec tool

Here’s one security warning for hospitals, clinics and other healthcare facilities.

The product Contec CMS8000, used to monitor patients’ vital signs, has a backdoor that can allow data leakage, remote code execution and device modification, CISA has warned.

The Contec CMS8000’s embedded backdoor function with a hard-coded IP address is present in three versions of the product’s firmware, according to CISA’s factsheet.
 


Two CVEs have been assigned to the issue: CVE-2025-0626 and CVE-2025-0683

The Contec CMS8000 is also sold under different names, including Epsimed MN-120. The manufacturer, Contec Medical Systems, is based in Qinhuangdao, China.

To get more details about healthcare security, check out:

6 - E-marketplaces for cybercrime wares shut down

The U.S. Department of Justice and and Dutch National Police took down almost 40 domains and their servers that a Pakistan-based group had used for years to sell phishing toolkits, hacking wares and other cybercrime tools.

The group, known as Saim Raza and as HeartSender, had operated the now shuttered websites since at least 2020. Its customers were organized cybercrime groups that inflicted losses of more than $3 million on U.S. victims, mostly via business email compromise schemes.
 


“The seizure of these domains is intended to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community,” reads a DOJ statement.

In addition to selling cybercrime tools, Saim Raza also provided training via instructional videos posted on YouTube on how to use these products and on how to carry out cyber fraud operations.

For more information about cybercrime trends:

Juan Perez

Tenable Supercharges Exposure Management with Acquisition of Vulcan Cyber

Tenable Blog
3 weeks 4 days ago

Vulcan brings more than 100 additional third-party integrations and enhanced remediation workflows to the Tenable One Exposure Management Platform, enabling organizations to prioritize their security risk based on contextualized and enriched intelligence.

At our core, Tenable is dedicated to exposing and closing the security gaps that put businesses at risk. Today, we announce a significant advancement in that mission with the acquisition of Vulcan Cyber, whose capabilities will soon enhance the Tenable One Exposure Management Platform.

The role of exposure management

As the cyber attack surface expands exponentially, so does the number of security tools meant to manage it. Unfortunately, these scattered tools often overwhelm security teams with fragmented insights — resulting in endless alerts, isolated data and conflicting recommendations on how to address threats — making it nearly impossible to understand what matters most.

Exposure management addresses these challenges by shifting preventive security from securing technology silos to applying contextual risk intelligence to protect the business. Since the launch of the Tenable One Exposure Management Platform in 2022, we’ve helped customers:

  • Gain visibility and control across the entire attack surface
  • Prioritize exposure risk based on contextualized and enriched intelligence
  • Foster collaboration among security teams and remediation owners using automated workflows and remediation guidance
  • Remediate more critical findings and reduce mean time to remediate (MTTR)
Expanding Tenable One with Vulcan Cyber

By integrating Vulcan Cyber’s capabilities into Tenable One, we will expand our ecosystem of third-party data integrations across vulnerability assessment, endpoint, cloud and application security, which will provide our customers with even more visibility and control over their entire attack surface. Vulcan also introduces advanced tagging, intelligent ticketing and automated campaigns that will automatically route security issues to the appropriate teams, ensuring seamless collaboration between security teams and remediation owners.

This acquisition represents a powerful step forward in our vision to build the most advanced exposure management platform on the market — one that doesn’t just highlight weaknesses but actively helps businesses close their most critical security gaps. With Vulcan Cyber’s third-party integrations and automated remediation workflows, combined with Tenable One’s analysis of vulnerabilities and misconfigurations across IT, cloud, identity, internet of things (IoT) and operational technology (OT) systems, our customers have the ability to prioritize the most critical actions, automate remediation workflows to improve proactive security and manage everything within a single, user-friendly interface.

Stay tuned for more updates as we integrate Vulcan Cyber into the Tenable ecosystem.

Amir Hirsh

CISA Releases FOCAL Plan to Help Federal Agencies Reduce Cyber Risk

Tenable Blog
1 month ago

CISA’s FOCAL Plan, which aims to standardize the cybersecurity operations of federal civilian agencies, marks an important step in the federal government's efforts to strengthen cyber defenses and reduce agency risk. Learn how Tenable One for Government, which recently achieved FedRAMP Authorization, aligns to the FOCAL Plan key priorities. 

Each Federal Civilian Executive Branch (FCEB) agency has a unique role in supporting the mission of the U.S. federal government, from national security to healthcare to education. However, agencies’ approaches to managing cyber risk vary widely, with each agency operating independent networks with interconnected systems and varying degrees of cyber risk tolerance. This complexity makes managing exposures across the FCEB a complex challenge and drives the need for a coordinated cybersecurity strategy.

To address this issue, the Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled the “Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan.” It’s designed to enhance cybersecurity across the FCEB by standardizing essential components of operational cybersecurity throughout the federal enterprise and enabling a collective defense approach. It provides actionable steps federal agencies can take, with their varied architectures and risk management strategies, to mitigate cyber risks and improve resilience through a unified approach to operational defense. And while it is not an exhaustive list of all the things agencies must do to secure their missions, it does provide a baseline for agencies to focus resources on those actions that substantially advance operational cybersecurity improvements and alignment goals. 

CISA’s FOCAL Plan priority areas

(Source: “Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan,” CISA, September 2024.)

  1. Asset Management

To safeguard federal networks, agencies must have comprehensive visibility into their entire infrastructure, and continuously assess how those assets are interconnected. As the old saying goes: “You can’t protect what you can’t see.” This priority area aims to ensure agencies know what assets they have so they can be properly defended. 

It’s important to remember that assets span far beyond traditional IT assets. As recent mandates and CISA Binding Operational Directives (BOD) have stressed, agencies must have visibility into OT, IoT, cloud and identity assets. Look no further than the Office of Management and Budget (OMB)’s Memorandum M-24-04 which directed federal civilian departments and agencies to inventory their IoT and OT assets by the end of fiscal year 2024.

  1. Vulnerability Management

Getting an accurate inventory of your assets is a key first step, but it’s equally fundamental to understand the vulnerabilities on each of those assets so that you can proactively secure the attack surface. As the FOCAL Plan points out: “What constitutes an agency’s enterprise has evolved over the years, particularly as the attack surface has expanded and grown more complicated.” This has made vulnerability management more challenging. The FOCAL Plan focuses on proactive vulnerability management, so that agencies can understand their exposures by identifying, assessing and mitigating vulnerabilities across asset types, before an attacker can exploit them. 

  1. Defensible Architecture

Because attacks are inevitable and resilience is critical, this priority area focuses on building robust, defensible infrastructures with principles like segmentation, identity management and zero-trust security. With a focus on limiting an attacker's ability to access sensitive data when a compromise occurs, this priority aims to help agencies minimize impact and operational disruptions through the implementation of proper tools and controls. 

  1. Cyber Supply Chain Risk Management (C-SCRM)

FCEB agencies often rely on third-party vendors, which can introduce supply chain risk. This priority addresses the risk posed by external vendors and technologies by ensuring agencies can quickly identify, assess and mitigate vulnerable software and hardware from their suppliers and partners. 

