Byline: Ekrem Selcuk Celik, Cybersecurity Researcher at Black Kite
Welcome to the January 2025 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.
The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents in January 2025, marking a sharp increase compared to January 2024, which saw approximately 300 cases. This significant rise indicates that ransomware activity is escalating at an alarming pace. Among these incidents, 274 were recorded in the United States, 32 in Canada, 23 in the United Kingdom, and 18 in France.
Manufacturing was the most targeted sector, followed by technical services. Closing out December with 535 cases, ransomware groups have historically shown a tendency to slow down at the beginning of the year. However, this year is proving to be an exception.
The Clop ransomware group took the lead in January 2025 by a significant margin with 115 publicly disclosed victims. As usual, RansomHub remained among the top-ranking groups with 42 victims. One of the most notable groups this month was Lynx, which saw a major surge with 42 victims in January. They were followed by the Akira group, which recorded 38 victims.
Nearly all of the 115 Clop attacks were linked to the CLEO vulnerability, continuing the momentum from Clop’s December disclosures. Initially, only 50 victims were expected, but as the group continues to release names in alphabetical order, the final number could reach 500.
Among these 115 victims, the United States was the most affected, with 79 cases, followed by Canada with 12 and the Netherlands with 4.
In terms of industry impact among these attacks, the manufacturing sector suffered the highest number of attacks, with 34 victims. It was followed by the transportation sector with 18 victims, the information technology sector with 17, and the technical services sector with 14.
Two years ago, during the MoveIT disclosures, Clop was at the center of global media attention. Now, despite its high ransomware activity, the group seems to be struggling to capture the same level of interest. They kept postponing victim disclosures, which was unusual for them, and then starting sharing victims in a different way to seek attention. Whether this signals Clop’s waning influence or a shift in public perception remains to be seen, but one thing is certain: the group appears increasingly frustrated by the lack of attention.
FunkSec continued its aggressive expansion in January, making headlines with its unconventional tactics:
Key takeaways from their recent interview:
FunkSec’s erratic yet calculated moves make them one of the most unpredictable actors in the ransomware ecosystem. Their expansion beyond traditional ransomware operations suggests a broader ambition that could redefine the threat landscape.
A new leak site emerged in January claiming to be affiliated with Babuk, publishing 60 alleged victims. While this sparked speculation that the notorious ransomware group had returned, our analysis revealed that most of the disclosed victims had already been published by FunkSec, RansomHub, and LockBit.
Shortly after the site gained traction, access was restricted, leaving its authenticity in question. Whether this marks the actual return of Babuk or merely an opportunistic attempt to capitalize on the name remains unclear.
Ransomware groups continue to surface at an increasing rate, and the rise of Ransomware-as-a-Service (RaaS) is undoubtedly fueling this trend. However, despite this growth, these groups seem to do little more than mimic each other. Many simply replicate existing leak sites, making it increasingly difficult to track them as they blur into one another.
In previous years, such copycat behavior was less common, but now it’s becoming the norm. This shift strongly suggests that experienced cybercriminals are being replaced by younger, less-skilled actors. As a result, while the number of ransomware groups grows, innovation within the ecosystem seems to be stagnating.
While ransomware attacks surged in 2024, total ransom payments dropped by 35%, amounting to $813.55 million. Companies are increasingly adopting robust cybersecurity measures, improving backup strategies, and benefiting from law enforcement crackdowns on cybercriminals.
Notably, the international operation “Operation Cronos” disrupted LockBit’s infrastructure, demonstrating the growing impact of coordinated cybercrime enforcement. However, despite these advancements, ransomware groups are evolving their tactics, becoming more aggressive in their extortion methods.
In response, the UK government is considering stricter regulations, including:
Authorities believe these measures will curb ransomware groups’ financial streams and act as a deterrent. If enacted, these regulations could reshape how organizations respond to ransomware threats.
January 2025 set a record-breaking pace for ransomware incidents.
For cybersecurity teams, 2025 is already shaping up to be one of the most challenging years yet. Black Kite’s Ransomware Susceptibility Index® (RSITM) offers a proactive approach by assessing the likelihood of a ransomware attack throughout the third-party ecosystem. By leveraging RSI, risk managers can identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard their organizations against the escalating threat.
Stay tuned for more monthly Ransomware Reviews on our blog and LinkedIn Newsletter.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
The post Ransomware Review January 2025: Clop’s CLEO Exploit Fuels a Record Month appeared first on Black Kite.
Written by: Ferdi Gül
In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.
Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.
Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.
Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:
Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.
Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.
For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.
To assess vendor exposure, TPRM professionals should ask:
To mitigate the risk associated with these vulnerabilities, vendors should:
✔ Upgrade PAN-OS to patched versions:
✔ Update OpenConfig plugin to version 2.1.2 or later (if enabled).
✔ Restrict management interface access to trusted internal IPs only.
✔ Disable the OpenConfig plugin if not in use to reduce the attack surface.
✔ Monitor system logs for unusual access or command execution activity.
✔ Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).
Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.
The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.
Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:
These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.
Third-Party Risk Management (TPRM) professionals should be concerned due to the following reasons:
To assess vendor exposure, TPRM professionals should inquire:
To mitigate the risks associated with these vulnerabilities, vendors should:
✔ Update to Patched Versions:
✔ Restrict Administrative Privileges:
✔ Implement Multi-Factor Authentication (MFA):
✔ Monitor System Logs:
✔ Apply Security Best Practices:
Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.
Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.
CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.
To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:
Vendors using affected Zimbra Collaboration products should:
Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.
Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.
CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of proof of exploitation at the moment.
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.
To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:
Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:
Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.
With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:
✅ Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action.
✅ Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively.
✅ Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities.
✅ Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.
By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2025-0108
https://nvd.nist.gov/vuln/detail/CVE-2025-0110
https://security.paloaltonetworks.com/CVE-2025-0108
https://security.paloaltonetworks.com/CVE-2025-0110
https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os
https://forums.ivanti.com/s/article/KB29805?language=en_US
https://nvd.nist.gov/vuln/detail/CVE-2025-22467
https://nvd.nist.gov/vuln/detail/CVE-2024-10644
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://nvd.nist.gov/vuln/detail/CVE-2025-25064
https://nvd.nist.gov/vuln/detail/CVE-2025-22604
https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36
https://securityonline.info/cve-2025-22604-cvss-9-1-remote-code-execution-flaw-in-cacti-poc-released
The post Focus Friday: Addressing Third-Party Risks in PAN-OS, Ivanti Connect Secure, Zimbra, and Cacti Vulnerabilities appeared first on Black Kite.
Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer
Every breach tells a story. In 2024, that story was about third-party vulnerabilities becoming the preferred entry point for attackers. From ransomware attacks that threatened supply chains to credential misuse that compromised entire industries, third-party breaches surged in both scale and sophistication.
Black Kite’s 2025 Third-Party Breach Report takes a deep dive into these incidents, analyzing the most significant third-party breaches of 2024 to identify the key trends shaping the future of cybersecurity. This year’s findings highlight critical shifts in the third-party risk landscape: ransomware affiliates are becoming more aggressive, unauthorized network access remains the most exploited attack vector, and regulatory frameworks are driving improvements — but not evenly across industries.
For cybersecurity leaders looking to adapt their strategies for the year ahead, here are a few notable findings from this year’s report — and what they mean for your approach to third-party risk management.
In 2024, the Cleo File Transfer ransomware attack was a wake-up call that exposed the shortcomings of traditional third-party risk management. Attackers exploited unpatched vulnerabilities in widely used file transfer software, impacting dozens of organizations across industries. Traditional security assessments failed to catch these risks, but proactive monitoring tools could have flagged these vulnerabilities before attackers did.
For example, for too long, third-party risk management (TPRM) has relied on security questionnaires. Organizations track response rates, completion metrics, and compliance checklists — but breaches keep happening. The problem? These assessments measure vendor effort, not actual security posture, and for one point in time at that..
Meanwhile, ransomware groups aren’t wasting time with paperwork. They’re studying supply chains, buying marketing intelligence, and doing everything they can to learn more about their victims and their supply chains. Questionnaires are no defense against this kind of sophisticated, intentional approach.
Organizations need to move beyond static assessments and embrace real-time risk intelligence to detect vulnerabilities before they’re exploited. Instead of relying solely on vendors’ self-reported security measures, organizations should implement continuous monitoring tools that provide real-time visibility into third-party risks. During the Cleo File Transfer ransomware campaign, for example, Black Kite’s FocusTags™ helped organizations identify at-risk vendors and implement rapid mitigation strategies to prevent further breaches.
Ransomware operations underwent a major shift in 2024, driven by changes in the underground cybercrime economy. The February attack on Change Healthcare didn’t just impact pharmacies, doctors, and hospitals — it reshaped the entire ransomware market. A payment dispute between an affiliate and a major ransomware group led to a structural change, where affiliates gained greater control and financial incentives.
This affiliate-led model has fueled a spike in ransomware activity. Now, instead of centralized ransomware groups leading the charge, affiliates are operating with more autonomy, deploying multiple types of ransomware and significantly increasing the frequency of attacks.
Healthcare bore the brunt of these attacks in 2024, accounting for over 40% of all third-party breaches. And unlike ransomware groups that historically followed an informal “twisted code of conduct” — where healthcare organizations were considered off-limits — modern affiliates have no such boundaries. They prioritize financial gain over all else, choosing targets based on likelihood to pay. The Cencora ransomware attack, for instance, allegedly resulted in a $75 million ransom payment, exposing sensitive patient data and revealing the cascading impact of third-party breaches.
This shift in ransomware tactics means organizations can no longer rely on past attack patterns to predict future threats. With financially motivated affiliates now driving attacks, businesses must invest in tools designed to proactively monitor and manage third-party risks to ensure a rapid response to disruptive events.
Regulatory frameworks like DORA, HIPAA, and GDPR have been catalysts for critical risk management improvements, particularly in industries with strict compliance mandates. According to our findings, among vendors that experienced a breach and subsequently improved their cyber rating by at least 3 points, 72% serve the healthcare industry — an indication that regulatory enforcement is driving significant improvements in incident response and vendor risk management practices.
However, not all industries are keeping pace. Only 14% of vendors with improved scores following a breach support the financial services sector. Similarly, only 14% of vendors in the manufacturing sector showed progress in enhancing their cyber ratings.
The progress observed in sectors like healthcare, where regulations drove notable improvements, serves as a model for other industries to follow. But regulations aren’t enough on their own either. While regulatory frameworks establish baseline security standards, they must be backed by proactive risk management strategies. Organizations that implement continuous third-party risk monitoring, leverage real-time threat intelligence tools, and enforce vendor accountability through contractual security requirements are significantly better positioned to identify and mitigate emerging threats.
Unauthorized network access accounted for over 50% of publicly disclosed third-party breaches in 2024. But what does that really mean? Too often, “unauthorized access” is used as a vague, catch-all explanation when organizations lack clarity on the root cause of an attack or choose not to disclose specific details. This makes it difficult to determine whether breaches were caused by stolen credentials, misconfigurations, or unpatched vulnerabilities.
The lack of transparency in incident reporting presents a serious challenge for CISOs. Without a clear picture of how attackers infiltrated a system, security teams struggle to remediate vulnerabilities and prevent future breaches. Instead of driving meaningful improvements, these incidents often fuel blame games and reactive security postures.
Given the sheer volume of breaches attributed to unauthorized access, security leaders must push for deeper analysis and clearer reporting. Creating a culture of transparency in incident reporting can help security teams better understand the root causes of unauthorized network access breaches, enabling more effective prevention strategies.
