Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

An image from one Chinese phishing group’s Telegram channel shows various toll road phish kits available.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

CARDING REINVENTED

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves are loading multiple stolen digital wallets on a single mobile device, and then selling those phones in bulk for hundreds of dollars apiece.

“Who says carding is dead?,” said Merrill, who presented about his findings at the M3AAWG security conference in Lisbon earlier today. “This is the best mag stripe cloning device ever. This threat actor is saying you need to buy at least 10 phones, and they’ll air ship them to you.”

One promotional video shows stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different UK financial institutions.

Merrill said one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on Stripe or Zelle and running transactions through those entities — often for amounts totaling between $100 and $500.

Merrill said that when these phishing groups first began operating in earnest two years ago, they would wait between 60 to 90 days before selling the phones or using them for fraud. But these days that waiting period is more like just seven to ten days, he said.

“When they first installed this, the actors were very patient,” he said. “Nowadays, they only wait like 10 days before [the wallets] are hit hard and fast.”

GHOST TAP

Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called “ZNFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“The software can work from anywhere in the world,” Merrill said. “These guys provide the software for $500 a month, and it can relay both NFC enabled tap-to-pay as well as any digital wallet. The even have 24-hour support.”

The rise of so-called “ghost tap” mobile software was first documented in November 2024 by security experts at ThreatFabric. Andy Chandler, the company’s chief commercial officer, said their researchers have since identified a number of criminal groups from different regions of the world latching on to this scheme.

Chandler said those include organized crime gangs in Europe that are using similar mobile wallet and NFC attacks to take money out of ATMs made to work with smartphones.

“No one is talking about it, but we’re now seeing ten different methodologies using the same modus operandi, and none of them are doing it the same,” Chandler said. “This is much bigger than the banks are prepared to say.”

A November 2024 story in the Singapore daily The Straits Times reported authorities there arrested three foreign men who were recruited in their home countries via social messaging platforms, and given ghost tap apps with which to purchase expensive items from retailers, including mobile phones, jewelry, and gold bars.

“Since Nov 4, at least 10 victims who had fallen for e-commerce scams have reported unauthorised transactions totaling more than $100,000 on their credit cards for purchases such as electronic products, like iPhones and chargers, and jewelry in Singapore,” The Straits Times wrote, noting that in another case with a similar modus operandi, the police arrested a Malaysian man and woman on Nov 8.

Three individuals charged with using ghost tap software at an electronics store in Singapore. Image: The Straits Times.

ADVANCED PHISHING TECHNIQUES

According to Merrill, the phishing pages that spoof the USPS and various toll road operators are powered by several innovations designed to maximize the extraction of victim data.

For example, a would-be smishing victim might enter their personal and financial information, but then decide the whole thing is scam before actually submitting the data. In this case, anything typed into the data fields of the phishing page will be captured in real time, regardless of whether the visitor actually clicks the “submit” button.

Merrill said people who submit payment card data to these phishing sites often are then told their card can’t be processed, and urged to use a different card. This technique, he said, sometimes allows the phishers to steal more than one mobile wallet per victim.

Many phishing websites expose victim data by storing the stolen information directly on the phishing domain. But Merrill said these Chinese phishing kits will forward all victim data to a back-end database operated by the phishing kit vendors. That way, even when the smishing sites get taken down for fraud, the stolen data is still safe and secure.

Another important innovation is the use of mass-created Apple and Google user accounts through which these phishers send their spam messages. One of the Chinese phishing groups posted images on their Telegram sales channels showing how these robot Apple and Google accounts are loaded onto Apple and Google phones, and arranged snugly next to each other in an expansive, multi-tiered rack that sits directly in front of the phishing service operator.

The ashtray says: You’ve been phishing all night.

In other words, the smishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

Notably, none of the phishing sites spoofing the toll operators or postal services will load in a regular Web browser; they will only render if they detect that a visitor is coming from a mobile device.

“One of the reasons they want you to be on a mobile device is they want you to be on the same device that is going to receive the one-time code,” Merrill said. “They also want to minimize the chances you will leave. And if they want to get that mobile tokenization and grab your one-time code, they need a live operator.”

Merrill found the Chinese phishing kits feature another innovation that makes it simple for customers to turn stolen card details into a mobile wallet: They programmatically take the card data supplied by the phishing victim and convert it into a digital image of a real payment card that matches that victim’s financial institution. That way, attempting to enroll a stolen card into Apple Pay, for example, becomes as easy as scanning the fabricated card image with an iPhone.

An ad from a Chinese SMS phishing group’s Telegram channel showing how the service converts stolen card data into an image of the stolen card.

“The phone isn’t smart enough to know whether it’s a real card or just an image,” Merrill said. “So it scans the card into Apple Pay, which says okay we need to verify that you’re the owner of the card by sending a one-time code.”

PROFITS

How profitable are these mobile phishing kits? The best guess so far comes from data gathered by other security researchers who’ve been tracking these advanced Chinese phishing vendors.

In August 2023, the security firm Resecurity discovered a vulnerability in one popular Chinese phish kit vendor’s platform that exposed the personal and financial data of phishing victims. Resecurity dubbed the group the Smishing Triad, and found the gang had harvested 108,044 payment cards across 31 phishing domains (3,485 cards per domain).