Case in point: the critical Log4j vulnerability, known as Log4Shell, a critical remote code execution vulnerability in Apache’s Log4j software library. This vulnerability posed a massive risk due to the widespread use of the Apache Log4j open-source logging library in many enterprise applications and cloud services, and the ease with which the vulnerability could be exploited. In the days that followed, every agency and industry security practitioner had to detect all instances of Log4j in their environment. In many cases, versions of the offering were buried deep within third-party software packages or government off-the-shelf solutions. Agencies with a complete understanding of the software deployed across their environment were able to quickly respond to the threat, and meet or exceed the deadline established by the CISA Emergency Directive (ED) 22-02. Unfortunately, Log4Shell quickly became a crisis for security teams that did not have a complete understanding of their inventory.

  1. Incident Detection and Response 

This priority area is geared towards strengthening the ability of security operations centers (SOCs) to detect, respond to, and mitigate cyberattacks rapidly and effectively. As mentioned earlier, attacks are inevitable, so it’s critical to quickly detect and respond to an attack. Combining rapid detection and response with best practices such as segmentation and identity management will further disrupt an attacker's ability to access sensitive data.

Meeting CISA FOCAL Plan priorities with Tenable One

We’re excited to share that Tenable One is now FedRAMP authorized at the moderate impact level. Tenable One for Government is an exposure management platform designed to help agencies radically unify security visibility, insight and action across the attack surface to rapidly expose and close the gaps that put agencies at risk. 

Tenable One for Government helps agencies meet CISA FOCAL Plan priorities with:

  • Centralized visibility of all assets across the attack surface, from IT infrastructure to cloud environments to critical infrastructure, containers, identity systems, web applications and everywhere in between.
  • Vulnerability enumeration and prioritization so you can pinpoint priority weaknesses and focus on the actual exposures that matter to quickly reduce cyber risk.
  • A defensible architecture based on zero trust principles so you can quickly detect and respond to attacks in real time, map attack paths and surface all the possible steps that attackers could take to move laterally, escalate privileges and gain control of your infrastructure.
  • A deep understanding of overall cyber risk with risk metrics and exposure scores to easily identify problem areas across your agency infrastructure. You can then set precise, trackable KPIs and SLAs to hold teams accountable for managing risk.
Learn more:
Garrett Cook

Cybersecurity Snapshot: CSA Offers Tips for Deploying AI Securely, While Deloitte Says Cyber Teams’ GenAI Use Yields Top ROI

Tenable Blog
1 month ago

Check out the Cloud Security Alliance’s recommendations for rolling out AI apps securely. Meanwhile, a Deloitte survey found GenAI initiatives by cyber teams deliver the highest ROI to their orgs. Plus, the NSA urges orgs to combat GenAI deepfakes with content provenance tech. And get the latest on CISO trends; patch management; and data breach prevention.

Dive into six things that are top of mind for the week ending Jan. 31.

1 - CSA: Best practices for secure AI implementation

Looking for guidance on how to deploy AI systems securely? You might want to check out the Cloud Security Alliance’s new white paper “AI Organizational Responsibilities: AI Tools and Applications.

Published this week, the paper covers three key areas: the security of large language models and generative AI applications; supply chain management; and additional implementation elements, such as employee use of generative AI tools. 
 

 
Each of those three areas is analyzed according to six areas of responsibility for teams deploying AI systems:

  • Evaluation criteria: To assess AI risks, organizations need quantifiable metrics. That way, they’ll be able to measure elements such as model performance, data quality, algorithmic bias and vendor reliability.
  • RACI model: It’s key to be clear about who is responsible, accountable, consulted and informed (RACI) regarding AI decisions, selection of tools and vendor management.
  • High-level implementation strategies: Teams should outline the process for integrating AI tools and applications into existing workows, and particularly how they’ll address challenges such as data integration and model deployment.
  • Continuous monitoring and reporting: The paper recommends continuously monitoring elements such as AI tool performance and data drift, and regularly generating reports on AI system health and vendor compliance.
  • Access control: It’s critical to implement strong access-control mechanisms to protect algorithms, data and AI infrastructure.
  • Adherence to AI standards and best practices: Complying with AI standards, regulations and guidelines will help teams, for example, secure AI applications, conduct responsible AI development and mitigate supply chain risks.

As AI technologies evolve and their adoption expands across industries, the need for strong governance, security protocols, and ethical considerations becomes increasingly critical,” Michael Roza, the paper’s lead author, said in a statement.

Some of the white paper’s key takeaways include:

  • AI security requires addressing both traditional and AI-specific cybersecurity concerns.
  • Effective third-party and supply chain management is critical. 
  • Organizations need clear policies and guidelines for employees’ AI use.
  • AI governance requires clear role definitions and specialized skills.

For more information about AI security, check out these Tenable blogs:

2 - Report: Cybersecurity use of GenAI produces highest ROI

As enterprises deploy generative AI across their business, cybersecurity initiatives are generating the highest return on investment (ROI).

Moreover, cybersecurity initiatives are more deeply integrated into work processes than initiatives from other departments, such as sales, research and development, and finance.

Those findings come from Deloitte’s “The State of Generative AI in the Enterprise: Generating a new future” report, based on a survey of about 2,770 directors and CxOs from organizations piloting or implementing generative AI.

“Relative to other types of advanced GenAI initiatives, those focused on cybersecurity are far more likely to be exceeding their ROI expectations,” reads the report from Deloitte, which polled respondents in 14 countries.

Specifically, the survey found that 44% of respondents' cybersecurity initiatives are delivering an ROI that is “somewhat or significantly above expectations.” 
 

(Source: Deloitte’s “The State of Generative AI in the Enterprise: Generating a new future” report, January 2025)

While these findings reflect positively on how cybersecurity departments are deploying generative AI, the technology still faces adoption challenges in enterprises in general, the report notes, including:

  • Regulatory uncertainty
  • Risk management
  • Data deficiencies
  • Workforce issues

Specifically, regulatory concerns have become the top barrier for generative AI adoption, while almost 70% of respondents estimate that it’ll take their organizations more than a year to fully implement a generative AI governance strategy.

The report’s recommendations for successful adoption of generative AI in enterprises include:

  • CxOs must ensure IT and business leaders work in tandem.
  • Ensure generative AI initiatives deliver measurable ROI by, for example, focusing on high-impact use cases; establishing centralized governance; and continuously iterating.
  • Plan for the eventual adoption of agentic AI systems, which can act with a high degree of autonomy, requiring little or no human intervention.

To get more details, check out the report’s announcement, the full report and this video of a panel discussion about the report:

For more information about using generative AI for cybersecurity:

3 - How content provenance tech helps flag AI deepfakes

Organizations must get acquainted with a key technology designed to track the origin of media files and that way verify if they have been maliciously created or modified to spread falsehoods and misinformation.

That’s the message from the Australian, Canadian, U.K. and U.S. governments, which this week jointly published the document “Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era.