While we can’t predict exactly what’s next, there’s a lot we can learn from last year’s third-party breaches. By analyzing the trends, cybersecurity leaders can fine-tune their strategies to stay ahead of emerging threats. What’s clear from this year’s 2025 Third-Party Breach Report is that a proactive, collaborative approach to third-party risk management is now essential.
As we move into 2025, relying on reactive measures is no longer enough. Organizations must embrace real-time risk assessments, improve vendor communication using tools like Black Kite Bridge™, and invest in actionable remediation intelligence. Cyber threats are evolving fast, and so must the tools and strategies used to combat them. By adapting to these changes in the third-party risk landscape, companies can build a stronger, more resilient security posture and better protect themselves against the next wave of cyber threats.
Dive deeper into the insights — read the full 2025 Third-Party Breach Report now.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
The post Key Takeaways from the 2025 Third-Party Breach Report appeared first on Black Kite.
In a highly interconnected, digital world, worries about cybercrime have significantly increased. Hackers now have many ways to get into your online accounts and steal personal information like bank details, driver’s licenses, Social Security Numbers, etc.
Once data is compromised, it can be sold onto black markets, leading to identity thefts, death threats, and so much more.
What could an open-source toolkit, a cannabis product supplier, an AI startup from China and a UK telecom giant have in common? Not much except they have been all been on the hitlist of cyber criminals. Information of millions of customers has been compromised, operations have been disrupted, and worst of all - healthcare service delivery was yet again impacted at the start of the year.
Get the lowdown on the biggest cyber attacks, data breaches and ransomware attacks that made headlines in January 2025.
Written by: Ekrem Çelik, Cybersecurity Researcher
Welcome to the December 2024 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.
The Black Kite Research & Intelligence Team (BRITE) tracked 535 ransomware incidents in December 2024. While it didn’t surpass the record-breaking 595 victims in November, December still proved to be a significant month. Of these incidents, an overwhelming 244 were in the United States and 27 in Canada, highlighting North America’s ongoing struggle as a primary target for ransomware attacks.
December marked a turning point in the ransomware landscape as FunkSec dethroned RansomHub to become the leading threat actor with 87 victims. What makes FunkSec’s rise particularly remarkable is that it is a relatively new group in the ecosystem. Their operations have not been limited to ransomware; the group has been actively selling admin access and super access for various companies, offering a troubling range of services to their buyers. FunkSec primarily targeted the information sector and public administration industries this month, demonstrating a calculated focus on critical and data-heavy sectors. Their rapid ascent highlights their aggressive strategies and growing influence in the ransomware ecosystem.
After dominating the leaderboard since July, RansomHub dropped to the second spot with 57 victims in December. Despite losing its leadership position, RansomHub maintained its reputation as a consistent player in the ransomware space, continuing to target high-value organizations globally.
The Akira group surged to the third position this month with 46 victims, showcasing one of its most active and aggressive months of the year. Akira’s operations this month highlighted their ability to capitalize on vulnerabilities and expand their victim pool, signaling their intent to climb higher in the ransomware hierarchy.
The Clop group added a chaotic twist to the month. Exploiting the CLEO vulnerability in December, they initially promised to release victim data “within 48 hours.” Then they postponed to December 30, only to announce they were “taking a holiday break” and would publish data after their return.
In total, Clop announced 66 victims, but BRITE believes the actual number is higher. Their erratic behavior has left many wondering if the group is losing its grip or simply playing for attention. Regardless, Clop’s actions remind us of the unpredictable nature of threat actors and the challenges of staying ahead of them.
One thing is clear: Clop, despite its chaotic actions, refuses to be forgotten and remains a noteworthy player in the ransomware ecosystem.
LockBit, once the industry leader, seems to be struggling to reclaim its former prominence. December saw the launch of LockBit 4.0, a move that many interpreted as an attempt to stay relevant. Along with this update, the group introduced a Ransomware-as-a-Service (RaaS) pricing model for just $777, making their tools accessible to smaller players in the ecosystem.
This shift has raised eyebrows across the cybersecurity world. Is it a sign of innovation or desperation? Many believe this move reflects LockBit’s declining influence after facing increased law enforcement pressure and internal challenges.
What stands out most is that LockBit’s struggles highlight a harsh reality: nothing in the ransomware world is unbreakable. Even the strongest groups can fall, showing how unpredictable and tough this space can be.
At the same time, their collapse shows how much it affects the whole ecosystem. It’s also a reminder of how hard it is to keep a group running steadily and stay on top in such a challenging environment.
The rise of Ransomware-as-a-Service (RaaS) has been one of the defining trends of December.
RaaS not only increases the number of attacks but also lowers the barrier for entry, making it easier for less experienced actors to enter the game. This trend, if it continues, could make 2025 an even more challenging year for cybersecurity professionals.
2024 was a record-breaking year for ransomware. As groups continue to grow, tactics evolve, and victims are added to the lists, we can expect more records to be set in the coming months.
At Black Kite, the BRITE team remains committed to tracking threat actors in real time, analyzing their movements, and staying aware of emerging threats. As we enter 2025, staying one step ahead has never been more critical.For weekly updates on emerging cyber threats, please follow our Focus Friday blog series and LinkedIn account.
Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.
The post Ransomware Review December 2024: FunkSec’s Meteoric Rise and the Growing Threat of RaaS appeared first on Black Kite.
Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite
The healthcare sector is under attack, and the numbers paint a stark picture of the growing ransomware crisis. Our latest infographic, drawn from the 2025 Healthcare Ransomware Report, uncovers the alarming rise in ransomware incidents targeting healthcare organizations and the reasons behind this surge.
Key insights from the infographic:
Rising from 7th place in just one year, the sector now accounts for 8% of all ransomware attacks—up from 5% in 2023. Overall, ransomware incidents in healthcare surged by 32.16% in the last year.
Ransomware groups are drawn to healthcare’s sensitive patient data and the urgency to restore disrupted services. Ransom demands in the sector can reach as high as $20 million, with both large hospitals and small practices feeling the impact.
Disruptions in the ransomware ecosystem, including the takedown of groups like LockBit and AlphV (BlackCat), and the growth in affiliates’ power, have led to the emergence of aggressive new players who don’t consider healthcare off-limits. For example, RansomHub offered affiliates a 90% payout with greater control over targets.
These attacks are not just financial concerns—they jeopardize patient care and trust. Delayed surgeries, blocked medical records, and spillover effects on supply chains are just a few of the devastating consequences.
Black Kite’s Ransomware Susceptibility Index® (RSI™) offers healthcare organizations vital insights into ransomware risks, enabling them to prioritize and address vulnerabilities before attackers strike.
This infographic provides a detailed look at how ransomware attackers are zeroing in on the healthcare sector, from the tactics they use to the far-reaching impacts of their attacks. Whether you’re part of a major hospital system or a small clinic, the stakes are too high to ignore.
For an even deeper dive, explore our report, Healthcare Under Ransomware Attack: Why Healthcare Is Now the 3rd Most Targeted Industry in the Ransomware Cybercrime Ecosystem. It offers actionable strategies to help healthcare organizations stay ahead of the ransomware epidemic.
Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.
The post Infographic: Healthcare Under Siege – The Ransomware Epidemic appeared first on Black Kite.
Written by: Ferdi Gül
In today’s interconnected digital landscape, the rapid emergence of critical vulnerabilities demands an agile and informed approach to Third-Party Risk Management (TPRM). This week’s Focus Friday blog highlights high-profile incidents involving vulnerabilities in FortiGate firewalls, QNAP NAS systems, Mongoose, and the W3 Total Cache WordPress plugin. Each of these vulnerabilities poses unique challenges, from authentication bypasses enabling unauthorized access to database manipulation and SSRF attacks.
Leveraging Black Kite’s FocusTags™, we delve into the impact of these vulnerabilities from a TPRM perspective. This article offers detailed insights into the risks, remediation strategies, and questions TPRM professionals should be asking vendors to protect their ecosystems against potential breaches.
CVE-2022-40684 is a critical authentication bypass vulnerability affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager products. This flaw allows unauthenticated attackers to perform administrative operations via specially crafted HTTP or HTTPS requests. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 97.26%, reflecting the significant likelihood of exploitation. First identified in October 2022, this vulnerability has been actively exploited in the wild, with reports of threat actors leveraging it to download device configurations and add unauthorized super_admin accounts. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-40684 to its Known Exploited Vulnerabilities catalog on October 11, 2022.
As part of Black Kite Research & Intelligence Team (BRITE), we have proactively addressed the exposure of configuration files, IP addresses, and VPN credentials belonging to over 15,000 FortiGate devices identified and analyzed on the dark web.
Third-Party Risk Management (TPRM) professionals should be particularly vigilant regarding CVE-2022-40684 due to its potential impact on network security. The recent leak of configuration files and VPN credentials for over 15,000 FortiGate devices underscores the risk of unauthorized access to sensitive systems. If a vendor utilizes vulnerable FortiGate products, their compromised systems could serve as entry points for attackers, leading to data breaches and disruptions that may cascade to connected organizations. Given the critical role of firewalls in protecting network perimeters, any compromise can have far-reaching consequences.
To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:
Vendors using affected Fortinet products should:
Black Kite has proactively addressed this issue by publishing the “FortiGate Leakage” FocusTag™ on January 17, 2025. This tag enables TPRM professionals to identify vendors potentially affected by the FortiGate data leak. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.
CVE-2024-53691 is a link following a vulnerability in QNAP’s QTS and QuTS hero operating systems. It allows remote attackers with user access to traverse the file system to unintended locations, potentially leading to unauthorized access to sensitive files and system compromise. This vulnerability has a CVSS score of 8.7.
CVE-2023-39298 is a missing authorization vulnerability affecting several QNAP operating system versions. It permits local authenticated users to access data or perform actions they should not be allowed to via unspecified vectors. This vulnerability has a CVSS score of 7.8. As of January 23, 2025, neither vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.
QNAP NAS devices are widely used for storing and managing critical business data. Exploitation of these vulnerabilities could lead to unauthorized access, data breaches, and potential system compromises. For Third-Party Risk Management (TPRM) professionals, it’s crucial to assess whether vendors utilize vulnerable QNAP systems, as a compromise could indirectly affect your organization’s data integrity and security.
To evaluate the risk associated with these vulnerabilities, TPRM professionals should inquire:
Vendors utilizing affected QNAP systems should:
Black Kite released the “QNAP QTS – Jan2025” FocusTag™ on January 23, 2025, to help organizations identify vendors potentially affected by these vulnerabilities. This tag provides detailed information, including the specific assets (IP addresses and subdomains) associated with vulnerable QNAP systems within a vendor’s infrastructure. By utilizing this intelligence, TPRM professionals can prioritize assessments and remediation efforts, ensuring that vendors have addressed these critical vulnerabilities.
Mongoose is specifically an Object Data Modeling (ODM) library designed for Node.js, enabling easy interaction with MongoDB databases. It simplifies the management, validation, and modeling of data in MongoDB, providing developers with a more structured and secure working environment.
CVE-2025-23061 is a critical code injection vulnerability affecting Mongoose, a MongoDB object modeling tool widely used for Node.js and Deno applications. It has a CVSS score of 9.0, emphasizing its severity, while the EPSS score is 0.05%, suggesting a lower probability of exploitation at present. This vulnerability arises from improper handling of nested $where filters used with the populate() function’s match option, enabling attackers to manipulate search queries and access sensitive data.
This flaw is linked to an incomplete fix for CVE-2024-53900, another critical issue involving the $where operator’s improper handling. The vulnerability impacts Mongoose versions prior to 8.9.5. Although PoC exploit code is unavailable and it has not been added to CISA’s Known Exploited Vulnerabilities catalog, its potential impact is significant due to Mongoose’s wide adoption, with over 2.7 million weekly downloads.
