China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.
An image of an iPhone device farm shared on Telegram by one of the Smishing Triad members. Image: Prodaft.
If you own a mobile device, the chances are excellent that at some point in the past two years you’ve received at least one instant message that warns of a delinquent toll road fee, or a wayward package from the U.S. Postal Service (USPS). Those who click the promoted link are brought to a website that spoofs the USPS or a local toll road operator and asks for payment card information.
The site will then complain that the visitor’s bank needs to “verify” the transaction by sending a one-time code via SMS. In reality, the bank is sending that code to the mobile number on file for their customer because the fraudsters have just attempted to enroll that victim’s card details into a mobile wallet.
If the visitor supplies that one-time code, their payment card is then added to a new mobile wallet on an Apple or Google device that is physically controlled by the phishers. The phishing gangs typically load multiple stolen cards to digital wallets on a single Apple or Android device, and then sell those phones in bulk to scammers who use them for fraudulent e-commerce and tap-to-pay transactions.
A screenshot of the administrative panel for a smishing kit. On the left is the (test) data entered at the phishing site. On the right we can see the phishing kit has superimposed the supplied card number onto an image of a payment card. When the phishing kit scans that created card image into Apple or Google Pay, it triggers the victim’s bank to send a one-time code. Image: Ford Merrill.
The moniker “Smishing Triad” comes from Resecurity, which was among the first to report in August 2023 on the emergence of three distinct mobile phishing groups based in China that appeared to share some infrastructure and innovative phishing techniques. But it is a bit of a misnomer because the phishing lures blasted out by these groups are not SMS or text messages in the conventional sense.
Rather, they are sent via iMessage to Apple device users, and via RCS on Google Android devices. Thus, the missives bypass the mobile phone networks entirely and enjoy a near-100 percent delivery rate (at least until Apple and Google suspend the spammy accounts).
In a report published on March 24, the Swiss threat intelligence firm Prodaft detailed the rapid pace of innovation coming from the Smishing Triad, which it characterizes as a loosely federated group of Chinese phishing-as-a-service operators with names like Darcula, Lighthouse, and the Xinxin Group.
Prodaft said they’re seeing a significant shift in the underground economy, particularly among Chinese-speaking threat actors who have historically operated in the shadows compared to their Russian-speaking counterparts.
“Chinese-speaking actors are introducing innovative and cost-effective systems, enabling them to target larger user bases with sophisticated services,” Prodaft wrote. “Their approach marks a new era in underground business practices, emphasizing scalability and efficiency in cybercriminal operations.”
A new report from researchers at the security firm SilentPush finds the Smishing Triad members have expanded into selling mobile phishing kits targeting customers of global financial institutions like CitiGroup, MasterCard, PayPal, Stripe, and Visa, as well as banks in Canada, Latin America, Australia and the broader Asia-Pacific region.
Phishing lures from the Smishing Triad spoofing PayPal. Image: SilentPush.
SilentPush found the Smishing Triad now spoofs recognizable brands in a variety of industry verticals across at least 121 countries and a vast number of industries, including the postal, logistics, telecommunications, transportation, finance, retail and public sectors.
According to SilentPush, the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period and a majority of them sitting at two Chinese hosting companies: Tencent (AS132203) and Alibaba (AS45102).
“With nearly two-thirds of all countries in the world targeted by [the] Smishing Triad, it’s safe to say they are essentially targeting every country with modern infrastructure outside of Iran, North Korea, and Russia,” SilentPush wrote. “Our team has observed some potential targeting in Russia (such as domains that mentioned their country codes), but nothing definitive enough to indicate Russia is a persistent target. Interestingly, even though these are Chinese threat actors, we have seen instances of targeting aimed at Macau and Hong Kong, both special administrative regions of China.”
SilentPush’s Zach Edwards said his team found a vulnerability that exposed data from one of the Smishing Triad’s phishing pages, which revealed the number of visits each site received each day across thousands of phishing domains that were active at the time. Based on that data, SilentPush estimates those phishing pages received well more than a million visits within a 20-day time span.
The report notes the Smishing Triad boasts it has “300+ front desk staff worldwide” involved in one of their more popular phishing kits — Lighthouse — staff that is mainly used to support various aspects of the group’s fraud and cash-out schemes.
The Smishing Triad members maintain their own Chinese-language sales channels on Telegram, which frequently offer videos and photos of their staff hard at work. Some of those images include massive walls of phones used to send phishing messages, with human operators seated directly in front of them ready to receive any time-sensitive one-time codes.
As noted in February’s story How Phished Data Turns Into Apple and Google Wallets, one of those cash-out schemes involves an Android app called Z-NFC, which can relay a valid NFC transaction from one of these compromised digital wallets to anywhere in the world. For a $500 monthly subscription, the customer can wave their phone at any payment terminal that accepts Apple or Google Pay, and the app will relay an NFC transaction over the Internet from a stolen wallet on a phone in China.
Chinese nationals were recently busted trying to use these NFC apps to buy high-end electronics in Singapore. And in the United States, authorities in California and Tennessee arrested Chinese nationals accused of using NFC apps to fraudulently purchase gift cards from retailers.
The Prodaft researchers said they were able to find a previously undocumented backend management panel for Lucid, a smishing-as-a-service operation tied to the XinXin Group. The panel included victim figures that suggest the smishing campaigns maintain an average success rate of approximately five percent, with some domains receiving over 500 visits per week.
“In one observed instance, a single phishing website captured 30 credit card records from 550 victim interactions over a 7-day period,” Prodaft wrote.
Prodaft’s report details how the Smishing Triad has achieved such success in sending their spam messages. For example, one phishing vendor appears to send out messages using dozens of Android device emulators running in parallel on a single machine.
Phishers using multiple virtualized Android devices to orchestrate and distribute RCS-based scam campaigns. Image: Prodaft.
According to Prodaft, the threat actors first acquire phone numbers through various means including data breaches, open-source intelligence, or purchased lists from underground markets. They then exploit technical gaps in sender ID validation within both messaging platforms.
“For iMessage, this involves creating temporary Apple IDs with impersonated display names, while RCS exploitation leverages carrier implementation inconsistencies in sender verification,” Prodaft wrote. “Message delivery occurs through automated platforms using VoIP numbers or compromised credentials, often deployed in precisely timed multi-wave campaigns to maximize effectiveness.”
In addition, the phishing links embedded in these messages use time-limited single-use URLs that expire or redirect based on device fingerprinting to evade security analysis, they found.
“The economics strongly favor the attackers, as neither RCS nor iMessage messages incur per-message costs like traditional SMS, enabling high-volume campaigns at minimal operational expense,” Prodaft continued. “The overlap in templates, target pools, and tactics among these platforms underscores a unified threat landscape, with Chinese-speaking actors driving innovation in the underground economy. Their ability to scale operations globally and evasion techniques pose significant challenges to cybersecurity defenses.”
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said he’s observed at least one video of a Windows binary that wraps a Chrome executable and can be used to load in target phone numbers and blast messages via RCS, iMessage, Amazon, Instagram, Facebook, and WhatsApp.
“The evidence we’ve observed suggests the ability for a single device to send approximately 100 messages per second,” Merrill said. “We also believe that there is capability to source country specific SIM cards in volume that allow them to register different online accounts that require validation with specific country codes, and even make those SIM cards available to the physical devices long-term so that services that rely on checks of the validity of the phone number or SIM card presence on a mobile network are thwarted.”
Experts say this fast-growing wave of card fraud persists because far too many financial institutions still default to sending one-time codes via SMS for validating card enrollment in mobile wallets from Apple or Google. KrebsOnSecurity interviewed multiple security executives at non-U.S. financial institutions who spoke on condition of anonymity because they were not authorized to speak to the press. Those banks have since done away with SMS-based one-time codes and are now requiring customers to log in to the bank’s mobile app before they can link their card to a digital wallet.
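The article describes crews loading many stolen cards onto one phone via SMS one-time codes. The following is an added example (not code from the article or from any issuer) of a detection rule an issuer could run over its own wallet-provisioning events: it flags a single wallet device that enrolls cards for several different customers inside a short window, and records whether every enrollment relied on the SMS channel. The event format, field names and sample lines are constructed assumptions.

```python
"""
Added example: velocity check over wallet card-provisioning events.
Each event records which physical device requested a token and which
cardholder the card belongs to. A legitimate phone normally enrolls cards
for one customer; a phisher's device enrolls cards for many.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp,device_id,cardholder_id,otp_channel".
# otp_channel is how the one-time code was delivered (sms or app); the
# field names are assumptions, not any provider's real schema.
SAMPLE_EVENTS = """\
2025-03-01T10:00:05Z,dev-A1,cust-1001,sms
2025-03-01T10:03:11Z,dev-A1,cust-2002,sms
2025-03-01T10:07:40Z,dev-A1,cust-3003,sms
2025-03-01T10:09:02Z,dev-A1,cust-4004,sms
2025-03-01T11:30:00Z,dev-B7,cust-5005,app
2025-03-01T11:45:00Z,dev-B7,cust-5005,app
2025-03-02T09:00:00Z,dev-C3,cust-6006,sms
"""


def parse_events(text):
    """Parse the CSV lines above into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        ts, device, holder, channel = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device,
            "holder": holder,
            "channel": channel,
        })
    return events


def flag_devices(events, max_holders=2, window=timedelta(hours=1)):
    """Return {device_id: {"holders": set, "all_sms": bool}} for devices that
    enrolled cards of more than `max_holders` distinct cardholders within any
    sliding `window`. all_sms is True when every enrollment in that window
    used an SMS one-time code, the channel the article calls out as weak."""
    by_device = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_device[event["device"]].append(event)

    flagged = {}
    for device, evs in by_device.items():
        # Slide the window start over each event for this device.
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            holders = {x["holder"] for x in in_window}
            if len(holders) > max_holders:
                flagged[device] = {
                    "holders": holders,
                    "all_sms": all(x["channel"] == "sms" for x in in_window),
                }
                break  # one hit per device is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for device, info in flag_devices(parse_events(SAMPLE_EVENTS)).items():
        print(device, sorted(info["holders"]), "all via SMS:", info["all_sms"])
```

Thresholds are illustrative; a real deployment would tune `max_holders` and `window` against its own baseline of legitimate family or corporate devices.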
Cybersecurity teams are always on alert for the next attack, but the most dangerous threats are often the ones no one sees coming.
Silent breaches — often unnoticed vulnerabilities within third-party networks — are becoming one of the most pervasive cybersecurity challenges. While the rise of interconnected IT ecosystems has fueled efficiency, it’s also created entry points for attackers that often go undetected until it’s too late.
As organizations rely more on third-party suppliers, cloud services, and digital infrastructure, they are increasingly vulnerable to risks beyond their direct control. In Black Kite’s 2025 Third-Party Breach Report, we took a closer look into the most significant breaches of 2024 to shed light on the silent breach phenomenon, including why it’s so hard to detect these threats and how you can mitigate them in the year ahead.
The Anatomy of a Silent Breach
Silent breaches are particularly dangerous because they don’t just impact one company — they cascade through entire industries and supply chains, amplifying the damage. Several high-profile incidents from 2024 illustrate just how far-reaching these threats can be:
Blue Yonder ransomware attack:
Vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions were exploited by the Clop ransomware group, which targeted companies running unpatched versions of these MFT products. This incident halted production and delayed shipments for hundreds of businesses across multiple industries.
CrowdStrike outage:
While not a cyberattack or data breach, this service outage exposed the vulnerabilities of interconnected IT systems. Many organizations didn’t realize how reliant they were on CrowdStrike until the damage was done. The blackout affected 8.5 million devices and caused over $5 billion in losses across industries.
These incidents highlight the systemic nature of silent breaches, where vulnerabilities in one organization can quickly lead to widespread disruptions. But what makes these breaches so hard to detect and contain? The answer lies in the complexity of modern supply chains and IT ecosystems.
Why Silent Breaches Are So Hard To Predict and Detect
A perfect storm of fragmented ownership, hidden dependencies, and supply chain blind spots has made silent breaches easy to miss — and even harder to stop.
Organizations often struggle with governance when it comes to third-party risk, with responsibility often split between security, procurement, and supply chain teams. The lack of clear ownership means risks frequently slip through the cracks, allowing vulnerabilities to remain unchecked.
Many organizations also underestimate the impact of concentration and cascading risk in their third-party ecosystems. Over-reliance on a single vendor creates a single point of failure that can decimate operations if that vendor is compromised. A breach in one organization can also ripple silently through multiple layers of third, fourth, or even fifth parties before anyone realizes the exposure.
Visibility into third-party cyber risk is another major issue. Most organizations have a rough estimate of how many partners they work with, but the actual number is almost always higher. Without complete visibility into how each vendor manages risk, companies are left guessing about their exposure. When a breach occurs, they don’t know who to contact or how to mitigate the damage, leading to significant operational and financial consequences.
The Costs of a Silent Breach
Most organizations aren’t prepared for silent breaches, catching them flat-footed when one occurs. That leads to a range of serious consequences, including:
Operational fallouts:
A single breach can trigger a chain reaction, causing supply chain delays, service outages, and production stoppages across multiple organizations — and even entire industries.
Financial losses:
These can include direct costs like ransoms and fines, as well as indirect costs like lost productivity and customer churn. Organizations also need to consider the magnification effect, which creates additional delays as each supplier takes time to spin back up. As a result of these delays, organizations may find themselves in breach of their SLAs with customers.
Reputational damage:
Cyberattacks and breaches can cost you customer trust. Even if a breach originated from one of your vendors, the customer’s focus is on your organization. This can lead to a long-term impact on partnerships, customer loyalty, and brand equity.
Regulations like GDPR, HIPAA, and the Digital Operational Resilience Act (DORA) are attempting to close the gaps that enable silent breaches by enforcing stricter risk management standards. DORA, in particular — which recently came into effect in the EU — explicitly recognizes third-party risk and places increased focus on critical service providers, expanding reporting obligations and resilience testing requirements to these providers.
Proactive Strategies To Stop Silent Breaches
Silent breaches aren’t going away, and compliance alone won’t protect organizations from third-party risks. Organizations must take proactive steps to strengthen resilience across their entire third-party ecosystem. Here’s how cybersecurity leaders can take action in 2025:
Establish clear governance
Strengthen vendor relationships
Adopt continuous monitoring
Prioritize prevention
Engage in collaborative initiatives
Let’s look at each strategy in greater detail.
1 – Establish clear governance
Before organizations can tackle third-party risk, they must first establish a structured governance framework. This framework should identify who assesses vendor risks, how security expectations are enforced, and what escalation procedures exist when risks emerge.
This step also requires bringing all key stakeholders to the table to ensure a shared understanding of third-party dependencies. Security leaders must frame risk in business terms, making it clear how a vendor’s cybersecurity weaknesses could disrupt operations. Black Kite’s FocusTags™ and Cyber Risk Quantification provide CISOs with the data they need to drive these conversations, helping quantify vendor risk and prioritize mitigation efforts based on real business impact.
2 – Strengthen vendor relationships
Rather than seeing vendors as adversaries, organizations need to focus on creating strong, collaborative relationships. Organizations must move beyond static security questionnaires and engage in ongoing conversations about risk.
Cybersecurity expectations should be explicitly written into vendor contracts. Instead of generic security demands, organizations should provide vendors with precise data on vulnerabilities and step-by-step remediation guidance. Tools like Black Kite Bridge™ help streamline this process by eliminating communication gaps and enabling organizations to easily share actionable intelligence with vendors.
3 – Adopt continuous monitoring
Continuous monitoring provides the real-time intelligence needed to track vendor security posture and respond before threats escalate. Instead of starting from scratch when a new zero-day vulnerability is announced, you can instantly pinpoint which third parties are exposed and act accordingly.
Black Kite’s FocusTags™ help organizations continuously assess risks, while the Supply Chain Module maps dependencies and monitors vendor ecosystems for potential disruptions and single points of failure.
4 – Prioritize prevention
Stopping silent breaches requires a shift from reactive responses to proactive vulnerability management. Black Kite’s Ransomware Susceptibility Index® (RSI™) is a powerful tool to uncover the likelihood of an attack across third-party vendors, helping develop effective remediation steps ahead of time.
Updating your approach to compliance gap analysis can also reduce the administrative load on both sides. Traditional security assessments overwhelm vendors with long, generic questionnaires that often fail to capture real risks. Black Kite’s AI-powered compliance gap analysis replaces these questionnaires, analyzing vendor security frameworks to pinpoint compliance gaps. Instead of answering hundreds of irrelevant questions, vendors receive a tailored set of questions, ensuring they focus on the most pressing security improvements.
5 – Engage in collaborative initiatives
Real resilience comes from collaboration — both internal and external. Compliance mandates like DORA and the NIST Cybersecurity Framework provide a solid starting point, but security leaders must go beyond regulatory checkboxes.
Strengthening internal alignment is the first step, ensuring security, risk, and procurement teams work together. From there, expanding collaboration externally is critical to staying ahead of evolving threats. Industry-specific groups like ISACs (Information Sharing and Analysis Centers) foster intelligence-sharing and collective defense, while cross-industry collaboration initiatives like ISSA and CISOs Connect™ help security leaders anticipate emerging risks.
Vendors must also be part of this equation. Encouraging them to participate in collaborative initiatives and using tools like Black Kite Bridge™ can help engage vendors in the threat intelligence process, strengthening security partnerships.
Creating a Roadmap To Beat Silent Breaches
Silent breaches might have dominated 2024’s cyber threat landscape, but they don’t have to define the future. The hard lessons from these attacks offer a blueprint for resilience. By taking a proactive approach — strengthening governance, improving vendor collaboration, and continuously monitoring for hidden risks — organizations can turn the tide against silent breaches in 2025.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
Welcome to the January 2025 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.
The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents in January 2025, marking a sharp increase compared to January 2024, which saw approximately 300 cases. This significant rise indicates that ransomware activity is escalating at an alarming pace. Among these incidents, 274 were recorded in the United States, 32 in Canada, 23 in the United Kingdom, and 18 in France.
Manufacturing was the most targeted sector, followed by technical services. December closed with 535 cases. Ransomware groups have historically shown a tendency to slow down at the beginning of the year, but this year is proving to be an exception.
Top Threat Actors in January 2025
The Clop ransomware group took the lead in January 2025 by a significant margin with 115 publicly disclosed victims. As usual, RansomHub remained among the top-ranking groups with 42 victims. One of the most notable groups this month was Lynx, which saw a major surge with 42 victims in January. They were followed by the Akira group, which recorded 38 victims.
Clop Is No Joke, But It’s Not What It Used to Be
Nearly all of the 115 Clop attacks were linked to the CLEO vulnerability, continuing the momentum from Clop’s December disclosures. Initially, only 50 victims were expected, but as the group continues to release names in alphabetical order, the final number could reach 500.
Among these 115 victims, the United States was the most affected, with 79 cases, followed by Canada with 12 and the Netherlands with 4.
In terms of industry impact among these attacks, the manufacturing sector suffered the highest number of attacks, with 34 victims. It was followed by the transportation sector with 18 victims, the information technology sector with 17, and the technical services sector with 14.
Two years ago, during the MOVEit disclosures, Clop was at the center of global media attention. Now, despite its high ransomware activity, the group seems to be struggling to capture the same level of interest. They kept postponing victim disclosures, which was unusual for them, and then started sharing victims in a different way to seek attention. Whether this signals Clop’s waning influence or a shift in public perception remains to be seen, but one thing is certain: the group appears increasingly frustrated by the lack of attention.
Screenshot from the site where Clop now publishes stolen data.
FunkSec: From Ransomware to Full-Fledged Cybercrime Group
FunkSec continued its aggressive expansion in January, making headlines with its unconventional tactics:
Launched FunkBID, a data leak auction platform.
Announced a partnership with Fsociety for joint ransomware operations.
Gave media interviews, shedding light on their internal workings.
Released FunkSec V1.2, their own Ransomware-as-a-Service (RaaS) for $100.
Threatened a cybersecurity researcher who had written about them.
Established their own forum to further expand their operations.
Screenshot of the site where FunkSec announced FunkSec V1.2.
Key takeaways from their recent interview:
They claim to be entirely self-taught with no external affiliations.
AI plays a role in their operations, but they state it accounts for only 20%.
They have developed their own GPT model for internal use.
Their primary goal is financial gain, but they explicitly state hostility toward Israel and the U.S.
The group consists of four members.
While hacking remains their focus, they employ specialized ransomware developers.
They use tools like Shodan Premium and Burp Pro, alongside advanced custom brute force tools.
Rust is their programming language of choice.
FunkSec’s erratic yet calculated moves make them one of the most unpredictable actors in the ransomware ecosystem. Their expansion beyond traditional ransomware operations suggests a broader ambition that could redefine the threat landscape.
Is Babuk Back? Or Just an Imposter?
A new leak site emerged in January claiming to be affiliated with Babuk, publishing 60 alleged victims. While this sparked speculation that the notorious ransomware group had returned, our analysis revealed that most of the disclosed victims had already been published by FunkSec, RansomHub, and LockBit.
Shortly after the site gained traction, access was restricted, leaving its authenticity in question. Whether this marks the actual return of Babuk or merely an opportunistic attempt to capitalize on the name remains unclear.
Screenshot of the new Babuk Ransomware Leaks Site.
New Groups Keep Emerging, but Originality Is Fading
Ransomware groups continue to surface at an increasing rate, and the rise of Ransomware-as-a-Service (RaaS) is undoubtedly fueling this trend. However, despite this growth, these groups seem to do little more than mimic each other. Many simply replicate existing leak sites, making it increasingly difficult to track them as they blur into one another.
In previous years, such copycat behavior was less common, but now it’s becoming the norm. This shift strongly suggests that experienced cybercriminals are being replaced by younger, less-skilled actors. As a result, while the number of ransomware groups grows, innovation within the ecosystem seems to be stagnating.
A new group appears to imitate the RansomHub group.
Attacks Are Increasing, but Ransom Payments Are Decreasing
While ransomware attacks surged in 2024, total ransom payments dropped by 35%, amounting to $813.55 million. Companies are increasingly adopting robust cybersecurity measures, improving backup strategies, and benefiting from law enforcement crackdowns on cybercriminals.
Notably, the international operation “Operation Cronos” disrupted LockBit’s infrastructure, demonstrating the growing impact of coordinated cybercrime enforcement. However, despite these advancements, ransomware groups are evolving their tactics, becoming more aggressive in their extortion methods.
In response, the UK government is considering stricter regulations, including:
Banning public institutions and critical infrastructure providers from making ransom payments.
Mandating all victims to report ransomware incidents to authorities.
Authorities believe these measures will curb ransomware groups’ financial streams and act as a deterrent. If enacted, these regulations could reshape how organizations respond to ransomware threats.
Key Takeaways
January 2025 set a record-breaking pace for ransomware incidents.
Clop led the charge but may be struggling to maintain its past level of influence.
FunkSec is rapidly expanding its operations beyond ransomware, building a cybercrime ecosystem.
The alleged return of Babuk remains uncertain, raising questions about its legitimacy.
While ransom payments are declining, attack volume is increasing, prompting tighter regulations.
For cybersecurity teams, 2025 is already shaping up to be one of the most challenging years yet. Black Kite’s Ransomware Susceptibility Index® (RSI™) offers a proactive approach by assessing the likelihood of a ransomware attack throughout the third-party ecosystem. By leveraging RSI, risk managers can identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard their organizations against the escalating threat.
In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.
Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.
Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.
Filtered view of companies with PAN-OS – Feb2025 FocusTag™ on the Black Kite platform.
CVE-2025-0108, CVE-2025-0110: Authentication Bypass & Command Injection in PAN-OS
What are the PAN-OS Authentication Bypass and Command Injection Vulnerabilities?
Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:
CVE-2025-0108 (Authentication Bypass – CVSS: 8.8): This vulnerability affects the management web interface of PAN-OS. An unauthenticated attacker with network access can bypass authentication and invoke specific PHP scripts. While it does not allow remote code execution, it compromises system integrity and confidentiality.
CVE-2025-0110 (Command Injection – CVSS: 8.6): Found in the OpenConfig plugin, this vulnerability enables an authenticated administrator with gNMI request privileges to inject and execute arbitrary commands. The commands run as the _openconfig user, which has Device Administrator privileges, potentially leading to full system compromise.
Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.
Why Should TPRM Professionals Be Concerned About These Vulnerabilities?
Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.
Authentication Bypass (CVE-2025-0108): Attackers could exploit this flaw to gain unauthorized access to PAN-OS management functions, leading to potential misconfigurations, unauthorized changes, or exposure of sensitive network settings.
Command Injection (CVE-2025-0110): If the OpenConfig plugin is enabled, an attacker with administrator access could execute arbitrary system commands, escalating privileges or deploying persistent malware on PAN-OS devices.
For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.
What Questions Should TPRM Professionals Ask Vendors?
To assess vendor exposure, TPRM professionals should ask:
Have you identified any PAN-OS devices in your environment that are running vulnerable versions (before PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, 10.1.14-h9)?
Do you use the OpenConfig plugin in PAN-OS? If so, have you verified that it is updated to version 2.1.2 or later?
What access controls are in place to restrict exposure of the PAN-OS management web interface to untrusted networks?
Have you applied Palo Alto Networks’ recommended mitigations, such as disabling unused plugins and restricting management access?
Remediation Recommendations for Vendors Subject to this Risk
To mitigate the risk associated with these vulnerabilities, vendors should:
✔ Upgrade PAN-OS to patched versions:
PAN-OS 11.2 → Upgrade to 11.2.4-h4 or later
PAN-OS 11.1 → Upgrade to 11.1.6-h1 or later
PAN-OS 10.2 → Upgrade to 10.2.13-h3 or later
PAN-OS 10.1 → Upgrade to 10.1.14-h9 or later
If running PAN-OS 11.0 (EoL), upgrade to a supported version.
✔ Update OpenConfig plugin to version 2.1.2 or later (if enabled).
✔ Restrict management interface access to trusted internal IPs only.
✔ Disable the OpenConfig plugin if not in use to reduce the attack surface.
✔ Monitor system logs for unusual access or command execution activity.
✔ Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).
How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities
Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.
The FocusTag™ identifies vendors potentially affected by CVE-2025-0108 and CVE-2025-0110.
Black Kite provides asset intelligence, including IP addresses and subdomains hosting vulnerable PAN-OS instances.
The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.
Black Kite’s PAN-OS – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-22467, CVE-2024-38657, CVE-2024-10644: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure
What Are the Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure?
Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:
CVE-2025-22467 (CVSS: 9.9): A stack-based buffer overflow vulnerability in ICS versions prior to 22.7R2.6. This flaw allows a remote authenticated attacker with low privileges to execute arbitrary code, potentially leading to full system compromise.
CVE-2024-38657 (CVSS: 9.1): An external control of file name or path vulnerability affecting ICS (before 22.7R2.4) and IPS (before 22.7R1.3). A remote authenticated attacker with administrative privileges can write arbitrary files on the system, which may lead to unauthorized file manipulation or system compromise.
CVE-2024-10644 (CVSS: 9.1): A code injection vulnerability in ICS (before 22.7R2.4) and IPS (before 22.7R1.3). This allows a remote authenticated attacker with administrative privileges to execute arbitrary commands on the system, potentially resulting in complete system control.
These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.
Why Should TPRM Professionals Be Concerned About These Vulnerabilities?
Third-Party Risk Management (TPRM) professionals should be concerned for the following reasons:
Remote Code Execution Risks: Exploitation of these vulnerabilities could allow attackers to execute arbitrary code or commands, leading to unauthorized access, data breaches, and potential lateral movement within the network.
Privilege Escalation: Attackers with low-level access could exploit these flaws to escalate privileges, gaining administrative control over critical systems.
Supply Chain Impact: Vendors utilizing vulnerable versions of ICS and IPS may inadvertently expose connected organizations to security risks, emphasizing the importance of assessing third-party security postures.
What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?
To assess vendor exposure, TPRM professionals should inquire:
Which versions of Ivanti Connect Secure and Ivanti Policy Secure are currently deployed within your environment?
Have the identified vulnerabilities (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644) been remediated by updating to the latest recommended versions?
What measures are in place to monitor and detect potential exploitation attempts related to these vulnerabilities?
Is multi-factor authentication (MFA) enabled for all administrative access to these systems?
Remediation Recommendations for Vendors Subject to This Risk
To mitigate the risks associated with these vulnerabilities, vendors should:
✔ Update to Patched Versions:
For Ivanti Connect Secure, upgrade to version 22.7R2.6 or later.
For Ivanti Policy Secure, upgrade to version 22.7R1.3 or later.
✔ Restrict Administrative Privileges:
Limit administrative access to essential personnel.
Enforce the principle of least privilege to reduce risk.
✔ Implement Multi-Factor Authentication (MFA):
Ensure MFA is enabled for all administrative and remote access.
✔ Monitor System Logs:
Regularly review logs for unusual activities or signs of attempted exploitation.
✔ Apply Security Best Practices:
Follow Ivanti’s security guidelines to mitigate risks associated with authenticated users.
How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities
Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.
The FocusTag™ provides detailed information on vendors potentially affected by these vulnerabilities.
Black Kite’s asset intelligence helps identify IP addresses and subdomains hosting vulnerable instances.
This enables TPRM teams to proactively assess and address risks associated with these vulnerabilities.
Black Kite’s Ivanti Connect Secure – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-25064: Critical SQL Injection Vulnerability in Zimbra Collaboration
Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.
What is CVE-2025-25064?
CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
Why Should TPRM Professionals Be Concerned About CVE-2025-25064?
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.
What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-25064?
To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:
Have you updated all instances of Zimbra Collaboration to versions 10.0.12 or 10.1.4, where CVE-2025-25064 has been patched?
Can you confirm if you have implemented access restrictions to the ZimbraSync Service SOAP endpoint to trusted networks and users as recommended?
Have you deployed Web Application Firewalls (WAFs) to detect and block SQL injection attempts targeting Zimbra Collaboration?
Do you regularly monitor server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service?
Remediation Recommendations for Vendors
Vendors using affected Zimbra Collaboration products should:
Update Software: Upgrade to Zimbra Collaboration versions 10.0.12 or 10.1.4, where this vulnerability has been addressed.
Restrict Access: Limit access to the ZimbraSync Service SOAP endpoint to trusted networks and users to minimize potential exploitation vectors.
Implement Web Application Firewalls (WAF): Deploy WAFs to detect and block SQL injection attempts and other malicious activities targeting web applications.
Monitor Logs: Regularly review server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service.
How Can TPRM Professionals Leverage Black Kite for This Vulnerability?
Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the potentially affected devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.
Black Kite’s Zimbra – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-22604: Critical Remote Code Execution Vulnerability in Cacti
Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.
What is the Cacti Remote Code Execution Vulnerability?
CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of exploitation in the wild at the moment.
Why Should TPRM Professionals Be Concerned About This Vulnerability?
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.
What Questions Should TPRM Professionals Ask Vendors About CVE-2025-22604?
To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:
Have you identified any instances of Cacti within your infrastructure that are affected by CVE-2025-22604?
If so, have you updated all affected Cacti installations to version 1.2.29 or later to mitigate this vulnerability?
What measures have you implemented to restrict SNMP access to trusted users and networks?
Do you regularly monitor system logs and SNMP activity for unusual or unauthorized actions?
Remediation Recommendations for Vendors Subject to This Risk
Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:
Upgrade Cacti: Update all Cacti installations to version 1.2.29 or later, as this version addresses the vulnerability.
Restrict SNMP Access: Limit SNMP access to trusted users and networks to reduce potential attack vectors.
Monitor Systems: Regularly review system logs and SNMP activity for any unusual or unauthorized actions.
Review Permissions: Ensure that only necessary personnel have device management permissions within Cacti.
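The four remediation lists above all come down to the same vendor question: is the deployed version at or above the fixed version for its branch? The following inventory check, an added example that is not part of this post or of any vendor's tooling, encodes the thresholds the post gives for PAN-OS, the OpenConfig plugin, Ivanti Connect Secure and Policy Secure, Zimbra Collaboration and Cacti, and flags the end-of-life PAN-OS 11.0 branch separately. The host names and inventory are constructed, and the version parsing (numeric fields split on ".", "-h" and "R") is an assumption about those vendors' formats.

```python
"""Affected-version triage for the products covered in this Focus Friday post."""
from __future__ import annotations
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a vendor version string into a comparable tuple of integers.
    Assumes the only separators are '.', '-h' (PAN-OS hotfix) and 'R' (Ivanti release):
    '11.2.4-h4' -> (11, 2, 4, 4), '22.7R2.6' -> (22, 7, 2, 6), '1.2.29' -> (1, 2, 29).
    A base release compares lower than its own hotfixes: (11, 2, 4) < (11, 2, 4, 4)."""
    fields = tuple(int(f) for f in re.findall(r"\d+", text))
    if not fields:
        raise ValueError(f"unparseable version string: {text!r}")
    return fields


@dataclass(frozen=True)
class FixRule:
    product: str
    branch: tuple[int, ...]  # version prefix the rule applies to; () = every version
    fixed: str | None        # first fixed version; None = end-of-life branch, no fix
    cves: tuple[str, ...]


# Fixed-version thresholds as stated in the post, one rule per affected branch.
RULES = (
    FixRule("PAN-OS", (11, 2), "11.2.4-h4", ("CVE-2025-0108",)),
    FixRule("PAN-OS", (11, 1), "11.1.6-h1", ("CVE-2025-0108",)),
    FixRule("PAN-OS", (11, 0), None, ("CVE-2025-0108",)),  # EoL: upgrade the branch
    FixRule("PAN-OS", (10, 2), "10.2.13-h3", ("CVE-2025-0108",)),
    FixRule("PAN-OS", (10, 1), "10.1.14-h9", ("CVE-2025-0108",)),
    FixRule("PAN-OS OpenConfig plugin", (), "2.1.2", ("CVE-2025-0110",)),
    FixRule("Ivanti Connect Secure", (), "22.7R2.6", ("CVE-2025-22467",)),
    FixRule("Ivanti Connect Secure", (), "22.7R2.4", ("CVE-2024-38657", "CVE-2024-10644")),
    FixRule("Ivanti Policy Secure", (), "22.7R1.3", ("CVE-2024-38657", "CVE-2024-10644")),
    FixRule("Zimbra Collaboration", (10, 0), "10.0.12", ("CVE-2025-25064",)),
    FixRule("Zimbra Collaboration", (10, 1), "10.1.4", ("CVE-2025-25064",)),
    FixRule("Cacti", (), "1.2.29", ("CVE-2025-22604",)),
)


def open_cves(product: str, version: str) -> dict[str, str]:
    """Map each CVE that `version` of `product` is still exposed to onto a status:
    'vulnerable' (below the fixed version) or 'eol' (branch with no fix at all).
    An empty dict means patched, or a branch the post does not list as affected."""
    v = parse_version(version)
    findings: dict[str, str] = {}
    for rule in RULES:
        if rule.product != product or v[: len(rule.branch)] != rule.branch:
            continue
        if rule.fixed is None:
            status = "eol"
        elif v < parse_version(rule.fixed):
            status = "vulnerable"
        else:
            continue  # this rule is satisfied
        for cve in rule.cves:
            findings[cve] = status
    return findings


def assess_inventory(inventory: list[tuple[str, str, str]]) -> list[tuple]:
    """Keep only the (host, product, version) inventory entries with an open CVE,
    which is the list a TPRM reviewer takes back to the vendor."""
    return [(h, p, ver, f) for h, p, ver in inventory if (f := open_cves(p, ver))]


# Constructed sample inventory (placeholder host names, not real assets).
SAMPLE_INVENTORY = [
    ("fw-edge-01.vendor.example", "PAN-OS", "11.2.4-h3"),  # one hotfix short
    ("fw-edge-01.vendor.example", "PAN-OS OpenConfig plugin", "2.1.1"),
    ("fw-branch.vendor.example", "PAN-OS", "11.0.3"),  # end-of-life branch
    ("vpn.vendor.example", "Ivanti Connect Secure", "22.7R2.5"),  # only one CVE open
    ("mail.vendor.example", "Zimbra Collaboration", "10.0.11"),
    ("nms.vendor.example", "Cacti", "1.2.29"),  # patched, dropped from the report
]

if __name__ == "__main__":
    for host, product, version, findings in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {findings}")
```

Note that a branch the post does not name (for example Zimbra 9.x) produces no finding, which means "not covered by these thresholds", not "safe"; extend RULES from the vendor advisory before relying on that.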
How TPRM Professionals Can Leverage Black Kite for This Vulnerability
Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.
Black Kite’s Cacti – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.
Maximizing TPRM Effectiveness with Black Kite’s FocusTags™
With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:
✅ Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action.
✅ Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively.
✅ Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities.
✅ Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.
By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags™ in the Last 30 Days:
PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
In a fast-paced corporate landscape, efficiency and security are key. Managing employee accounts across various platforms can be a time-consuming task, not to mention it could open your organization up to security vulnerabilities. That’s why we’re happy to introduce our latest feature developed especially for Enterprise clients – SAML-based Single Sign-On (SSO). Keep reading to discover its full benefits!
Understanding Single Sign-On
For those new to the concept, Single Sign-On (SSO) is a centralized authentication process commonly used by larger organizations. It allows users to access multiple applications with just one set of login credentials, like a digital passport to all essential corporate tools and services.
Streamlining account management
With SSO, users can easily navigate through various platforms without the hassle of remembering multiple passwords. For larger organizations with multiple employees or contractors, this means no more juggling accounts and worrying about unauthorized access. Once an employee’s rights are revoked centrally, they lose access to all connected systems simultaneously, giving employers peace of mind.
Introducing SAML SSO
Our SAML SSO feature operates similarly to familiar login methods like Google or Apple login but is tailored for a corporate environment. The key to SAML SSO lies in the user’s email domain, which determines their identity provider (IdP) and corresponding Team in Inoreader.
Two authentication flows
We offer two primary authentication flows for SAML SSO: SP-initiated and IdP-initiated. With the SP-initiated one, users begin the login process on our website, whereas the IdP-initiated one allows them to start directly from their corporate login portal, ensuring flexibility and ease of use.
Configuring SSO
Configuring SSO for your Team is easy. Team admins can access the Single Sign-On configuration through the Team dashboard by clicking the dropdown menu under the Team’s name and selecting Manage SSO. Then, they should simply follow the prompts to complete the setup, save their settings, and start enjoying the benefits of SSO. After the initial configuration, admins can use the Inoreader Single Sign-On URL to configure their IdP-initiated flow.
Logging in with SSO
Logging in with SSO is as simple as entering your corporate email on our dedicated SSO login page. Once authenticated through your IdP, you’ll be redirected back to Inoreader, ready to dive into your Team’s content.
Important considerations
While SSO offers unparalleled convenience and security, there are a few things to keep in mind:
Only Team owners can modify the SSO configuration.
Enabling SSO deactivates Inoreader authentication for all Team members except the Team admin, who retains the option to use it for emergency access.
Once configured, new signups from your company domain will only be permitted via SSO. Team invitations are disabled, and all pending invites are deleted.
If there are Team members using a different email domain, enabling SSO will lock them out of the Team. In such instances, you can contact our support to update their emails, or they can make the changes before the admin enables SSO for the entire Team.
Users authenticated with SSO will have their browser sessions expire after 30 minutes upon closing the Inoreader tab. This measure ensures constant re-authentication in case of revoked rights.
Team admins will need to manually remove users from the Team if they are no longer part of the company. Otherwise, they will still occupy a slot in your Team plan, as Inoreader cannot distinguish between temporary or permanent access disablement.
Disabling SSO for a Team will reactivate Inoreader authentication for all members. If they have previously signed up via SSO, they will need to use the password reset function to create new passwords and log into their accounts.
A step towards enhanced efficiency
At Inoreader, we’re committed to providing solutions that empower our clients. With SSO, we’re simplifying account management and improving how Teams work together. Say goodbye to scattered user data and hello to a secure and efficient workflow with SAML Single Sign-On!
Ready to get started?
Take advantage of SSO’s power within your organization! Visit your Team dashboard to set up SSO and experience seamless account management like never before. Still not in a Team?
Note: Please be aware that the SSO login method is currently unavailable for Inoreader’s mobile apps. We’re working diligently to bring this functionality to all platforms soon.
Agents with the U.S. Customs and Border Protection (CBP) will no longer wear body cameras during field operations after a social media post publicized how to identify individual agents.
"All U.S. Border Patrol Agents will cease the use of body-worn cameras (BWC) in all operational environments," CBP said in a statement to NewsNation, which originally reported the news.
The directive comes after a post on Reddit claimed that the mobile application BLE Radar, which uses Bluetooth to scan for low-energy devices such as phones, smartwatches and speakers, can also track CBP body cameras from a distance of 100 yards and can trigger improvised explosive devices.
CBP officials sent out a directive following the post informing agents of a "potential security risk" while immediately pulling body cameras from use in the field.
"Pending completion of investigation and risk mitigation, all Agents will stand down the use of their BWCs [body worn cameras] until further notice. Additional guidance and information will be disseminated as it is received," the directive said.
Sources told NewsNation that the cameras used by CBP agents are Avon body cams, which the social media post claims can be detected by BLE Radar, an app developed by F-Droid.
The directive comes as both CBP and U.S. Immigration and Customs Enforcement (ICE) agents have ramped up enforcement efforts in the weeks since President Donald Trump took office, an effort that was a cornerstone of the president's campaign to return to the White House.
Since the beginning of February, the daily average of gotaways, or illegal immigrants who successfully enter the U.S. without being apprehended, at the southern border has fallen to just 132 per day, a 93% drop from highs seen under former President Joe Biden, a senior Department of Homeland Security source told Fox News.
Data obtained by Fox News showed that during FY 2023, 670,674 known gotaways were recorded by the agency, or more than 1,800 per day.