“Advanced tools that allow the easy creation, alteration, and dissemination of digital content are now more accessible and sophisticated than ever before,” the 25-page document reads.  
 


“This escalation threatens organizations’ security, with AI-generated media being used for impersonations, fraudulent communications, and brand damage. Therefore, restoring transparency has never been more urgent,” the document adds.

The technology in question is called Content Credentials, and, according to the document, it’s in the process of becoming global ISO standard 22144. It tracks the provenance of media files by logging their creation and subsequent changes, and storing that information as encrypted, tamper-evident metadata.

Co-authored by the U.S. National Security Agency, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security and the U.K. National Cyber Security Centre, the document seeks to:

  • Explain how Content Credentials can provide media-provenance transparency
  • Create awareness about how Content Credentials is being developed
  • Recommend best practices for how to preserve provenance data
  • Stress why broadly adopting Content Credentials is critical

The Content Credentials technical specification is developed and maintained by the Coalition for Content Provenance and Authenticity (C2PA) and implemented by the Content Authority Initiative (CPI)

For more information about Content Credentials:

VIDEO

Join the movement for content authenticity (Content Authenticity Initiative)

4 - Study: CISOs’ access to the board and CxOs is critical

Organizations where the CISO works closely with the board of directors and with fellow CxOs have stronger security programs than organizations where this collaboration is weaker.

In addition, CISOs with strong ties to their boards and CxOs tend to be happier at work and to earn more.

Those are two findings from the “State of the CISO 2025 Report” from IANS Research and Artico Search, based on a survey of 830 security executives.

“This report demonstrates that board engagement and C-suite access is critical in shaping the future of a security program and a CISO’s career,” Steve Martano, IANS Faculty and Executive Cyber Recruiter at Artico Search, said in a statement.

Yet, only 28% of survey respondents fell into the category of “Stragegic CISO,” defined as one with outstanding C-suite access and boardroom influence. 

The majority – 50% – were deemed as “Functional CISOs,” who despite having “significant influence” nonetheless lack consistent visibility with the board or CxOs.

The rest – 22% – were classified as “Tactical CISOs” because they focus mostly on technology and have minimal interaction with the C-suite and the board. 
 

(Source: “State of the CISO 2025 Report” from IANS Research and Artico Search,” January 2025)

Obviously, the recommendation is for all CISOs to rise to the category of “Strategic CISO,” as close communication and collaboration with the board and fellow CxOs -- including CFOs -- is essential to align the security program with the business strategy.

For CISOs to have optimal communication with board members and CxOs, the report recommends that they:

  • Volunteer for projects and committees to explain to fellow business leaders the security angle of these cross-functional initiatives.
  • Delegate tactical and operational tasks on team members so CISOs have more time for strategic work.
  • Instead of limiting themselves to technical topics, CISOs should address strategic governance issues and that way act as a partner to the other CxOs.

To get more details, check out:

5 - Tenable: What are your patch management challenges?

During our recent webinar “From Reactive to Proactive: Expert Guide to Effective Remediation Automation,” we polled attendees about their struggles with patch management. Check out what they said. 
 

(124 webinar attendees polled by Tenable, January 2025)

Check out the on-demand webinar to learn about actionable strategies and proven approaches for streamlining remediation, improving patching efficiency and reducing risk.

To learn more about patch management and vulnerability management, check out these Tenable resources:

VIDEO

Key Elements of Effective Exposure Response

6 - Data breach report: Many incidents preventable with standard cyber

Almost 200 data breaches that occurred in the U.S. last year -- including several of the largest ones -- could have been prevented via the use of well-known cybersecurity practices.

That’s one of the findings from the Identity Theft Resource Center’s “2024 Data Breach Report,” which was published this week and is the latest reminder of the importance of adopting foundational cybersecurity tools and procedures.

“A significant number of data compromises could have been avoided with basic cybersecurity,” ITRC President James E. Lee wrote in the report’s introduction.

Specifically, four of 2024’s “mega-breaches,” which collectively resulted in the issuance of 1.24 billion victim notices, were deemed preventable through cybersecurity processes and techniques, including:

  • multi-factor authentication (MFA) or passkeys
  • secure software software development
  • vulnerability patching
  • security awareness training


Here are other key findings from the report:

  • The 3,158 U.S. data compromises recorded in 2024 fell 1% compared with 2023. Most of the incidents – 90% – were categorized as data breaches.
  • Cyberattacks caused the majority – 80% – of data breaches. The rest were caused by system and human errors; physical attacks; and supply chain attacks.
  • Victim notices skyrocketed 312% to 1.72 billion, driven by 2024's six “mega-breaches,” each of which generated at least 100 million notices.
  • The hardest hit industry was financial services, followed by healthcare and professional services.

To get more information, check out the ITRC’s report announcement and the full report.

For more information about data security:

Juan Perez

What Makes This “Data Privacy Day” Different?

Tenable Blog
1 month 1 week ago

As we celebrate Data Privacy Day, Bernard Montel, Tenable’s EMEA Technical Director and Security Strategist, wants to remind us that we live in a digital world and that we need to protect it. With data breaches a daily occurrence, and AI changing the playing field, he urges everyone to “do better.”

Launched in April 2006 by the Council of Europe, Data Protection Day – or Data Privacy Day, as it’s known outside of Europe – is celebrated globally every year on January 28. Back in 2006, around 100 million records were compromised across various breaches in the U.S., according to data collated by Privacy Rights Clearing House. But in 2024, in just one data breach suffered by National Public Data (NPD), approximately 2.9 billion records were allegedly stolen.

Collectively, we have to do better. 

The lifeblood of the organization

Data is the essence of every company. It’s information about your customers, your employees, your intellectual property, your financial performance and more. Data also fuels innovation in the cloud. However, the volume and complexity in hybrid and multi-cloud environments make it increasingly complex to secure your business’s data. 

Externally, data breaches can lead to mistrust and brand damage, as well as to lawsuits, fines and lost business. Internally, they can – and should – trigger increased scrutiny from the board, which will justifiably question the strength of the organization’s security posture. 

When AI comes marching in

With data at the heart of everything, AI has completely changed the playing field this Data Privacy Day, adding a further layer of risk when it comes to protecting our information. 

Organizations face the complex task of controlling AI deployment usage while also identifying vulnerabilities within AI tools and AI development packages. The adoption of AI increases the volume and variety of cloud data. In tandem, as AI applications become more sophisticated, they require more training data to learn from and function effectively. Thus, protecting cloud data is paramount to maintaining the integrity and security of your business’s AI usage.

Externally, threat actors are also looking to supercharge their activity with AI. It has been well documented how attackers are leveraging AI to write more sophisticated and effective malware for ransomware attacks, as well as to enhance phishing scams and more. 

You can’t have privacy without security

To take advantage of the unique opportunities offered by the cloud and AI, you must address the full spectrum of security responsibilities that accompany collecting, storing, and using data. These responsibilities include automatically and continuously scanning data assets, discovering and monitoring sensitive data, and alerting on any potential risk.