TPRM professionals should consider this vulnerability a high-priority concern due to Mongoose’s extensive use in applications that store sensitive data. If a vendor utilizes an unpatched version of Mongoose, their database integrity could be compromised, resulting in data manipulation, unauthorized access, or even larger breaches affecting downstream partners and customers. The prevalence of Mongoose as a dependency in critical systems underscores the potential ripple effect of an exploit.
To evaluate vendor risk associated with this vulnerability, consider asking:
Vendors using Mongoose should:
Black Kite published the “Mongoose” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially affected by this vulnerability. This tag provides high-confidence identification of systems using vulnerable Mongoose versions, offering actionable insights into affected assets, including IP addresses and subdomains. TPRM professionals can leverage this intelligence to prioritize their vendor risk assessments and ensure remediation efforts are effectively targeted.
W3 Total Cache (W3TC) is a well-known and powerful caching and performance optimization plugin designed for WordPress websites. This plugin enhances website speed, reduces loading times, and improves the overall user experience. It is particularly effective in delivering significant performance improvements for high-traffic websites.
CVE-2024-12365 is a high-severity missing authorization vulnerability in the W3 Total Cache plugin for WordPress, affecting versions up to and including 2.8.1. With a CVSS score of 8.5 and an EPSS score of 0.09%, this vulnerability allows authenticated users with Subscriber-level access to exploit the is_w3tc_admin_page function to retrieve the plugin’s nonce value. Attackers can leverage this to perform unauthorized actions, potentially leading to information disclosure and server-side request forgery (SSRF).
Exploitation of this flaw could allow attackers to query internal services, including metadata on cloud-based applications, and consume service plan limits. While no PoC exploit code is currently available, more than a million WordPress sites using this plugin are at risk. As of January 22, 2025, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.
Third-Party Risk Management (TPRM) professionals should be highly attentive to this vulnerability due to its potential to expose sensitive internal data and compromise WordPress-based websites. Many businesses rely on WordPress as their primary web platform, and vulnerabilities in widely-used plugins like W3 Total Cache can create significant risks.
If a vendor’s website is compromised through this flaw, it may lead to:
Given the widespread use of WordPress and this specific plugin, the impact of unpatched systems can extend across interconnected organizations and their customers.
To evaluate vendor risk, TPRM professionals can ask the following targeted questions:
Vendors using the W3 Total Cache plugin should take the following steps:
Black Kite released the “W3 Total Cache” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially impacted by this vulnerability. By providing very high-confidence information, such as asset-level details (e.g., IP addresses and subdomains), Black Kite enables TPRM professionals to quickly assess and mitigate risks. This FocusTag™ is instrumental in narrowing down affected vendors and ensuring targeted remediation efforts.
Black Kite’s FocusTags™ are transformative tools designed to empower Third-Party Risk Management (TPRM) professionals with actionable insights in the face of an ever-evolving threat landscape. With this week’s vulnerabilities spanning multiple platforms and industries, the value of these FocusTags™ becomes especially apparent:
By translating complex cybersecurity data into practical intelligence, Black Kite’s FocusTags™ help TPRM professionals navigate the complexities of vendor risk management with precision and confidence. These tools are essential for maintaining resilience in today’s fast-paced digital environment, where proactive risk mitigation can mean the difference between security and compromise.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2022-40684
https://breachforums.st/Thread-FortiGate-15K-Targets-Configs-VPN-Passwords
https://securityonline.info/15000-fortigate-firewalls-exposed-massive-leak-includes-vpn-credentials
https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684
https://github.com/horizon3ai/CVE-2022-40684
https://www.qnap.com/en/security-advisory/qsa-24-28
https://nvd.nist.gov/vuln/detail/CVE-2024-53691
https://nvd.nist.gov/vuln/detail/CVE-2023-39298
https://securityonline.info/cve-2024-53691-poc-exploit-released-for-severe-qnap-rce-flaw
https://github.com/C411e/CVE-2024-53691
https://nvd.nist.gov/vuln/detail/CVE-2025-23061
https://github.com/advisories/GHSA-vg7j-7cwx-8wgw
https://github.com/Automattic/mongoose/releases/tag/8.9.5
CVE-2025-2306 (CVSS 9.0): Mongoose Flaw Leaves Millions of Downloads Exposed to Search Injection
https://nvd.nist.gov/vuln/detail/CVE-2024-12365
The post FOCUS FRIDAY: TPRM Insights on FortiGate, QNAP, Mongoose, and W3 Total Cache Vulnerabilities with Black Kite’s FocusTags™ appeared first on Black Kite.
Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite
Cybercriminals are becoming increasingly bold — and no industry is safe, even those once considered untouchable. Last year, ransomware attacks in the healthcare industry skyrocketed, propelling it from the 7th most targeted industry to 3rd in just one year with attacks increasing by over 32%. The sector now accounts for 8% of ransomware attacks — up from just 5% a year ago — ranking behind only manufacturing and professional services.
What’s driving this surge? Cybercriminals are exploiting vulnerabilities unique to healthcare — making it one of the most lucrative targets. From sensitive patient data to operational disruptions that could jeopardize lives, the stakes couldn’t be higher. With 303 attacks in a single year on major hospitals to small clinics, no corner of healthcare is immune.
Our latest report, Healthcare Under Ransomware Attack, breaks down what’s behind this alarming trend — and what healthcare organizations can do to shore up their defenses.
Healthcare’s rise as a prime ransomware target marks a turning point in the tactics of cybercriminals. Once considered “off-limits” under an informal (yet twisted) code of conduct, healthcare now finds itself firmly in the crosshairs. Today’s ransomware groups prioritize ease of access and high ransom potential, and the unique pressures within healthcare — where patient safety and operational continuity are at stake — make the sector especially attractive.
This shift can be traced to two main catalysts: the high-profile attack on Change Healthcare and the dismantling of prominent ransomware groups like LockBit and AlphV (BlackCat).
The February 2024 ransomware attack on Change Healthcare disrupted vital services for healthcare facilities across the U.S. Although the company acted quickly to minimize the impact, the incident exposed vulnerabilities in healthcare operations. It also revealed growing tensions within the ransomware ecosystem. During the attack, a failed payment to an affiliate (an independent attacker partnering with a ransomware operator) sparked disputes, leading to an uprising by affiliates seeking to shift the power away from large ransomware groups.
The exit of AlphV (BlackCat) in December 2023 and the disruption of LockBit in February 2024 further impacted the ransomware landscape. While these events temporarily reduced attack volumes, the lull was quickly followed by an influx of new groups, many of which now lead attacks and work off an affiliate-led model. Emerging groups like RansomHub attracted many affiliates disillusioned with how ransomware groups were previously structured, offering affiliates greater control and payouts as high as 90%.
The shift in how ransomware groups operate also means affiliates are in high demand. Now, they transition freely between groups, spreading their knowledge further and making attacks by new, more aggressive players more likely. They’re also taking a carefully planned approach to which companies they target next.
Healthcare’s ethical responsibility to ensure continuity of care for patients sets it apart from other industries and makes it uniquely vulnerable to attacks. When systems are compromised, the consequences can be a matter of life and death — delayed surgeries, inaccessible medical records, and compromised patient safety. This means that when attacked, healthcare companies are often pressured to pay ransoms to avoid disruptions to life-saving care.
Smaller healthcare providers, with less robust cybersecurity defenses, are especially vulnerable. But no organization — large or small — is immune. Attackers aren’t picking targets at random — they are following a deliberate, calculated strategy based on:
While legacy ransomware groups tended to favor negotiation, modern groups are more likely to demand fast payments of a one-time ransom, with no room for negotiation. And sensitive patient data combined with high-stakes operations makes it more likely that affected companies will pay. In healthcare, ransom demands have climbed as high as $20M, driven by the urgent need to restore operations and protect patient outcomes.
The impact of these attacks goes far beyond finances. Attacks ripple through the healthcare ecosystem, exacting a human toll on providers, patients, and their families. The effects can also spill over to vendors and suppliers, putting your entire third-party ecosystem at risk. With no subindustry of healthcare safe — and ransomware groups targeting practices both large and small — maintaining the status quo is no longer an option.
With the chances of an attack becoming increasingly likely, it’s time to take a proactive approach to protect healthcare organizations and third-party ecosystems from attacks. Here’s how to start building a robust line of defense:
Healthcare organizations need to focus on monitoring risk factors that could increase the chance of an attack. Consider what your ecosystem looks like to attackers. Unpatched systems, outdated defenses, and weak links in your third-party ecosystem are common entry points.
By continuously monitoring for changes in risk factors — both within your organization and across your third-party network — it’s easier to take action before vulnerabilities are exploited.
An early warning system is one of the best ways to assess your company’s vulnerability to attack. Proactive tools like Black Kite’s Ransomware Susceptibility Index® (RSI™) provide insights into your organization’s risk of a ransomware attack. RSI™ uses machine learning and data analysis to assess vulnerability on a scale from 0 (low risk) to 1 (high risk). Scores above 0.50 indicate a heightened likelihood of attack, allowing organizations to prioritize and remediate vulnerabilities before they become problematic.
What makes RSI™ particularly powerful is that it mirrors the factors ransomware attackers themselves evaluate when choosing targets. By identifying and addressing any vulnerabilities before they’re picked up on by attackers, you can stay off their radar and keep sensitive patient data safe.
Healthcare providers preach the power of preventative care — and the same goes for cybersecurity. Taking a proactive approach to ransomware defense, you can assess the risks to your organization and its third-party ecosystem, protecting against the growing risk of attacks before it’s too late.
With attacks on the healthcare industry becoming more frequent and aggressive, the cost of inaction is too great — not just in financial losses but in disruptions to patient care. Protecting your organization from these threats isn’t just a cybersecurity priority — it’s a critical investment in the safety and well-being of the patients and communities you serve.
Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.
The post Why Healthcare Is Now in the Bullseye for Ransomware Groups appeared first on Black Kite.
Written by: Ferdi Gül
Welcome to this week’s Focus Friday, where we dive into key vulnerabilities impacting widely used technologies. This installment highlights three significant incidents that pose unique challenges to third-party risk management (TPRM) teams. From Juniper Junos OS to Rsync and SimpleHelp, we explore how these vulnerabilities affect the security posture of vendors and their downstream supply chains. By examining these issues, we aim to provide actionable insights and strategies to help organizations mitigate risks and maintain robust third-party relationships.
CVE-2025-21598 is an out-of-bounds read vulnerability in the routing protocol daemon (rpd) of Junos OS and Junos OS Evolved. When a device is configured with BGP packet receive trace options, an unauthenticated attacker can send malformed BGP packets that cause the rpd process to crash. This vulnerability has a CVSS score of 8.2, making it a high-severity issue. It was first disclosed on January 14, 2025, and there are currently no reports of active exploitation. CISA’s KEV catalog does not yet list this vulnerability. Proof-of-concept (POC) is not available.
CVE-2025-21599 is a critical vulnerability affecting specific versions of Junos OS Evolved. It requires IPv6 to be enabled and involves attackers sending malformed IPv6 packets persistently to exhaust memory. Exploitation does not require authentication but needs network access to the device. The affected versions are:
Versions prior to 22.4R1-EVO are unaffected. This vulnerability was excluded from the FocusTag™ scope due to its limitation to EVO versions and no detection by external clients specific to EVO.
This vulnerability impacts network infrastructure devices, which are critical to business operations. If left unpatched, it could result in significant service interruptions, loss of connectivity, and reduced reliability of the affected network environment. Organizations that rely on these devices could face disruptions in their supply chain communications and business operations, making it essential for TPRM professionals to assess the risk and ensure proper mitigation measures are in place.