Protecting data in public cloud environments starts with three steps:

  • Know your cloud resources. You must discover the compute, identity and data resources in your cloud and get contextualized visibility into how critical resources are accessed.
  • Expose critical cloud risks. It’s critical to gain the context you need to focus on the priority risks caused by the toxic combination of misconfigurations, excessive entitlements, vulnerabilities and sensitive data.
  • Close cloud exposures. It’s essential to reduce cloud risk by closing priority exposures with top speed and surgical precision – even if you only have five minutes to spare.

Let’s look at how the integration of data security posture management (DSPM) into a cloud native application protection plaform (CNAPP) can give you a comprehensive view of your cloud data and the risks associated with it. 

DSPM is a set of ongoing processes and technologies that provides visibility into where sensitive data is stored, who has access to it, and how it's being used across your systems, providing analysis of the overall security posture around data itself, rather than just the infrastructure hosting it. 

Meanwhile, CNAPP solutions replace a patchwork of siloed products that often cause more problems than they solve, such as multiple false positives and excessive alerts. Those individual products usually provide only partial coverage and often create overhead and friction with the products they’re supposed to work with. Most importantly, CNAPPs allow businesses to monitor the health of cloud native applications as a whole rather than individually monitoring cloud infrastructure and application security.

When DSPM is integrated into a CNAPP, it empowers the security team to obtain actionable data context that helps the team better prioritize risks and reduce the organization's exposure to customer data breaches and the compromise of AI resources and intellectual property. 

How Tenable can help

With Tenable Cloud Security, you can reduce risk by rapidly exposing and closing priority security gaps caused by misconfigurations, risky entitlements and vulnerabilities – in one powerful CNAPP. With integrated DSPM capabilities, Tenable Cloud Security continuously monitors your multi-cloud environment to discover and classify data types, assign sensitivity levels and prioritize data findings in the context of the entire cloud attack surface. 

At Tenable, we help you identify your weaknesses, detect your gaps and close your exposures quickly. This Data Privacy Day, do better by taking action to protect the data that your organization relies upon to function and that you’re trusted to protect, wherever it resides.

Learn more
Bernard Montel

How To Clean Up Your Cloud Environment Using Tenable Cloud Security

Tenable Blog
1 month 1 week ago

You must periodically review your cloud environments to remove old and unused resources because they can create security risks. But what is the right way to perform this task? Read on to learn about five best practices we employ internally to clean up our cloud accounts which we hope can help enhance your cloud security strategy.

Overview

At the start of the new year, it’s important to assess all of your cloud environments and see where you can remove old and unused resources. While your production accounts might have a few unused resources and services, accounts used for product testing and development typically contain a larger number of resources of varying ages and states. 

While there are tools for automatically deleting those resources, these solutions often arbitrarily remove resources that are still needed. In order to prevent that from happening, it’s better to use a solution that provides more comprehensive details on what’s active, what’s not in use, and what you might need to exclude. That way, your organization would be able to make more informed decisions. 

After launching our Cloud Security program, we used Tenable Cloud Security to review our cloud accounts for old and unused resources. Based on our experience, we identified five key best practices for cloud environment cleanup and created a process to carry out this task. In this blog, we’re sharing what we’ve learned, hoping that it will help your organization refine its cloud security strategy further.

The rationale behind account cleanup

Reviewing and cleaning up old and unused resources from cloud accounts is important for several reasons.

First, many resources can generate hourly charges, but terminating one resource may not stop all its costs. That’s because associated resources often have additional costs that may linger within your account. 

It’s also essential to monitor all public-facing instances and virtual machines that use Secure Shell (SSH) keys or that have local login credentials set up. These resources can be accessible to users long after they have left your organization, leading to increased security risks.

Moreover, reviewing data within public-facing Amazon S3 buckets, Amazon RDS instances, GCP storage buckets, and Azure storage accounts can help prevent the exposure of sensitive data such as personally identifiable information (PII), financial records, and other sensitive information. 

In addition, when cleaning up cloud accounts, reviewing access control is also important. Reviewing the status of all user identities and how they access your account can help improve account security. You may have active and inactive user accounts with access and permissions to resources that need to be removed. 

Below we explain how you can find these resources and why it’s important to review them for potential deletion. We also highlight additional security controls you should consider implementing in your cloud environment. You can apply these best practices selectively or comprehensively, regardless of your cloud platform or the account types that need to be reviewed.

Consideration 1: Age of resources

To determine the age of your resources, first select the account in-scope, then choose the service you want to review under the “Inventory” section of the console. You can review the existing resource counts to see if you need to focus your cleanup efforts on a specific service. 
 


Tenable Cloud Security provides several options to easily view when a resource was created. Using the “Created” column, you can filter results from oldest to newest, so you can see the older resources at the top of the list.
 


In the console, if you want to view the resources created more than 180 days ago, select the “Created” filter, then use the “Before the last” option to choose that filtering criteria. 
 


Results using this filter should give you an idea of the age of your resources and what might need to be deleted. We also recommend that you export results to a .csv file to get the complete list of resources within your account, so you can view all resources at-a-glance, including those that do not contain a “Created” date.

Consideration 2: Active vs inactive

Cloud accounts will contain a combination of both active and inactive resources. Checking a resource’s size may indicate whether it’s in use or not. Tenable Cloud Security lists the size of data resources such as buckets, databases, clusters, and snapshots, so you’re able to filter the resources list using that element. Results can show you resources with little to no data being stored. Depending on the “Last Modified” date or “Created” date listed, some of these resources may be a good candidate for deletion. 
 


To quickly find inactive identities within the Tenable Cloud Security console, select the “Inactive” label. You'll get a list of inactive identities that are overprivileged permissions, require key rotation, or have unused access keys and passwords that must be addressed.
 


When reviewing other services to see if they are active, it’s important to remember that not all cloud services will provide details on when the resource was last active. The Amazon EC2 service, for example, supports the “Launch Time” filter, which indicates when an instance was last rebooted. However, other services like Amazon S3 only provide a “Created” date. The S3 service does not provide direct information on when a bucket is being actively used or when it was last modified. 

Consideration 3: Access to accounts

When reviewing access to accounts, it’s important to determine how your team members are accessing them, what resources are being used, and when they were last active. If you have set up in Tenable Cloud Security an “Identity Providers” integration such as Okta, Microsoft Entra ID, or Google Workspace for example, you can view the status of your “Users”, when they last signed-in, and how long ago they were active.
 


Another important aspect to consider is how team members are accessing the account. For AWS accounts, the list of questions below can help you determine where you need to focus your efforts.

  1. If you are using AWS Identity and Access Management (IAM) users to log into your account, do they employ access keys, passwords, or both? 
  2. If AWS IAM roles are used to log into the account, and IAM users are also required, should permissions be restricted using access keys only?
  3. Are there any inactive IAM user accounts that need to be disabled?
  4. Are there any team members with access to an active IAM user account that may have recently left your company? 

From this list, you can determine if you need to take additional steps such as deactivating an identity, removing access, or updating how users are accessing your account. Lastly, you may need to consider implementing additional security controls like organizational policies or IAM permissions to prevent the creation of those resources. 

Consideration 4: Public resources

While it’s important to check on all identities, it’s also critical to review what type of public-facing resources you have in your account. Many non-production accounts often include resources such as public instances or public buckets. These resources may allow public access to known ports, provide public access to web applications, and grant remote access to these instances. It’s also important to check for running public instances and virtual machines that use SSH keys. Public instances with SSH keys could contain local user accounts and credentials that were set up, but need to be disabled.
 


If you plan to retain any public-facing resources, we also recommend reviewing public buckets or storage accounts for any sensitive data that might be stored. Using Tenable Cloud Security’s Data Protection feature, you can find scanned buckets and managed databases containing sensitive data. Within the “Data” section, you can select the “Public” labels filter to view resources with sensitive data being stored on publicly accessible resources. 
 


Scanned results will include the specific files or location within the resource under the Details column that should be reviewed.
 


We recommend that you review all public resources and data within your account, as a data breach could have a significant financial impact on your organization. These results can also be used to determine if data obfuscation and anonymization practices need to be improved. 

Consideration 5: Resource types and costs

In your cloud account, it’s critical that you review what resource types are running, what region it’s operating in, and the data being accessed.

Tenable Cloud Security allows you to easily filter your resources by “Region”, “Instance Type” and “Instance Class.” Running instances and virtual machines generate hourly costs, and can vary depending on the size of the resource and operating region. You can use those filters to find instance variants, instance family size, or specific types to help you find high-cost resources that could be scaled down or removed. 
 


Even if your instance is stopped or terminated, you can still incur additional costs for associated snapshots, backups, storage, and IP addresses. To avoid additional cloud costs, we recommend deleting all associated resources that are not in use.

Regarding cleanup efforts, it's crucial to evaluate whether additional security controls need to be implemented. You can optionally set up IAM policy restrictions to specific regions or permit only certain instance types within your account. Additionally, organizational policies can also be applied for more comprehensive coverage.

Other things to keep in mind

Before starting any cleanup efforts, it’s important to factor in any resources that need to be excluded from future deletion. Resources managed through infrastructure as code (IaC) are a good example of resources that can remain out of scope. To detect your IaC-managed resources, we recommend setting up Tenable Cloud Security’s IaC Security feature that will scan your IaC pipeline and highlight where your resources are managed in code. Once scanned, you should see the “IaC” label applied to that resource within the console.
 


Even if you don’t have IaC-managed resources in your account, using Labels provides a great option to easily identify resources managed by a specific team that need to remain out of scope. If you have resources with consistent tag key and value pairs applied, we recommend creating automatic labels for those resources. This feature will automatically label resources regardless of whether they need to be excluded. 

You can also apply manual labels to resources that may not have consistent tagging applied. For services that do not support tags, you can use this option to identify which team manages resources like Azure Roles or Okta Groups.

Determine what will be deleted

Once you have determined what you have, you can review what resources are in scope for deletion. Within the Tenable Cloud Security console, we recommend that you filter on the account and resources in scope and export those resources to a .csv file. This step will provide a compliance list of resources regardless of whether they have a “Created” date or not. 

If you have many resources that are in scope for deletion, you can optionally perform cleanup efforts in phases. Within the console, if you find that you have many EC2 instances and Lambda functions, for example, you can export that list to review those resources within each service.

In cases where all of your resources have a “Created” date listed, we recommend using the “Created” filter to highlight those resources created before a specified date. Some of the examples below provide different filter options you can use to identify those resources you want to target for deletion.
 

Filter NameFilter ValueResultsCreatedBefore the last 6 months Lists all resources created more than 6 months agoCreatedBefore January 1st Lists all resources created before January 1stSize0 BIncludes supported resources with zero bytes or no data storedLabelsPublicIncludes publicly accessible resourcesLabels IaC Includes resources identified as managed within IaC Labels InactiveList all IAM / Identities reporting as inactiveInstance Type16xlargeLists all Amazon EC2 instances types ending with *.16xlarge


When determining whether a resource is active, be aware of a few things. Not all services support filters such as “Last Modified,” “Updated,” “Last Sign-In,” or “Last Activity” that highlight when a resource was last updated or when a user was last active.

Services like Amazon S3 do not support any information on whether the bucket is actively in use. There may be additional options available in AWS to determine that status through logs and enabling associated services. We highly recommend that you communicate this information to team members so they can check and confirm that nothing important is deleted. 

Lastly, if you determine that any retained resources need to be consolidated or reduced in size, you can implement security controls to retain data for a specific amount of time and then delete it. You can also resize or scale down the resource type to help reduce costs. 

Communicate cleanup efforts

Before you implement cleanup efforts, it’s important to communicate these changes to all team members. We recommend sharing the details listed below with those users who have access to your account. You can also use this list if you plan to perform future cleanup efforts within your account, either randomly or on a schedule.

  1. Include the account(s) in scope.
  2. Communicate why resources are being deleted.
  3. Include the date when resources will be deleted.
  4. Include the services and filter criteria in scope. Examples can include:
    • All virtual machine instances created more than 90 days ago
    • All SQL databases larger than 500GB
    • All resources with no “Created” date listed
    • All resources whose size is zero Bytes
    • All EC2 instances running *16xlarge instance types
  5. If applicable, include what’s out of scope. Examples can include:
    • Resources managed through your CI/CD pipeline with the “IaC” label attached
  6. If applicable, include important information that users should review or can request. Examples can include:
    • Ask users to review S3 buckets to confirm activity
    • Provide options for users to scale down resources
    • Explain how users can request exclusions

If team members already have access to review those resources within Tenable Cloud Security, we recommend including that information in your initial e-mail as a reminder. We’ve found that if you provide direct access to Tenable Cloud Security, teams can be more autonomous in managing resources within their account. You can also create an inventory report that can be e-mailed to team members who might not have access.

We also recommend notifying team members by e-mail at least 2-4 weeks in advance before any cleanup efforts are started. Also, send out a final reminder at least one week in advance to remind users that once resources are deleted, they cannot be restored. 
 

Conclusion

To maintain an efficient and secure cloud environment, it's important to run cleanup efforts quarterly or twice yearly, depending on the number of resources in your account. Start by determining what you plan to delete and when, and consider addressing specific cloud services in phases. Additionally, implement extra security controls and scale down resources to only what’s necessary. Be sure to include which resources or services are out-of-scope for your cleanup efforts.  

Stephanie Dunn

Cybersecurity Snapshot: WEF Offers AI Security Best Practices, as DORA Regulation Places Strict Cyber Rules on Banks

Tenable Blog
1 month 1 week ago

Check out tips for adopting AI securely from the World Economic Forum. Plus, the EU’s DORA cyber rules for banks go into effect. Meanwhile, a report warns about overprivileged cloud accounts. And get the latest on ransomware trends; CIS Benchmarks; and data privacy.