Black Kite published this FocusTag™ to help organizations pinpoint the vendors affected by CVE-2025-21598. By providing detailed asset information—including relevant subdomains and vulnerable IPs—Black Kite enables TPRM professionals to rapidly identify which vendors need immediate attention. This targeted approach reduces time spent on outreach and allows more efficient mitigation efforts.
Rsync, a widely-used file synchronization tool, has six significant vulnerabilities in versions 3.3.0 and earlier. These flaws pose risks such as arbitrary code execution, information leakage, and unauthorized system access, particularly for organizations relying on Rsync for backups.
Six vulnerabilities have been identified in Rsync, posing significant security risks. These include a heap-buffer overflow (CVE-2024-12084) in the Rsync daemon that allows attackers to execute code by controlling checksum lengths (s2length) and gaining server access. An information leak vulnerability (CVE-2024-12085) exposes uninitialized memory during file checksum comparisons. Additionally, malicious servers can exploit crafted checksums to extract arbitrary files from clients (CVE-2024-12086). Path traversal is possible due to improper symlink checks with the default –inc-recursive option (CVE-2024-12087), while a –safe-links bypass flaw (CVE-2024-12088) allows arbitrary file writes and further path traversal. Finally, a symbolic-link race condition (CVE-2024-12747) could lead to privilege escalation or data leakage by exploiting timing issues during file transfers. Exploitation of these vulnerabilities requires specific conditions, such as server access or manipulated configurations.
Currently, no publicly available POC exists, and these vulnerabilities are not listed in CISA’s Known Exploited Vulnerabilities catalog. Affected versions include Rsync ≥3.2.7 and <3.4.0 for CVE-2024-12084, while other CVEs impact Rsync 3.3.0 and earlier. Organizations relying on Rsync for synchronization or backups should apply patches or mitigations promptly to mitigate risks of unauthorized access and data breaches.
Many organizations rely on Rsync for critical backup operations. Unaddressed vulnerabilities could lead to severe disruptions, including unauthorized data exposure, system compromise, and operational downtime. These risks demand immediate attention from TPRM professionals to ensure that vendors and their supply chain partners have implemented the necessary remediations.
Black Kite’s FocusTag™ for Rsync, published in January 2025, helps TPRM professionals identify vendors at risk from these vulnerabilities. By providing detailed information on affected versions, associated IPs, and potentially vulnerable assets, Black Kite enables organizations to narrow their outreach to only those vendors requiring immediate action. This targeted approach not only streamlines risk management processes but also helps protect sensitive data and critical systems from emerging threats.
Recent security assessments have uncovered critical vulnerabilities in SimpleHelp, a widely used remote support software.
CVE-2024-57726: A privilege escalation flaw that allows users with technician-level access to elevate their privileges to administrator due to missing backend authorization checks. This vulnerability has a CVSS score of 8.2, making it a high-severity issue. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.
CVE-2024-57727: A path traversal vulnerability allowing unauthenticated attackers to download arbitrary files, including sensitive configuration files. This vulnerability has a CVSS score of 7.5, making it a high-severity issue.
CVE-2024-57728: An arbitrary file upload vulnerability enabling attackers with administrative privileges to upload malicious files anywhere on the server, potentially leading to remote code execution. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.
These vulnerabilities can be chained to compromise the entire server, leading to sensitive information disclosure and potential remote code execution. They affect SimpleHelp versions 5.5.7 and earlier. Currently, there are no reports of these vulnerabilities being exploited in the wild, no available PoC, and no listing in CISA’s Known Exploited Vulnerabilities catalog.
SimpleHelp is widely used for remote support, making these vulnerabilities particularly concerning. A compromised SimpleHelp server could expose sensitive client information, provide attackers with persistent remote access, and lead to unauthorized actions such as executing malicious scripts. TPRM professionals must ensure that vendors relying on SimpleHelp have patched their systems and implemented necessary security controls to avoid supply chain disruptions and data breaches.
Black Kite provides a detailed FocusTag™ highlighting these vulnerabilities, including a list of affected versions and mitigation steps. By using Black Kite’s asset information—such as associated IP addresses and potentially vulnerable subdomains—TPRM professionals can quickly identify which vendors require immediate attention, streamlining the risk mitigation process.
As the cyber threat landscape continues to evolve, maintaining a resilient Third-Party Risk Management (TPRM) framework is more crucial than ever. Black Kite’s FocusTags™ provide a unique advantage, allowing organizations to identify and respond to high-profile vulnerabilities quickly and effectively. By incorporating FocusTags into their TPRM processes, organizations gain:
Timely Vendor Risk Identification: Quickly determine which vendors are impacted by emerging threats, enabling prompt and strategic action.
Prioritized Risk Management: Focus on the most critical vulnerabilities and vendors, ensuring that resources are allocated where they’re needed most.
Enhanced Vendor Collaboration: Conduct more informed and productive discussions with vendors, addressing their specific exposure and improving overall security measures.
Broader Security Insight: Gain a comprehensive view of the current threat landscape, helping TPRM teams anticipate future risks and strengthen their cybersecurity defenses.
With Black Kite’s FocusTags™, TPRM professionals have the tools they need to transform complex threat data into actionable intelligence. This capability not only improves risk management efficiency but also helps ensure that organizations can confidently manage their third-party ecosystem in an increasingly unpredictable digital environment.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2025-21598
https://nvd.nist.gov/vuln/detail/CVE-2024-12086
https://nvd.nist.gov/vuln/detail/CVE-2024-12087
https://nvd.nist.gov/vuln/detail/CVE-2024-12747
https://nvd.nist.gov/vuln/detail/CVE-2024-12084
https://nvd.nist.gov/vuln/detail/CVE-2024-12088
https://nvd.nist.gov/vuln/detail/CVE-2024-12085
https://www.openwall.com/lists/oss-security/2025/01/14/3
https://nvd.nist.gov/vuln/detail/CVE-2024-57726
https://nvd.nist.gov/vuln/detail/CVE-2024-57727
https://nvd.nist.gov/vuln/detail/CVE-2024-57728
https://simple-help.com/kb—security-vulnerabilities-01-2025#upgrading-to-v5-5-8
https://thehackernews.com/2025/01/critical-simplehelp-flaws-allow-file.html
https://securityonline.info/simplehelp-urgents-to-patch-critical-security-vulnerabilities
https://thehackernews.com/2023/04/iranian-hackers-using-simplehelp-remote.html
The post FOCUS FRIDAY: Third-Party Risks From Critical Juniper Junos, Rsync, and SimpleHelp Vulnerabilities appeared first on Black Kite.
The digital era has transformed education by making knowledge more accessible and communication easier. However, this convenience poses serious concerns, particularly to personal data. Cyber criminals exploit awareness and security weaknesses in students, who are frequently tech-savvy. In social networking and online banking, personal data is valuable. Unfortunately, many students disregard its relevance and share critical information.
Written by: Jason McLarney
You wake up one morning to a news alert: A new Zero-Day vulnerability is emerging, and it’s already being exploited in the wild. You race into the office and sit down at your computer to…write and send generic emails to each of your 1,000 vendors. “Have you been breached? If so, to what extent? Is our data exposed? What’s your plan to respond to it?”
Radio silence. At best, you get a trickle of responses, but most of your emails go unanswered because your vendors are busy figuring out what happened and how to mitigate fallout.
Organizations must immediately kick into high gear to mitigate damages or business disruptions when a Zero-Day event or other time-sensitive third-party threat occurs. A key step in this process is contacting vendors to communicate risk intelligence and ensure they take remedial action.
However, this process is easier said than done — especially when vendors are getting inundated by hundreds of frantic and panicked customers.
Most organizations make the mistake of sending vague “hunches” that a vendor is impacted by an incident, followed by a generic security questionnaire. In other words, they’re sharing no new information. In fact, it can come off as hostile policing. This is, obviously, not very motivating for a vendor and typically results in low, delayed, or nonexistent responses. This means risk is not being reduced, either for you or the vendor.
We built the Black Kite Bridge™ with exactly these challenges in mind. It offers the first end-to-end vulnerability response tool for:
Third-party risk management (TPRM) teams can now share trusted, vetted Black Kite intelligence directly with their vendors. This information is far more specific and actionable, leading to proven vendor engagement.
Since its inception, Black Kite has been focused on providing the most accurate, transparent, and timely risk intelligence on the market, empowering customers to take control of their third-party risk.
As a result, customers organically started sharing that intelligence and asking for more ways to give their vendorstm access to it to improve their own cyber risk postures. We heard their feedback, so we built the Black Kite Bridge™ to enable TPRM professionals to:
One of the most significant challenges in responding to an emerging Zero-Day event is knowing which vendors are impacted and what type of data to share with them.
Instead of casting the net wide and contacting vendors that may or may not pose a risk to your company, customers can leverage Black Kite to:
We arm you with insights, such as:
When you can share this information directly with a vendor through the Black Kite Bridge™, it gives you both a clear way forward. Instead of saying, “We think you were affected by X event — tell us if you were and what you’re doing to remediate it,” you can approach the vendor with clear evidence of what happened and hard recommendations to fix it.
Vendor communications about risk and the risk intelligence itself should live in the same location.
Why? Organizations already struggle with the sheer volume of vendors they rely on. If they need to communicate with all of them through one-off channels like email and without embedded context, this can easily become too complex and error-prone to scale.
Today, the relevant intelligence often lives in a separate tool from vendor communications (e.g., a GRC or VRM tool). Or worse yet, it lives in long email threads and offline spreadsheets. When TPRM is handled manually like this, progress becomes impossible to track, details slip through the cracks, and, ultimately, risk is not reduced.
A better way:
Since communications and intelligence live in one tool, reporting becomes a breeze. Your CISO wants a status update on that Zero-Day event? No problem.
With out-of-the-box reporting, you can immediately measure an incident’s initial exposure, vendor response rates, remediation progress, mean time to remediate (MTTR), and more across all vendors. Say goodbye to time-consuming, manual tracking in spreadsheets.
The Black Kite Bridge™ lets customers share unprecedented, ungated access to the intelligence they trust and rely on with their third-party vendors. Our customers have seen huge improvements in response rates and better relationships as a result of the benefits their vendors receive:
For large organizations with hundreds or thousands of suppliers, scaling vendor engagement processes and TPRM can feel impossible. With the Black Kite Bridge™, responding to emerging cyber incidents becomes a breeze. Learn more about the challenges and opportunities of vendor outreach in our latest ebook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. And learn more about Black Kite with a personalized demo.
To learn more practical strategies for building stronger vendor partnerships, check out our ebook: Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events.
The post How to Solve Vendor Outreach During Security Crisis Events appeared first on Black Kite.
Written by: Ferdi Gül
Welcome to this week’s Focus Friday blog, where we analyze high-profile vulnerabilities and incidents from a Third-Party Risk Management (TPRM) perspective. As organizations grapple with the growing complexities of cybersecurity threats, identifying and addressing vendor-related risks becomes paramount. This week, we had a busy week focusing on vulnerabilities. In this week’s article, we examined critical vulnerabilities in widely used products, including SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD. These vulnerabilities underscore the importance of swift action and strategic prioritization in TPRM processes. Read on to explore actionable insights and strategies to mitigate these risks.
The SonicWall SonicOS platform has been found vulnerable to multiple issues that could severely impact network security. Below are the key vulnerabilities:
CVE-2024-40762: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in the SSLVPN authentication token generator. This flaw allows attackers to predict authentication tokens, potentially leading to authentication bypass. (CVSS Score: 7.1)
CVE-2024-53704: Authentication Bypass vulnerability in the SSLVPN mechanism that could enable remote attackers to gain unauthorized system access. (CVSS Score: 8.2)
CVE-2024-53706: Local Privilege Escalation vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions). This allows attackers to escalate privileges to root, potentially leading to arbitrary code execution. (CVSS Score: 7.8)
CVE-2024-53705: Server-Side Request Forgery (SSRF) vulnerability in the SSH management interface. Attackers could establish TCP connections to arbitrary IP addresses and ports, enabling further attacks. (CVSS Score: 6.5, EPSS Score: 0.04%)
These vulnerabilities were disclosed in SonicWall’s security advisory on January 7, 2025. While no active exploitation has been reported yet, similar vulnerabilities have been targeted by Chinese threat actors in the past, raising the likelihood of exploitation in future attack campaigns. As of now, these vulnerabilities are not listed in CISA’s KEV catalog.
The vulnerabilities in SonicWall SonicOS present significant risks for organizations that rely on these devices for network security:
These vulnerabilities directly affect SonicWall Gen6/6.5, Gen7, and TZ80 devices, often used by organizations as a critical part of their perimeter defense. Exploitation could result in compromised networks, data breaches, or service interruptions, which would affect operational and business continuity.
To mitigate the risks associated with these vulnerabilities, vendors should:
Black Kite published the FocusTag™ SonicWall SonicOS – Jan2025 on January 8, 2025 to help TPRM professionals quickly identify vendors at risk. The tag provides:
Using this tag, professionals can narrow the scope of their risk assessments, focus efforts on high-priority vendors, and expedite their response to these vulnerabilities.
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateway products are affected by two critical vulnerabilities:
CVE-2025-0282: A Critical Stack-Based Buffer Overflow Vulnerability that permits unauthenticated remote code execution. This vulnerability affects Ivanti Connect Secure versions 22.7R2 through 22.7R2.4, Policy Secure versions 22.7R1 through 22.7R1.2, and Neurons for ZTA Gateways versions 22.7R2 through 22.7R2.3. It has a CVSS score of 9.0, reflecting its high severity, and an EPSS score of 0.83%, indicating a notable likelihood of exploitation.
CVE-2025-0283: A High-Severity Stack-Based Buffer Overflow Vulnerability that enables local authenticated attackers to escalate their privileges. This issue impacts the same product versions as CVE-2025-0282. It has a CVSS score of 7.0 and an EPSS score of 0.04%, suggesting a moderate risk of exploitation.
Both vulnerabilities were disclosed on January 8, 2025. CVE-2025-0282 has been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025, and is being exploited in limited incidents, particularly targeting Connect Secure appliances. Mandiant has attributed these exploitations to UNC5337, a suspected subgroup of the China-based espionage group UNC5221. No exploitation of CVE-2025-0283 has been reported.
These vulnerabilities present significant risks to organizations using Ivanti products:
The active exploitation of CVE-2025-0282 highlights the urgency of addressing these vulnerabilities, particularly for organizations relying on these products for secure remote access and network security.
To mitigate the risks associated with these vulnerabilities, vendors should:
Black Kite’s FocusTag™ Ivanti Connect Secure – Jan2025 enables TPRM professionals to identify vendors at risk of exposure to these vulnerabilities. This tag provides:
The tag was published on January 9, 2025. Leveraging this tag can streamline risk management efforts and enhance the security posture of third-party ecosystems.
The Progress WhatsUp Gold network monitoring software has been identified as vulnerable to the following critical and medium-severity security issues:
The vulnerabilities affecting Progress WhatsUp Gold include the following:
CVE-2024-12108: An Authentication Bypass by Spoofing Vulnerability that allows attackers to gain complete control of the WhatsUp Gold server via the public API. This vulnerability has a CVSS score of 9.6 and an EPSS score of 0.07%, making it critical in severity.
CVE-2024-12106: A Missing Authentication for Critical Function Vulnerability that enables unauthenticated attackers to configure LDAP settings, potentially leading to unauthorized access and data breaches. While this vulnerability is rated Critical with a CVSS score of 9.4 by the CNA, the NIST CVSS score is 7.5. Its EPSS score is 0.05%.
CVE-2024-12105: A Path Traversal Vulnerability that allows authenticated users to extract sensitive information through specially crafted HTTP requests. This vulnerability is rated Medium with a CVSS score of 6.5 and an EPSS score of 0.05%.
These vulnerabilities affect WhatsUp Gold versions prior to 24.0.2. Progress issued a security bulletin on December 12, 2024, urging users to upgrade. While no evidence of active exploitation exists, similar vulnerabilities have historically attracted threat actors targeting network monitoring systems.
The WhatsUp Gold vulnerabilities present critical risks to network security due to the product’s integral role in monitoring and managing network devices. Exploitation of these vulnerabilities could result in:
These risks make these vulnerabilities particularly concerning for third-party risk management (TPRM) professionals monitoring vendor ecosystems. The critical CVSS scores of CVE-2024-12108 and CVE-2024-12106 highlight the need for immediate action.
To address these vulnerabilities, vendors should:
Black Kite provides the FocusTag™ Progress WhatsUp Gold, published on January 2, 2025, to help TPRM professionals identify and address potential risks in their vendor ecosystems. This tag allows users to:
CVE-2024-56320 is a Critical Improper Authorization Vulnerability affecting GoCD versions prior to 24.5.0. This flaw enables authenticated users to persistently escalate their privileges to admin level, compromising the system’s integrity and security. The vulnerability arises from insufficient access controls in the admin “Configuration XML” UI feature and its associated API. The vulnerability has a CVSS score of 9.4 and an EPSS score of 0.05%, and it was published in January 2025.
This vulnerability cannot be exploited without prior authentication, requiring an attacker to have a valid GoCD user account. It poses a significant insider threat but does not currently have publicly available exploit code. As of now, it is not listed in CISA’s Known Exploited Vulnerabilities catalog.
The critical nature of CVE-2024-56320 makes it a significant concern for TPRM professionals. As GoCD is a continuous delivery server, its exploitation could:
This vulnerability highlights the importance of securing insider accounts and CI/CD environments, both critical for maintaining operational and data security.
To mitigate the risks of CVE-2024-56320, vendors should:
Black Kite’s FocusTag™ GoCD provides actionable intelligence to help TPRM professionals identify vendors potentially impacted by CVE-2024-56320. The tag enables users to:
This FocusTag™ was published on January 8, 2025. Black Kite users can operationalize this tag to prioritize remediation efforts and minimize exposure to insider threats.
Black Kite’s FocusTags™ are indispensable tools for refining TPRM strategies in today’s dynamic cybersecurity landscape. This week’s vulnerabilities in SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD highlight the critical role of FocusTags™ in proactive risk management. Here’s how these tags empower TPRM professionals:
Black Kite’s FocusTags™ simplify the complexity of cybersecurity threats by translating intricate technical data into actionable intelligence. This capability is critical for managing third-party risks effectively and proactively, ensuring that organizations remain one step ahead in mitigating potential threats.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2024-40762
https://nvd.nist.gov/vuln/detail/CVE-2024-53704
https://nvd.nist.gov/vuln/detail/CVE-2024-53706
https://nvd.nist.gov/vuln/detail/CVE-2024-53705
https://nvd.nist.gov/vuln/detail/CVE-2025-0282
https://nvd.nist.gov/vuln/detail/CVE-2025-0283
https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html
https://nvd.nist.gov/vuln/detail/CVE-2024-12108
https://nvd.nist.gov/vuln/detail/CVE-2024-12106
https://nvd.nist.gov/vuln/detail/CVE-2024-12105
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2024
https://research.checkpoint.com/2025/6th-january-threat-intelligence-report
https://nvd.nist.gov/vuln/detail/CVE-2024-56320
https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j
https://securityonline.info/gocd-patches-critical-vulnerability-allowing-user-privilege-escalation
The post Focus Friday: Addressing Critical Vulnerabilities in SonicWall, Ivanti, Progress, and GoCD appeared first on Black Kite.
Written by: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist
The traditional third-party risk management process often treats vendors with suspicion, mistrust, and skepticism, focusing on control rather than collaboration. This one-way “policing” mindset undermines what should be a productive and mutually beneficial partnership, creating an environment of contention and inefficiency.
Instead of working together to manage risks, organizations often overwhelm vendors with scattershot questions about vulnerability management, patching strategies, SOC 2 compliance, and more — usually without providing clear context or guidance. Vendors are left feeling frustrated and disconnected, expected to comply without fully understanding the purpose or value of their efforts. This approach feels more like an interrogation, turning what should be a partnership into more of a power struggle.
To strengthen defenses and improve the overall risk posture of their ecosystems, organizations need to move beyond this outdated approach of managing third-party risk. After all, cyberattackers don’t work in isolation — they share intelligence, coordinate strategies, and collaborate to exploit weaknesses. To combat this, organizations must adopt a similar mindset, shifting from control to collaboration. Lone wolves simply cannot prevail against well-coordinated efforts.
Embracing partnership over policing, organizations can build trust and create a culture of shared responsibility — transforming third-party risk management into a proactive, collaborative strategy that benefits everyone involved. To understand why the current approach falls short, let’s examine the consequences of this policing mindset.
Policing vendors has long been a common approach in third-party risk management, but it usually creates more problems than it solves. Instead of building a collaborative, trust-based relationship, it positions vendors as adversaries under constant scrutiny. Vendors may feel like they are being targeted — not by cybercriminals, but by the very organizations they’re supposed to support.
This sense of distrust will lead to counterproductive outcomes. Rather than being transparent about potential risks or vulnerabilities, vendors may withhold critical information to avoid blame or punitive consequences, leaving organizations blind to potential risks.
The resulting lack of transparency can lead to delayed responses – or none at all – and missed opportunities for risk mitigation. After all, you can’t address risks you don’t know about. Distrust and resentment are partners in crime, and vendors may feel resentful that their time is being wasted by time-consuming questionnaires. As a result, vendors deprioritize or ignore these tasks and organizations waste valuable time chasing incomplete responses.
Beyond the operational inefficiencies, policing represents a major misstep in risk management. It doesn’t just sour relationships — it’s fundamentally shortsighted. Since it focuses narrowly on identifying and resolving immediate vulnerabilities, it misses the broader opportunity to build a shared, proactive, and long-term defense strategy.
Cyberattackers don’t work in a vacuum — they operate in networks, share intel and strategies, and collaborate on attack timings. In contrast, many organizations and their vendors remain stuck in reactive, adversarial relationships — pointing fingers, struggling with miscommunication, and ultimately, leaving critical risks untreated.
A partnership-driven approach flips this dynamic, creating an environment where organizations and vendors collaborate, learn from each other, and pool their resources and expertise. Open communication also eliminates data silos and barriers, meaning it’s easier to act quickly during critical moments. When everyone in your supply chain sees the same accurate, actionable data, responses are faster and more effective.
Vendors treated as integral allies rather than external risks are more likely to engage openly, prioritize security initiatives, and align with your goals. This approach strengthens relationships, closes security gaps more efficiently, and creates a continuous improvement cycle that benefits both parties.
Modernizing your third-party risk management process starts with rethinking how you work with vendors. These tips will help you shift from a policing mindset to a more collaborative approach, building mutually beneficial partnerships that strengthen security:
Partnerships start with transparency. During vendor onboarding, clearly communicate how you assess security posture and why it matters. This sets expectations and reinforces the mutual benefits of an open, collaborative approach.
For existing vendors, revisit your goals and outline plans to strengthen collaboration. Engage your vendors in these discussions — ask for their input on improving collaboration and listen actively to their feedback.
Using tools like Black Kite’s Ransomware Susceptibility Index® can provide insights into which companies in your ecosystem are most likely to be hit by a ransomware attack, so that you can work with your vendors proactively to reduce that risk.