Dive into six things that are top of mind for the week ending Jan. 24.

1 - WEF: Best practices to adopt AI securely

As businesses scramble to adopt artificial intelligence to boost their competitiveness, they’re also grappling with how to deploy AI systems securely and in line with policies and regulations.

If your organization is among the many that are looking for guidance on secure AI adoption, now you have have one more resource.

The latest guidance for adopting AI securely comes from the World Economic Forum, whose new “Artificial Intelligence and Cybersecurity: Balancing Risks and Rewards” report seeks to explain how organizations can benefit from AI while reducing their cybersecurity risks.

“By prioritizing cybersecurity and mitigating risks, organizations can safeguard their investments in AI and support responsible innovation,” the 28-page report reads.

Among the report’s recommended best practices are:

  • Apply a risk-based approach to AI adoption, and create a cross-disciplinary risk-management team with members from departments including legal, human resources, cybersecurity, compliance and IT.
  • Maintain an updated inventory of AI applications.
  • Invest in essential cybersecurity controls for protecting AI systems both before and after they’re deployed, and for responding to and recovering from cyber incidents.
  • Pay attention to information governance, such as what data will be exposed to AI systems and how it will be protected.
     


The report also suggests questions for cybersecurity leaders to ask in order to frame their AI adoption strategy, including:

  • Have we established our AI risk tolerance and do all stakeholders understand it?
  • Do we have a process to govern and track AI deployments?
  • Do we weigh risks against rewards when considering new AI projects?
  • Are we clear on who must be involved in assessing and mitigating AI adoption cyber risks?

“By assessing and mitigating cyber risks, leaders can align AI adoption with organizational goals and resilience needs,” reads the companion WEF article “Securing innovation: A leader’s guide to managing cyber risks from AI adoption.

For more information about AI security, check out these Tenable blogs:

2 - DORA cyber regulation for banks and their tech providers goes into effect

Financial services companies doing business in the European Union, as well as their technology and communications vendors, now must comply with the Digital Operational Resilience Act (DORA). 

DORA establishes strict cybersecurity requirements for financial firms including banks, insurance companies and investment firms, as well as for third-parties that provide information and communications technology (ICT) products and services to financial sector organizations.

After entering into force in January 2023, the DORA regulation became applicable last week. It covers ICT security areas including:

  • Risk management, including the risk posed by third parties
  • Resilience testing of digital operations
  • Reporting of significant cybersecurity incidents
  • Sharing of information about cyberthreats and vulnerabilities


DORA will strengthen the ability of financial firms to withstand cyber‑related disruptions and threats and ensure a swift recovery if incidents do occur,” reads a statement from the European Commission. 

“The framework also includes an oversight mechanism of critical third‑party providers of ICT services to financial entities, such as cloud service providers,” the statement adds.

To find out how Tenable can help with DORA compliance, read the “Tenable Cyber Exposure Study: DORA” document.

For more information about the EU’s DORA cybersecurity regulation for the financial sector:

VIDEOS

Understanding the Digital Operational Resilience Act (Deloitte)

DORA compliance for ICT Providers - What Do You Need to Do? (IT Governance)

3 - Google: Hackers shift sights to overprivileged cloud accounts

Cloud accounts that have more privileges than they should are increasingly attracting the attention of hackers.

That’s because taking over these overprivileged service accounts makes it easier for cyber crooks to move laterally within a breached cloud environment, according to Google Cloud’s “H1 2025 Threat Horizons Report.”

Cloud Risk Alerts Detected in H2 2024

(Source: Google Cloud’s “H1 2025 Threat Horizons Report,” January 2025)

Meanwhile, weak or no credentials (45.7%) and misconfigurations (34.3%) ranked as the top two initial access vectors to cloud environments during the second half of last year.

Once in, attackers most often attempt to move laterally (62.2%). They also go looking for insecure private keys (13.7%) and attempt to manipulate access tokens (11.3%).

For more information about cloud security, check out these Tenable resources:

4 - Report: Ransomware attacks uncharacteristically jumped in December

Apparently, ransomware groups didn’t take a break during the holidays, as they normally do.

NCC Group, which has been tracking ransomware activity since 2021, said it tallied the most attacks ever during December, which is usually a quieter month for ransomware attacks.

Funksec, a new cyber extortion gang, ranked first with 18% of all attacks – followed by CL0P, Akira and RansomHub, according to NCC Group’s December 2024 Monthly Threat Pulse report.

Funksec uses double extortion—encrypting and exfiltrating victims’ files—and operates a Tor-based data leak site. There, it posts breach announcements and offers a free DDoS tool.

NCC Group calls the December data a “wake-up call.”
 


As newer, more aggressive ransomware gangs emerge, cybersecurity teams may encounter a more challenging threat landscape in 2025, with attacks occurring more frequently and broadly. A proactive cybersecurity approach is key.

“Companies need to double down on their cybersecurity measures and ensure that their teams are trained and prepared to evolve with the changing nature of ransomware threats,” Ian Usher, NCC Group Associate Director of Threat Intelligence Operations, said in a statement.

This is especially true for the industrials sector, which includes critical infrastructure organizations and was the most targeted, receiving 24% of all December attacks.

For more information about ransomware trends:

5 - Survey: Practicing “privacy by design” makes a difference

Want to boost your organization’s privacy practices? A new ISACA report recommends practicing “privacy by design,” which is the process of integrating privacy considerations into the organization’s entire engineering process.

ISACA’s “State of Privacy 2025” report found that organizations that always use a “privacy by design” approach when building new applications and services do better than organizations that use it less frequently or not at all.
 


According to the report, based on a global survey of about 1,600 cybersecurity and privacy professionals, organizations that always use “privacy by design” tend to have more support and resources, and are more likely to have:

  • A board of directors that adequately prioritizes privacy
  • An appropriately funded enterprise privacy budget
  • An appropriately staffed technical privacy team
  • A privacy strategy aligned with organizational objectives
  • Confidence in their ability to ensure data privacy and comply with privacy regulations

Other recommendations for having strong enterprise privacy programs include:

  • Have one person who is primarily responsible for privacy
  • Work closely with the legal and compliance teams to ensure privacy compliance
  • Address privacy with documented policies, processes and standards
  • Use AI to help manage and classify collected data, and to identify personal information
  • Offer privacy awareness training to employees
6 - CIS updates Benchmarks for Apple, Microsoft products

Apple macOS and Microsoft Windows Server were two CIS Benchmarks updated in December by the Center for Internet Security.

Specifically, these CIS Benchmarks were updated:

 


The CIS Benchmarks’ secure-configuration guidelines are intended to help you harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks January 2025 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

Juan Perez

CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited

Tenable Blog
1 month 1 week ago

A zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 1000 was reportedly exploited in the wild according to researchers.

Update January 23: The Analysis and Identifying affected systems sections have been updated to include confirmation of exploitation from SonicWall and how to identify assets using Tenable Attack Surface Management.

View Change Log

Background

On January 22, SonicWall published a security advisory (SNWLID-2025-0002) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution.