Regular communication is essential for maintaining trust and efficiency. Establish direct, security-to-security communication channels to expedite responses during critical moments. Sharing trustworthy, actionable data also reduces the burden on vendors who may be working with hundreds or even thousands of customers — who are all expecting their attention.
Tools like Black Kite Bridge™ streamline this process by centralizing communication, automating outreach, and sharing real-time intelligence. With a tool that shares asset-level vulnerability intelligence and real-time ratings updates, vendors know exactly what they need to do to address your concerns. Vendors also appreciate such solutions as they help them scale efficiently — remediations to one client’s concerns are immediately visible to other clients, saving time.
Security incidents are inevitable, making it essential to develop a proactive process for identifying and addressing them. Effective incident response depends on access to precise, actionable information shared transparently with vendors.
The traditional approach of inundating vendors with unstructured data leads to delays and confusion. Without clear guidance, vendors may struggle to prioritize their actions. A better option is to use a tool like Black Kite’s FocusTags™ to offer specific, actionable steps for addressing vulnerabilities. This makes it much easier for vendors to know what exactly needs to be done and why.
When incidents occur, the response shouldn’t end with mitigation. Collaborating with your vendors to conduct post-mortem reviews is much more constructive than pointing fingers. It also shifts the focus to learning and improvement rather than fault-finding. By honestly evaluating what went wrong, it’s easier to take the necessary steps to improve your, and their, response in the future.
Taking a team-oriented approach to post-incident reviews strengthens your collective defenses. These collaborative discussions show a commitment to mutual success and ongoing improvement, reinforcing your shared responsibility in maintaining a strong security posture.
Vendor partnerships aren’t just about managing risk — they’re about building relationships that deliver mutual value. Collaboration shifts the dynamic from adversarial into one rooted in trust, transparency, and shared objectives. Partnerships accelerate threat responses, streamline third-party risk management processes, and enable both organizations and vendors to strengthen their defenses.
The real power of partnership lies in its ability to create a symbiotic cybersecurity ecosystem, where each party contributes to a stronger collective defense. Vendors become trusted allies, working alongside you to identify vulnerabilities, mitigate risks, and stay ahead of threats. In this unified ecosystem, the sum truly is greater than the parts.
To learn more practical strategies for building stronger vendor partnerships, check out our ebook: Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events.
The post From Policing to Partnering: Rethinking the Third-Party Risk Management Process appeared first on Black Kite.
In December 2024, a series of high-profile cyber attacks, data breaches, and ransomware incidents underscored the unrelenting threat landscape confronting businesses today. From telecommunications giant BT and healthcare platform ConnectOnCall to educational institutions such as Texas Tech University, the month witnessed a disturbing uptick in both frequency and severity of malicious activities.
Major engineering and technological services firms, including ENGlobal and Blue Yonder, were not spared, nor were critical infrastructure providers like Telecom Namibia. Healthcare also took a hit, with Anna Jaques Hospital suffering significant disruptions. Kadokawa, the renowned Japanese game maker, experienced breaches that rattled the gaming community.
Even global energy players like Electrica Group were caught in the crosshairs, alongside medical device company Artivion, proving that no sector is immune to cyber threats. Our monthly compilation delves into the biggest cyber attacks and breaches in December 2024. It also explores how these organisations navigated the aftermath of December’s most significant cyber incidents.
Written by: Ferdi Gül
Welcome! We’ve come together for the last Focus Friday blog post of 2024. As we close out 2024, I wish everyone a safe, happy, and healthy new year. At the same time, we’ve completed another significant year in cybersecurity. This year, we witnessed important developments in the cybersecurity world and encountered many critical vulnerabilities. Throughout the year, we have explored numerous high-profile vulnerabilities to help organizations manage third-party risks. Today, in this final post of 2024, we will focus on critical security flaws in widely used services like Gogs Server, CrushFTP, and Apache Tomcat. In this post, we will explore what these vulnerabilities mean for Third-Party Risk Management (TPRM) professionals and how Black Kite’s FocusTags™ can provide a more effective approach to managing these risks.
Apache Tomcat has been identified with two critical RCE vulnerabilities: CVE-2024-50379 and CVE-2024-56337. These vulnerabilities arise from Time-of-Check to Time-of-Use (TOCTOU) race conditions, allowing attackers to execute unauthorized code on affected systems.
CVE-2024-50379 occurs during JavaServer Pages (JSP) compilation in Apache Tomcat, enabling RCE on case-insensitive file systems when the default servlet is configured with write functionality (non-default configuration). Similarly, CVE-2024-56337 results from the incomplete mitigation of CVE-2024-50379, affecting systems under the same configuration but requiring additional configuration depending on the Java version. Both vulnerabilities have a CVSS score of 9.8, indicating critical severity.
These vulnerabilities were first reported on December 17, 2024. While proof-of-concept (PoC) exploit code is available, no evidence of active exploitation has been reported. They have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and no advisory has been published by CISA.
Apache Tomcat is widely used to deploy Java-based web applications, making these vulnerabilities highly impactful. The risks associated with these vulnerabilities include:
To assess the risk posed by these vulnerabilities, TPRM professionals can ask the following questions:
Vendors should take the following actions to mitigate these vulnerabilities:
Black Kite offers a FocusTag titled “Apache Tomcat RCE” which provides the following benefits:
This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.
CrushFTP, a widely used file transfer server, has disclosed a critical vulnerability identified as CVE-2024-53552. This flaw affects versions prior to 10.8.3 in the 10.x series and prior to 11.2.3 in the 11.x series. The vulnerability arises from improper handling of password reset functionalities, enabling attackers to craft malicious password reset links. If a user clicks on such a link, their account can be compromised, granting unauthorized access to sensitive data and system controls. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. This issue was first reported on November 11, 2024. While PoC exploit code is not available, there is no evidence of active exploitation in the wild. The vulnerability has not been added to the CISA’s KEV catalog, and no advisory has been published by CISA.
CrushFTP is widely used for secure file transfers in enterprise environments. This vulnerability poses significant risks, including:
To assess the risk posed by this vulnerability, consider asking vendors the following questions:
Vendors should take the following actions to mitigate this vulnerability:
Black Kite offers a FocusTag titled “CrushFTP Account Takeover,” which provides:
Gogs, an open-source self-hosted Git service, has been identified with two critical path traversal vulnerabilities. CVE-2024-55947 is a vulnerability in the file update API of Gogs that allows authenticated users to write files to arbitrary paths on the server. Exploiting this flaw could enable an attacker to gain unauthorized SSH access, compromising the integrity of the server. Similarly, CVE-2024-54148 affects the file editing UI of Gogs, where authenticated users can commit and edit crafted symbolic link (symlink) files within a repository. This manipulation can lead to unauthorized SSH access to the server, posing significant security risks. Both vulnerabilities have a CVSS score of 8.7, indicating high severity, with an EPSS score of 0.05%, suggesting a low likelihood of exploitation. These vulnerabilities were first reported on December 23, 2024. While PoC exploit code is publicly available, there is no evidence of active exploitation in the wild, and the vulnerabilities have not yet been added to the CISA’s KEV catalog. No advisory has been published by CISA at this time.
Gogs is widely used for managing Git repositories, making it a critical component in many enterprise environments. These vulnerabilities can expose organizations to significant risks. Exploiting these flaws allows attackers to gain unauthorized SSH access to servers, which can lead to unauthorized access to sensitive data, server compromises, or even the manipulation of critical code repositories. Such breaches could lead to service disruption, data loss, and severe reputational damage. Given the high severity of these vulnerabilities and their potential impact on systems that rely on Gogs for version control and collaboration, TPRM professionals should prioritize assessing the exposure of their vendors.
To assess the risk posed by these vulnerabilities, TPRM professionals should ask the following questions:
Vendors should take the following actions to mitigate the risks posed by these vulnerabilities:
Black Kite offers a FocusTag titled “Gogs Server,” which provides the following benefits:
In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:
By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2024-56337
https://nvd.nist.gov/vuln/detail/CVE-2024-50379
https://securityonline.info/cve-2024-56337-apache-tomcat-patches-critical-rce-vulnerability
https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp
https://github.com/Alchemist3dot14/CVE-2024-50379
https://nvd.nist.gov/vuln/detail/CVE-2024-53552
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
https://securityonline.info/cve-2024-53552-cvss-9-8-crushftp-flaw-exposes-users-to-account-takeover
https://nvd.nist.gov/vuln/detail/CVE-2024-55947
https://nvd.nist.gov/vuln/detail/CVE-2024-54148
https://github.com/gogs/gogs/releases
The post Focus Friday: TPRM Insights on Apache Tomcat, CrushFTP, and Gogs Server Vulnerabilities appeared first on Black Kite.
Written by: Ferdi Gül
Welcome to this week’s Focus Friday, where we delve into high-profile vulnerabilities and provide actionable insights from a Third-Party Risk Management (TPRM) perspective. This edition explores critical vulnerabilities in Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application. These vulnerabilities, including remote code execution and command injection, could potentially compromise sensitive data and disrupt operations across industries. These vulnerabilities demand immediate attention from TPRM professionals to mitigate risks effectively. Let’s explore the risks, the recommended remediations, and how Black Kite’s FocusTags™ streamline the risk management process for these pressing concerns.
In our Focus Friday blog post last week, we discussed Cleo’s critical vulnerability, CVE-2024-50623. This week, we need to focus on CVE-2024-55956, which affects Cleo File Transfer products, and the systemic risks these vulnerabilities pose.
In our December 18 article titled “CL0P’s Exploitation of Cleo Directly Endangers the Supply Chain,” we detailed how the CL0P ransomware group has been exploiting vulnerabilities in Cleo’s software to threaten supply chains.
Two critical vulnerabilities have been identified in Cleo Harmony®, Cleo VLTrader®, and Cleo LexiCom® products:
CVE-2024-55956 is the Remote Code Execution Vulnerability in Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24, enabling unauthenticated users to execute arbitrary Bash or PowerShell commands by exploiting default settings in the Autorun directory.
Both vulnerabilities have been actively exploited. CVE-2024-50623 was added to CISA’s Known Exploited Vulnerabilities catalog on December 13, 2024. CISA CVE-2024-55956 was added on December 17, 2024. Cleo has released patches to address these issues, and users are strongly advised to update to the latest versions to mitigate potential risks.
Both vulnerabilities have public PoC exploit codes, and exploitation has been observed targeting industries like logistics and shipping. They enable unauthorized file uploads and remote execution of malicious commands.
These vulnerabilities represent significant risks for organizations relying on Cleo file transfer solutions:
For organizations utilizing Cleo products, timely mitigation is essential to avoid disruption and ensure data security.
To address these vulnerabilities, vendors should:
Black Kite published the Cleo File Transfer FocusTag™ on December 13, 2024, providing actionable insights for TPRM professionals. This tag identifies vendors using affected versions and details exposed assets like subdomains and IP addresses.
With Black Kite, TPRM professionals can:
This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.
The Ivanti Cloud Services Appliance (CSA) is an internet-facing device that facilitates secure communication between remote endpoints and the central Ivanti Endpoint Manager core server. It enables organizations to manage devices outside their corporate network, ensuring that endpoints can receive updates, patches, and policies regardless of their location. The key features of the Ivanti Cloud Services Appliance (CSA) include: Secure Remote Management, Certificate-Based Authentication, Support for Multiple Appliances, and Virtual Appliance Option.
These vulnerabilities impact versions of Ivanti CSA prior to 5.0.3 and include the following:
CVE-2024-11639 is an authentication bypass vulnerability in the admin web console of Ivanti Cloud Services Appliance (CSA) versions before 5.0.3, allowing remote unauthenticated attackers to gain administrative access.
CVE-2024-11772 is a command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, enabling remote authenticated attackers with administrative privileges to execute arbitrary code on the server.