CVEDescriptionCVSSv3CVE-2025-23006SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability9.8Analysis

CVE-2025-23006 is a deserialization of untrusted data vulnerability in the appliance management console (AMC) and central management console (CMC) of the SonicWall SMA 1000. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable device. Successful exploitation would grant the attacker arbitrary command execution on the device. The advisory specifies that “specific conditions” could allow for OS command execution, though it’s unclear from the information provided by SonicWall what those conditions might be.

Possible active exploitation in the wild

According to SonicWall’s Product Security Incident Response Team (PSIRT), there are reports of “possible active exploitation” of this flaw “by threat actors.” While specific details are not known at this time, the vulnerability was reported to SonicWall by researchers at Microsoft Threat Intelligence Center (MSTIC).

In a knowledge base article, SonicWall explicitly said that CVE-2025-23006 "has been confirmed as being actively exploited in the wild" and that the vulnerability should "be treated with the utmost severity."

Historical exploitation of SonicWall SMA vulnerabilities

SonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups, as well as being featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and International Agencies. The following are a list of known SMA vulnerabilities that have been exploited in the wild:

CVEDescriptionTenable Blog LinksYearCVE-2019-7481SonicWall SMA100 SQL Injection Vulnerability12019CVE-2019-7483SonicWall SMA100 Directory Traversal Vulnerability-2019CVE-2021-20016SonicWall SSLVPN SMA100 SQL Injection Vulnerability1, 2, 3, 4, 52021CVE-2021-20038SonicWall SMA100 Stack-based Buffer Overflow Vulnerability1, 2, 32021Proof of concept

At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-23006. If and when a public PoC exploit becomes available for CVE-2025-23006, we anticipate a variety of attackers will attempt to leverage this flaw as part of their attacks.

Solution

SonicWall has released version 12.4.3-02854 to address this vulnerability, which impacts version 12.4.3-02804 and earlier. According to SonicWall, SMA 100 series and SonicWall Firewall devices are not impacted.

The advisory also provides a workaround to reduce potential impact. This involves restricting access to the AMC and CMC to trusted sources. The advisory also notes to review the best practices guide on securing SonicWall appliances.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-23006 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Tenable Attack Surface Management customers are able to identify these assets using a filtered search for SMA devices:

 

Get more informationChange Log

Update January 23: The Analysis and Identifying affected systems sections have been updated to include confirmation of exploitation from SonicWall and how to identify assets using Tenable Attack Surface Management.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza, Satnam Narang

Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor

Tenable Blog
1 month 1 week ago

Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.

Background

Throughout 2024, attacks from sophisticated advanced persistent threat (APT) actors associated with the People’s Republic of China (PRC) were a major focus for U.S. government organizations, including the Cybersecurity and Infrastructure Security Agency (CISA). In a previous blog post, we examined Volt Typhoon, a PRC state-sponsored actor known to target critical infrastructure. However in September, the Wall Street Journal reported on another PRC actor, Salt Typhoon, citing anonymous sources who said that the group had breached multiple U.S. telecommunications providers. While several outlets reported on speculation of the report, in early October, CISA and the Federal Bureau of Investigation (FBI) offered official confirmation of the attacks when they released a joint statement that “the U.S. Government is investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” By December, a White House press call confirmed that at least eight U.S. telecommunications providers had been breached, with that figure increasing to at least nine telecommunications companies by December 27. As new details emerge on Salt Typhoon and its targets, this Tenable Research blog examines the tactics, techniques and procedures (TTPs) employed, including the exploitation of known vulnerabilities associated with this threat actor.

Analysis

Salt Typhoon is a sophisticated threat group whose targets include the telecommunications, government and technology sectors. The group is tracked under several monikers, including FamousSparrow, GhostEmperor, Earth Estries and UNC2286. This APT has most recently been in the news for breaching multiple U.S. telecommunications providers; however it’s believed that its targets in this sector span the globe. In the U.S, government officials claimed that Salt Typhoon’s targets include government officials primarily involved in “political activity,” sparking CISA and joint partners to release guidance on visibility and security hardening of communications infrastructure as well prompting the White House to issue the Executive Order titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” Based on various reports on Salt Typhoon, its primary objective appears to be espionage.

In mid-December, CISA released the document “Mobile Communications Best Practice Guidance,” with an emphasis on using end-to-end encryption for secure communications. While it’s unclear what information may have been accessed by Salt Typhoon, CISA and other government agencies, including the Federal Communications Commission (FCC) have been actively helping and providing security guidance to the impacted organizations, as communications infrastructure is a matter of national security.

Known CVEs commonly exploited by Salt Typhoon

Salt Typhoon typically gains initial access to its victim networks by targeting external-facing assets using known vulnerabilities. While not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Salt Typhoon.

CVEDescriptionCVSSv3 ScoreVPRCVE-2021-26855Microsoft Exchange Server Server-Side Request Forgery Vulnerability (ProxyLogon)9.89.8CVE-2022-3236Sophos Firewall Code Injection Vulnerability9.87.4CVE-2023-48788FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability9.89.4CVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability9.19.8CVE-2023-46805Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability8.26.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on January 23 and reflects VPR at that time.

Several of these vulnerabilities have been routinely exploited by APT and ransomware groups alike, including CVE-2021-26855, also known as ProxyLogon, and related Microsoft Exchange vulnerabilities including CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Ivanti Connect Secure/Policy Secure and Fortinet FortiClientEMS have each been the subject of Tenable Research blog posts and CVE-2022-3236, the SQL injection flaw in Sophos Firewall, was featured in our “2022 Threat Landscape Report.”

Of these five CVEs, four of them were exploited in the wild as zero-day vulnerabilities. While it’s unknown if Salt Typhoon exploited any of these flaws as zero-days, the level of sophistication from the group does suggest it has the technical ability to develop and exploit zero-day flaws in its attacks.

Despite these CVEs having had patches available, an analysis of anonymized Tenable scan data reveals that of nearly 30,000 instances impacted by ProxyLogon, a staggering 91% remain unpatched. In a stark contrast, an analysis of over 20,000 devices impacted by both Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887), our data found that these devices were fully remediated in over 92% of cases.

As part of CISA’s guidance for enhanced visibility and hardening, the agency mentioned Cisco network equipment. While CISA didn’t mention specific Cisco device models or vulnerabilities, its guidance does note that PRC-affiliated actors have targeted Cisco-specific devices and as such, care should be taken to ensure organizations in the communications sector and beyond are properly securing and hardening their Cisco network devices. CISA’s recommendations include disabling Cisco’s Smart Install service, which is often abused by attackers and should be properly configured or disabled to prevent abuse.

Post-Compromise Activity

Salt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a significant time period. It maintains persistence by utilizing custom malware including GhostSpider, SnappyBee and the Masol remote access trojan (RAT).

It’s been reported that the group has been active for several years and may have breached and maintained access at telecommunications providers for months before being detected. In a recent blog by outgoing CISA Director Jen Easterly, she revealed that “CISA threat hunters previously detected the same actors in U.S. government networks.”