CVE-2024-11773 is an SQL injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, allowing remote authenticated attackers with administrative privileges to execute arbitrary SQL statements.
All three vulnerabilities are critical, with CVE-2024-11639 having a CVSS score of 10.0, and both CVE-2024-11772 and CVE-2024-11773 each having a CVSS score of 9.1.
These vulnerabilities were first disclosed on December 10, 2024, with no current evidence of exploitation in the wild. However, considering the history of rapid exploitation of Ivanti vulnerabilities, immediate action is advised. They are not yet listed in CISA’s KEV catalog.
For TPRM professionals, these vulnerabilities in Ivanti CSA could lead to severe business risks:
Organizations leveraging Ivanti CSA for IT management need to ensure their vendors have addressed these risks to prevent potential disruptions and data breaches.
Vendors using Ivanti CSA should implement the following recommendations:
Black Kite published the Ivanti Cloud Services Application FocusTag™ on December 13, 2024, providing actionable insights. This tag identifies vendors potentially exposed to these vulnerabilities, detailing the affected assets, including subdomains and IP addresses.
By leveraging these insights, TPRM professionals can:
Black Kite’s FocusTags™ eliminate the guesswork in identifying vulnerable vendors, streamlining the risk assessment process for TPRM professionals.
CVE-2024-12356 is a critical command injection vulnerability affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions. It allows unauthenticated remote attackers to execute operating system commands as the site user by sending malicious client requests. A vulnerability with a CVSS score of 9.8 has been identified, affecting PRA and RS software versions up to and including 24.3.1. Publicly disclosed on December 16, 2024, this vulnerability poses a significant security risk due to the availability of PoC exploit code, making it a high-priority target for attackers despite no reports of active exploitation thus far. The vulnerability’s critical nature has also led to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog on December 19, 2024. With an EPSS score of 0.05%, organizations using the affected versions are urged to address this issue promptly to mitigate potential risks.
The vulnerability stems from improper neutralization of special elements used in commands, making it exploitable via a low-complexity attack. BeyondTrust has released patches for all supported versions (22.1.x and above).
BeyondTrust’s PRA and RS solutions are widely used for privileged remote access and IT support, making them an attractive target for attackers. Exploitation of this vulnerability could:
Organizations using BeyondTrust products need to address this vulnerability urgently to protect against potential exploitation.
To mitigate the risks associated with CVE-2024-12356, vendors should:
Black Kite released the BeyondTrust PRA RS FocusTag™ on December 19, 2024, offering detailed insights into vendors potentially impacted by CVE-2024-12356. The tag provides:
TPRM professionals can use these insights to:
In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities—spanning critical systems like Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application—highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:
By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2024-55956
https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis
https://nvd.nist.gov/vuln/detail/CVE-2024-11639
https://nvd.nist.gov/vuln/detail/CVE-2024-11772
https://nvd.nist.gov/vuln/detail/CVE-2024-11773
https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
https://nvd.nist.gov/vuln/detail/CVE-2024-12356
The post Focus Friday: TPRM Insights On Cleo File Transfer, BeyondTrust PRA and RS, and Ivanti Cloud Services Application Vulnerabilities appeared first on Black Kite.
Written by: Ferhat Dikbiyik
Contributor: Yavuz Han & Ekrem Celik
Cl0p is back—and this time, they’ve set their sights on Cleo, a critical tool for supply chain integration. By exploiting vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, Cl0p has reignited concerns of another large-scale ransomware campaign, echoing the chaos caused by their MOVEit, GoAnywhere, and Accelion attacks. With thousands of companies relying on Cleo for seamless data transfers and partner integrations, the risk isn’t just direct—it’s systemic.
Cleo released patches addressing a critical vulnerability (CVE-2024-50623) in its Managed File Transfer (MFT) products, including Harmony, VLTrader, and LexiCom. The flaw allowed unrestricted file uploads, enabling unauthenticated remote code execution. Cleo urged customers to upgrade to version 5.8.0.21 to mitigate the risk.
Weeks later, Blue Yonder, a major SaaS provider for supply chain management, fell victim to a ransomware attack. The Termite ransomware group claimed responsibility, leveraging vulnerabilities and credential exposure to compromise systems.
While Blue Yonder’s attack and the Termite group initially seemed isolated, Cleo systems emerged as Indicators of Compromise (IoCs) in Termite’s operations. This incident highlighted how supply chain integration tools could be weaponized to cause widespread operational disruption. For more details on Blue Yonder and Termite, refer to our previous analysis here.
In early December, signs of active exploitation began surfacing. Sophos X-Ops confirmed that attacks on Cleo products began on December 6, 2024, targeting 50+ unique hosts in North America, primarily in the retail sector. On December 13, the Cl0p ransomware group publicly claimed responsibility for exploiting Cleo’s vulnerabilities. Cl0p, known for its mass exploitation of Managed File Transfer products like MOVEit and GoAnywhere, followed their established playbook: exploit, exfiltrate, and pressure victims with double extortion. Their announcement signaled that victims were already under negotiation, and further disclosures were imminent.
Also, on December 13, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of CVE-2024-50623 and added it to the Known Exploited Vulnerabilities (KEV) Catalog. CISA mandated that all U.S. federal agencies apply patches by January 3, 2025, highlighting the urgency of remediation.
A second critical vulnerability (CVE-2024-55956) was identified in Cleo’s MFT solutions, further escalating the threat. This zero-day flaw, combined with CVE-2024-50623, expands the attack surface for threat actors, allowing even broader exploitation. According to new findings, these vulnerabilities remain attractive due to Cleo’s widespread usage in supply chain integration, especially in the retail and logistics industries.
Cl0p ransomware groups announced two new victims on December 18. Based on their initial announcement on the 13th, it is very highly likely that these victims are part of the campaign of mass exploitation of Cleo vulnerabilities.
As of mid-December, reports from Huntress and Arctic Wolf revealed that:
The interconnected risks continue to grow. Cleo systems have become central to ransomware groups’ strategies, echoing Cl0p’s MOVEit campaign in scale and complexity. The exploitation of Cleo vulnerabilities as a campaign is ongoing, and the number of victims is expected to rise over the coming weeks.
The ripple effects across the global supply chain—especially in retail, logistics, and other interconnected industries—demonstrate the systemic impact of vulnerabilities in widely adopted tools like Cleo.
Cl0p is a ransomware group notorious for large-scale exploitation campaigns targeting Managed File Transfer (MFT) software. Their operations are characterized by a “hit-and-run” mentality, focusing on mass exploitation rather than continuous attacks. Unlike opportunistic ransomware groups, Cl0p carefully identifies vulnerabilities in widely adopted tools, weaponizes them, and exploits them at scale. Their operations combine technical precision with a clear strategy: maximize impact and leverage high-value data for extortion.
Cl0p has been linked to several high-profile attacks:
These incidents highlight Cl0p’s signature approach: they don’t operate year-round. Instead, they focus on mass exploitation campaigns—finding and exploiting critical vulnerabilities in widely used enterprise tools, launching large-scale attacks, and rapidly monetizing stolen data.
Cl0p’s tactics have a distinct pattern:
The exploitation of Cleo’s vulnerabilities mirrors Cl0p’s previous large-scale campaigns on Managed File Transfer (MFT) solutions like MOVEit and GoAnywhere. These campaigns targeted zero-day vulnerabilities, allowing Cl0p to breach organizations en masse and exfiltrate sensitive data for double extortion. In December 2024, Cl0p publicly claimed responsibility for exploiting Cleo’s MFT products, specifically CVE-2024-50623 and CVE-2024-55956, stating they already had “a lot of companies” under their fingertips. This public declaration strongly suggests that exploitation began weeks earlier, consistent with Cl0p’s strategy of quietly breaching systems, stealing data, and only later announcing their activities to intensify pressure on victims yet to pay.
Given Cleo’s widespread adoption—particularly in retail and logistics, where it facilitates end-to-end supply chain integration—the scale of potential disruption is significant. Cl0p’s focus on tools that connect organizations across ecosystems amplifies the risk far beyond a single company, creating a ripple effect throughout supply chains.
This pattern is not new. During the MOVEit exploitation campaign in 2023, Black Kite Research and Intelligence Team (BRITE) observed 600 MOVEit assets exposed to the internet at the time of discovery. Given Cl0p’s spray-and-exploit approach, we estimate most of those assets were attacked. In total, Cl0p’s MOVEit campaign impacted hundreds of direct victims and indirectly affected more than 2,700 organizations, including downstream third- and fourth-party dependencies.
Within three months, Cl0p announced 270 victims tied to MOVEit on their leak site. Other victims were listed afterward, though it remains unclear if these were MOVEit-related. Notably, Cl0p claimed to have deleted stolen data for some organizations, such as non-profits and public institutions, likely for reputational reasons.
While Cl0p currently dominates the headlines, it is worth noting that the Termite ransomware group has also been associated with Cleo-related Indicators of Compromise (IoCs). Though there is no confirmed link between Cl0p and Termite, this overlap highlights how critical tools like Cleo become prime targets for multiple ransomware operators seeking high-impact opportunities.
Cl0p’s resurgence with Cleo is yet another example of their ability to disrupt systems at scale. Their hit-and-run mentality—periodically focusing on MFT vulnerabilities for maximum effect—demonstrates their precision and understanding of how interconnected systems amplify ransomware risks. Organizations must respond decisively to such threats, as delayed action could leave critical data and operations exposed in the interconnected web of modern supply chains.
The first critical vulnerability identified in Cleo’s MFT solutions—CVE-2024-50623—was disclosed in October 2024. This flaw allows for unauthenticated file uploads, enabling attackers to place malicious files directly onto targeted servers. Under certain conditions, this results in remote code execution (RCE), giving threat actors the ability to execute arbitrary commands.
The vulnerability impacts Cleo Harmony, VLTrader, and LexiCom products widely used for secure file transfers, partner onboarding, and supply chain automation. Organizations with internet-exposed Cleo systems running unpatched versions were immediately placed at risk.
On December 15, 2024, a second vulnerability—CVE-2024-55956—surfaced, further exacerbating the risk. This zero-day flaw allows for unrestricted file downloads, enabling attackers to exfiltrate sensitive data without authentication. In combination with CVE-2024-50623, this creates a powerful attack vector where threat actors can both infiltrate and exfiltrate data, a hallmark of ransomware operations.
Researchers from Huntress have raised concerns that even fully patched systems remain vulnerable under specific misconfigurations or incomplete remediations. This complicates mitigation efforts, as organizations may incorrectly assume they are protected after applying initial patches.
Security researchers have published several Indicators of Compromise related to Cleo exploitation, including:
Organizations are urged to monitor for these IoCs and conduct thorough forensic reviews of Cleo servers to identify unauthorized file uploads or unusual system behavior.
While Cleo released patches in October, real-world implementation has revealed challenges. Systems with incomplete configurations or unpatched instances remain vulnerable. Additionally, Huntress researchers have reported that fully updated Cleo environments could still be exploited under specific conditions, raising the risk for organizations that rely on Cleo for critical file transfer operations.
The combined exploitation of CVE-2024-50623 and CVE-2024-55956 highlights the evolving sophistication of ransomware groups like Cl0p. These vulnerabilities create a near-perfect opportunity for attackers to infiltrate systems, steal sensitive data, and leverage supply chain disruptions for maximum impact. Organizations must act decisively to identify exposure, patch systems, and monitor for signs of compromise before attackers escalate their campaigns further.
Cleo’s Integration Cloud (CIC) and Managed File Transfer (MFT) solutions serve as critical infrastructure for businesses that rely on seamless data exchanges with trading partners, customers, and internal systems. These tools power API and EDI-based transactions, automate file transfers, and integrate with back-office applications, enabling operational efficiency across interconnected supply chains.
The exploitation of Cleo vulnerabilities poses direct and indirect risks to organizations, mirroring the cascading effects seen during the MOVEit and GoAnywhere campaigns:
Industries like retail, logistics, manufacturing, and healthcare depend heavily on Cleo to manage their supply chain workflows. From onboarding new partners to securely transferring sensitive business data, Cleo has become a central link in countless global operations. This widespread reliance creates an attractive target for ransomware groups like Cl0p, who aim to amplify the disruption by compromising a tool that connects thousands of organizations.
The Cleo exploitation highlights a broader issue: the fragility of interconnected systems. Organizations often underestimate their reliance on third-party tools and partners until an incident like this occurs. A single vulnerability in a widely adopted platform can disrupt hundreds—or thousands—of interconnected businesses, amplifying risks across entire ecosystems.
For organizations prioritizing supply chain resilience, visibility is critical:
Understanding these relationships and acting proactively can make the difference between business continuity and cascading failure.
As the Cleo vulnerabilities began to surface and exploitation intensified, Black Kite acted swiftly to provide actionable intelligence for our customers. Understanding the layered risks posed by Cleo’s interconnected products, we released two distinct FocusTags:
Both tags addressed critical aspects of the threat, helping customers identify exposure, prioritize outreach, and take decisive mitigation steps.
The Cleo File Transfer FocusTag™ focuses on the vulnerable software versions and internet-facing systems running Cleo Harmony®, VLTrader®, and LexiCom. This vulnerability-focused tag provides highly actionable intelligence for customers to address immediate technical risks.
Key details include:
Customers used this tag to quickly identify their own exposure and initiate remediation efforts, including monitoring for signs of exploitation and implementing defensive controls.
Black Kite published this first tag on November 27, 2024 for CVE-2024-50623 and updated it since then frequently so that it includes the new developments and vulnerabilities (CVE-2024-55956).
The Cleo Integration – Ransomware Risk FocusTag™ addresses a broader risk beyond the specific vulnerabilities. This tag highlights organizations connected to Cleo’s Integration Cloud (CIC) as application or trading partners, who may face direct or indirect risks of a ransomware attack.
The Cleo Integration tag is based on a combination of:
Through discussions with trading partners and confirmation from our customers, we’ve learned that Cleo integrations often touch sensitive data and critical systems, amplifying the potential for cascading impacts across the supply chain.
This tag enables customers to:
Black Kite published this tag on December 16, 2024, right after Cl0p announced it on their dark web blog. Black Kite has become the first source of intel for many Black Kite customers.
Customers who were identified as trading partners on Cleo’s public website began internal investigations to assess their exposure. IoCs provided with the tag—such as suspicious file patterns and malicious IPs—were shared with SOC teams to ensure no compromise had occurred. Organizations verified where Cleo touched their sensitive assets or critical systems and prepared incident response protocols as a precaution.
Black Kite customers leveraged these FocusTags to address both immediate risks and cascading vulnerabilities:
The swift release of these two FocusTags reflects Black Kite’s commitment to delivering timely and actionable intelligence. The BRITE (Black Kite Research and Intelligence) team worked around the clock to analyze risks, while our Customer Success, Support, and Product teams ensured customers could operationalize this intelligence effectively.
By addressing both technical vulnerabilities and supply chain risks, we enabled organizations to act decisively—protecting their systems, understanding their vendor relationships, and mitigating the cascading impacts of ransomware.
As the exploitation of Cleo vulnerabilities continues to unfold, organizations must move quickly to mitigate risks, both internally and across their supply chains. Given Cl0p’s history of targeting widely adopted Managed File Transfer (MFT) tools, delaying action could leave organizations exposed to ransomware deployment, data theft, and operational disruptions.
If your organization uses Cleo Harmony®, VLTrader®, or LexiCom, immediate technical measures must be prioritized:
Even if your organization does not use Cleo directly, there is significant indirect risk if your vendors, trading partners, or customers rely on Cleo systems. Cl0p’s attack campaigns historically spread across entire ecosystems, impacting organizations that were never direct targets.
Steps to address cascading risks include:
While the immediate priority is mitigating Cleo-related risks, this incident underscores the broader need for improved third-party risk management and supply chain resilience. In an interconnected world, risks like Cleo’s vulnerabilities don’t stay isolated—they ripple across entire ecosystems. Whether you’re a direct user of Cleo systems or part of a broader supply chain, visibility and decisive action are critical to minimizing ransomware risk.
Organizations should take steps to ensure they are prepared for future events:
By addressing vulnerabilities internally, working proactively with vendors, and strengthening long-term cyber resilience, organizations can mitigate the cascading impacts of supply chain ransomware attacks.
The Cleo exploitation campaign is another stark example of how quickly ransomware groups like Cl0p can exploit critical vulnerabilities to disrupt organizations and their interconnected supply chains. By targeting tools that sit at the heart of business operations, Cl0p has shown once again that the impacts of these attacks are rarely limited to direct victims.
At Black Kite, we believe that speed, visibility, and actionable intelligence are key to minimizing risk in moments like these. The release of the Cleo File Transfer FocusTag™ and the Cleo Integration – Ransomware Risk FocusTag™ allowed our customers to take immediate action—internally patching vulnerabilities, identifying at-risk vendors, and prioritizing outreach campaigns.
These efforts are a testament to the collaborative work of the BRITE team, who identified and tracked this threat, and the Customer Success, Support, and Product and Development teams, who made this intelligence actionable for our customers.
While the Cleo vulnerabilities may dominate headlines today, the lesson for tomorrow is clear:
Know your vendors. Know their dependencies. And act decisively when risk emerges.
The next wave of ransomware will come—it always does. Organizations that prioritize visibility, operationalize risk intelligence, and strengthen supply chain resilience will be the ones who weather it best.
https://arcticwolf.com/resources/blog-uk/cleopatras-shadow-a-mass-exploitation-campaign-uk
https://infosec.exchange/@SophosXOps/113631363563332166
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
The post Cl0p’s Exploitation of Cleo Puts the Supply Chain at Immediate Risk appeared first on Black Kite.
Written by: Jason McLarney
Gone are the days of working with a handful of long-time, trusted vendors. Today, 60% of enterprises work with up to 1,000 vendors at a time, with 71% reporting that their third-party network has exponentially increased in just three years. That means more risk to evaluate and therefore more vendor assessments to parse through.
The sheer volume of vendors in play and the length of traditional vendor risk assessments (often hundreds of questions) can make scaling this process feel impossible.
Fortunately, with the right third-party risk tools and strategic vendor risk assessment processes, scaling is very achievable.
Here are four practical steps organizations can take to get the data they need to make confident third-party risk decisions — quickly, efficiently, and accurately.
Traditionally, many organizations have evaluated all new vendors with the same level of scrutiny. Here’s the issue with this: Not all third-party relationships are the same.
A third-party partner with no access to critical data (such as a catering provider) should not receive the same vendor risk assessment as one with extensive access to critical data (such as a payment processor). Due to the nature of the relationship — and what’s being shared — these two vendors pose a very different level of risk. This is a good thing because it means you don’t have to be equally thorough and meticulous with every vendor.
A Strategic Approach to Vendor Risk Assessments
Prioritize and tier vendors based on the unique risk they each pose to business-critical operations, environments, and data. Third-party risk pros can start by asking the following questions about their network of vendors:
Based on those answers, organizations can start more effectively tiering their vendors into the following categories:
Think of it this way: If you were a 911 operator who answered two calls, one about a fender-bender and one about a 10-car pileup around the same time, you’d know where to send more resources.
Risk-based tiers are the basis that should dictate all engagement with that vendor — the risk thresholds you’re comfortable with, the compliance levels you require, how often you reassess them, and the level of communication you have with them. With vendors ranked in these risk-based tiers, teams can prioritize their efforts around the third-party partners most critical to their business — and the ones that raise the most red flags regarding potential impact.
That level of prioritization is exactly how organizations can go from treating 10,000 vendors exactly the same (and burning out the team, no matter how large) to using a streamlined team to focus on the riskiest vendors — without incurring unnecessary risk or feeling spread thin.
In a market where scaling fast is the goal, risk professionals are starting to recognize they need to move away from solely relying on questionnaires. That’s because general questionnaires, which can sometimes have over 300 questions, often result in general (read: unhelpful) responses.
Effective communication with vendors relies instead on obtaining — and sharing — the right data, and only when necessary. Organizations need a source of intelligence they can trust to make better risk decisions, including whether they need to engage the vendor in the first place. For example, if a vendor meets all of your security and compliance requirements and is tiered as a “Moderate Risk” vendor, do you really need to issue them a questionnaire? It depends on your risk appetite, but likely not.
Organizations need a transparent, standards-based cyber ratings platform where they can see for themselves how findings and scores are assembled. That gives teams the reliable, concrete data they need to have meaningful conversations with vendors and collaborate effectively to remediate risk.
Security teams should also consider investing in a third-party risk management (TPRM) tool that provides:
Baking in automation is the only way to scale your vendor risk assessment process. Manually sifting through questionnaires is not the solution; it only exhausts resource-constrained risk teams and introduces human error.
Manual vendor risk assessments can take anywhere from two to eight weeks on average. For any other project, that timeframe might be acceptable. But digital threats evolve much faster than that. Within a few weeks, the risk landscape (either yours as an organization or the market’s at large) can undergo a seismic shift that rapidly changes priorities. Whether due to a geopolitical upheaval or a new business expansion strategy, risk doesn’t remain constant.
With the right third-party risk automation tools, teams can reduce assessment cycles from weeks to hours. AI-driven engines can parse complex vendor documents (SOC2 reports, compliance policies, questionnaire responses, and more) and measure compliance with industry-wide frameworks such as NIST 800-53 R5, ISO27001, and more, giving you an immediate view into their risk.
That unlocks the ultimate key to scaling: Finding automated tools your teams can trust to work in the background while they handle more complex risk strategies.
Regarding third-party risk, it can be easy for organizations to fall into the trap of only communicating with vendors during procurement and onboarding… and then only if and when an incident occurs. That’s not due to any personal failure but because it can be nearly impossible to effectively communicate with hundreds or thousands of vendors regularly.
With effective prioritization, risk teams can collaborate with vendors rather than having a reactive (and often unnecessarily tense) relationship. They can also minimize the total amount of vendor assessments they need to send — and shorten and focus the ones they do send — all the while better mitigating actual risk.
Double down on the vendors that matter most to your organization’s security, financial health, and business-critical processes. Check in with them on risk and security developments — and identify any shared risks or weaknesses that you might have with each other.
Effective scaling starts with moving away from one-size-fits-all, time-consuming, and manual methods and instead towards:
These pillars make scaling possible and achievable, expanding your team’s reach and allowing you to double down on the value-adding tasks and relationships that matter most. However, all of these vendor risk mitigation strategies rely on one key factor: trustworthy, timely risk data. When organizations have data they can trust, they can prioritize, dial in their risk thresholds, and build out the third-party risk management structure they need to move ahead with confidence.
Scaling vendor risk assessments doesn’t have to feel impossible. With the right tools and processes, organizations can unlock efficiencies, strengthen their vendor relationships, and improve their overall risk posture. Black Kite Bridge™ makes collaboration easier by providing the trusted data and communication capabilities needed to drive faster, more meaningful vendor engagements.
If you’re ready to transform your approach to vendor engagement, don’t miss our eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. It’s packed with actionable insights to help you work more effectively with vendors during critical events — no download required.
Check out our interactive ebook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events
The post Vendor Risk Assessments: Why Scaling Feels Impossible (and What To Do About It) appeared first on Black Kite.
Login