The “eyes” of the various “Typhoons”

Each suspected state-sponsored PRC actor includes the family name of “Typhoon.” In recent months, CISA and security vendors have issued several warnings regarding the various “Typhoon” groups, including Volt Typhoon, Flax Typhoon, and Salt Typhoon. Volt Typhoon’s focus is persistence and stealth, targeting critical infrastructure while Flax Typhoon’s focus is on attack infrastructure, building botnets from compromised Internet of Things (IoT) devices.

While each group’s targets and activities are unique, the “eye” of each of these typhoons is they target unpatched and often well-known vulnerabilities for initial access, targeting public-facing servers. Despite the persistence of these threat actors, it's vital that organizations routinely patch public-facing devices and quickly mitigate known and exploited vulnerabilities. This is underscored in commentary from the Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel:

In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.

Identifying affected systems

Tenable offers several solutions to help identify potential exposures and attack paths as well as to identify systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend using the Tenable One Exposure Management Platform. Tenable One extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Tenable Plugin Coverage

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-26855, CVE-2022-3236, CVE-2023-48788, CVE-2024-21887 and CVE-2023-46805. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to these CVEs, we also recommend scanning with plugin ID 105161 to identify if Cisco Smart Install is enabled on any Cisco devices in your network.

Tenable Attack Path Analysis techniques

The following are a list of attack paths associated with Salt Typhoon and the associated Tenable Attack Path Analysis techniques:

MITRE ATT&CK IDDescriptionTenable Attack Path techniquesT1003.003OS Credential Dumping: NTDST1003.003_WindowsT1021Remote ServicesT1021.002_WindowsT1047Windows Management InstrumentationT1047_WindowsT1053.005Create or Modify System Process: Windows ServiceT1053.005_WindowsT1059.001Command and Scripting Interpreter: PowerShellT1059.001_WindowsT1059.003Command and Scripting Interpreter: Windows Command ShellT1059.003_WindowsT1068Exploitation for Privilege EscalationT1068_WindowsT1078Valid Accounts

T1078.001_ICS

T1078.003_Windows

T1078.004_Azure

T1078.002Valid Accounts: Domain AccountsT1078.002_WindowsT1082System Information DiscoveryT1082T1087Account Discovery

T1087.004_Azure

T1087.004_AWS

T1134Access Token ManipulationT1134.005_WindowsT1190Exploit Public-Facing Application

T1190_Aws

T1190_WAS

T1203Exploitation for Client ExecutionT1203_WindowsT1482Domain Trust DiscoveryT1482_WindowsT1547Boot or Logon Autostart Execution

T1547.002_Windows

T1547.005_Windows

T1574Hijack execution flow

T1574.007_Windows

T1574.009_Windows

T1574.010_Windows

T1574.011_Windows

Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

The following are a list of Indicators of Exposure and Indicators of Attack for Tenable Identity Exposure:

MITRE ATT&CK IDDescriptionIndicatorsT1003.003OS Credential Dumping: NTDSI-NtdsExtractionT1021Remote Services

C-LAPS-UNSECURE-CONFIG

C-AAD-PRIV-SYNC

C-USERS-REVER-PWDS

T1036MasqueradingC-CONFLICTED-OBJECTST1055.001Process Injection: Dynamic-link Library InjectionI-DnsAdminsT1068Exploitation for Privilege EscalationI-SamNameImpersonationT1078Valid Accounts

MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT

C-PASSWORD-DONT-EXPIRE

C-USER-PASSWORD

C-PRIV-ACCOUNTS-SPN

C-NATIVE-ADM-GROUP-MEMBERS

C-AAD-SSO-PASSWORD

C-MSA-COMPLIANCE

C-PASSWORD-POLICY

C-REVER-PWD-GPO

C-CLEARTEXT-PASSWORD

C-DC-ACCESS-CONSISTENCY

C-PROP-SET-SANITY

C-SLEEPING-ACCOUNTS

C-KERBEROS-CONFIG-ACCOUNT

HIGH-NUMBER-OF-ADMINISTRATORS

MISSING-MFA-FOR-PRIVILEGED-ACCOUNT

C-AUTH-SILO

C-KRBTGT-PASSWORD

C-AAD-PRIV-SYNC

C-SERVICE-ACCOUNT

C-PASSWORD-NOT-REQUIRED

C-ADMIN-RESTRICT-AUTH

C-ADMINCOUNT-ACCOUNT-PROPS

C-DANGEROUS-SENSITIVE-PRIVILEGES

C-PKI-DANG-ACCESS

C-EXCHANGE-MEMBERS

C-PASSWORD-HASHES-ANALYSIS

C-ADM-ACC-USAGE

C-DANG-PRIMGROUPID

C-DSHEURISTICS

T1134Access Token ManipulationC-ACCOUNTS-DANG-SID-HISTORYT1190Exploit Public-Facing ApplicationAPPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATIONT1203Exploitation for Client ExecutionC-OBSOLETE-SYSTEMS

Tenable Web App Scanning

MITRE ATT&CK IDDescriptionIndicatorsT1190Exploit Public-Facing ApplicationT1190_WASGet more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza

Oracle January 2025 Critical Patch Update Addresses 186 CVEs

Tenable Blog
1 month 1 week ago

Oracle addresses 186 CVEs in its first quarterly update of 2025 with 318 patches, including 30 critical updates.

Background

On January 21, Oracle released its Critical Patch Update (CPU) for January 2025, the first quarterly update of the year. This CPU contains fixes for 186 CVEs in 318 security updates across 27 Oracle product families. Out of the 318 security updates published this quarter, 9.4% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 56.6%, followed by high severity patches at 32.4%.

This quarter’s update includes 30 critical patches across 18 CVEs.

SeverityIssues PatchedCVEsCritical3018High10355Medium180109Low54Total318186Analysis

This quarter, the Oracle REST Data Services product family contained the highest number of patches at 85, accounting for 26.7% of the total patches, followed by Oracle Health Sciences Applications at 39 patches, which accounted for 12.3% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle REST Data Services8559Oracle Health Sciences Applications394Oracle Communications Applications3124Oracle Graph Server and Client2815Oracle Construction and Engineering2621Oracle Analytics2314Oracle Communications2218Oracle Hospitality Applications166Oracle Java SE63Oracle MySQL64Oracle Database Server52Oracle Secure Backup41Oracle TimesTen In-Memory Database41Oracle Commerce33Oracle Big Data Spatial and Graph20Oracle E-Business Suite21Oracle Financial Services Applications20Oracle Fusion Middleware21Oracle Hyperion22Oracle Insurance Applications21Oracle PeopleSoft20Oracle Application Express10Oracle Blockchain Platform11Oracle Essbase11Oracle GoldenGate11Oracle Enterprise Manager11Oracle JD Edwards10Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2025 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza
Checked
1 hour 26 minutes ago
URL
https://www.tenable.com/
Tenable Blog feed

Managed ad