In August 2024, security researcher Grant Smith gave a presentation at the DEFCON security conference about tracking down the Smishing Triad after scammers spoofing the U.S. Postal Service duped his wife. By identifying a different vulnerability in the gang’s phishing kit, Smith said he was able to see that people entered 438,669 unique credit cards in 1,133 phishing domains (387 cards per domain).

Based on his research, Merrill said it’s reasonable to expect between $100 and $500 in losses on each card that is turned into a mobile wallet. Merrill said they observed nearly 33,000 unique domains tied to these Chinese smishing groups during the year between the publication of Resecurity’s research and Smith’s DEFCON talk.

Using a median number of 1,935 cards per domain and a conservative loss of $250 per card, that comes out to about $15 billion in fraudulent charges over a year.

Merrill was reluctant to say whether he’d identified additional security vulnerabilities in any of the phishing kits sold by the Chinese groups, noting that the phishers quickly fixed the vulnerabilities that were detailed publicly by Resecurity and Smith.

FIGHTING BACK

Adoption of touchless payments took off in the United States after the Coronavirus pandemic emerged, and many financial institutions in the United States were eager to make it simple for customers to link payment cards to mobile wallets. Thus, the authentication requirement for doing so defaulted to sending the customer a one-time code via SMS.

Experts say the continued reliance on one-time codes for onboarding mobile wallets has fostered this new wave of carding. KrebsOnSecurity interviewed a security executive from a large European financial institution who spoke on condition of anonymity because they were not authorized to speak to the press.

That expert said the lag between the phishing of victim card data and its eventual use for fraud has left many financial institutions struggling to correlate the causes of their losses.

“That’s part of why the industry as a whole has been caught by surprise,” the expert said. “A lot of people are asking, how this is possible now that we’ve tokenized a plaintext process. We’ve never seen the volume of sending and people responding that we’re seeing with these phishers.”

To improve the security of digital wallet provisioning, some banks in Europe and Asia require customers to log in to the bank’s mobile app before they can link a digital wallet to their device.

Addressing the ghost tap threat may require updates to contactless payment terminals, to better identify NFC transactions that are being relayed from another device. But experts say it’s unrealistic to expect retailers will be eager to replace existing payment terminals before their expected lifespans expire.

And of course Apple and Google have an increased role to play as well, given that their accounts are being created en masse and used to blast out these smishing messages. Both companies could easily tell which of their devices suddenly have 7-10 different mobile wallets added from 7-10 different people around the world. They could also recommend that financial institutions use more secure authentication methods for mobile wallet provisioning.

Neither Apple nor Google responded to requests for comment on this story.

To connect billions of devices all around the world, the Internet of Things (IoT) has brought technology to an unprecedented level of interaction with us. IoT Security has integrated itself seamlessly into everything from smart homes, wearables, and automation systems to industrial and healthcare. Nevertheless, the Cybersecurity Challenges increase with their use. 

Byline: Ekrem Selcuk Celik, Cybersecurity Researcher at Black Kite

Welcome to the January 2025 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.

The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents in January 2025, marking a sharp increase compared to January 2024, which saw approximately 300 cases. This significant rise indicates that ransomware activity is escalating at an alarming pace. Among these incidents, 274 were recorded in the United States, 32 in Canada, 23 in the United Kingdom, and 18 in France.

Manufacturing was the most targeted sector, followed by technical services. Closing out December with 535 cases, ransomware groups have historically shown a tendency to slow down at the beginning of the year. However, this year is proving to be an exception.

Top Threat Actors in January 2025

The Clop ransomware group took the lead in January 2025 by a significant margin with 115 publicly disclosed victims. As usual, RansomHub remained among the top-ranking groups with 42 victims. One of the most notable groups this month was Lynx, which saw a major surge with 42 victims in January. They were followed by the Akira group, which recorded 38 victims.

Clop Is No Joke, But It’s Not What It Used to Be

Nearly all of the 115 Clop attacks were linked to the CLEO vulnerability, continuing the momentum from Clop’s December disclosures. Initially, only 50 victims were expected, but as the group continues to release names in alphabetical order, the final number could reach 500.

Among these 115 victims, the United States was the most affected, with 79 cases, followed by Canada with 12 and the Netherlands with 4.

In terms of industry impact among these attacks, the manufacturing sector suffered the highest number of attacks, with 34 victims. It was followed by the transportation sector with 18 victims, the information technology sector with 17, and the technical services sector with 14.

Two years ago, during the MoveIT disclosures, Clop was at the center of global media attention. Now, despite its high ransomware activity, the group seems to be struggling to capture the same level of interest. They kept postponing victim disclosures, which was unusual for them, and then starting sharing victims in a different way to seek attention. Whether this signals Clop’s waning influence or a shift in public perception remains to be seen, but one thing is certain: the group appears increasingly frustrated by the lack of attention.

FunkSec: From Ransomware to Full-Fledged Cybercrime Group

FunkSec continued its aggressive expansion in January, making headlines with its unconventional tactics:

• Launched FunkBID, a data leak auction platform.
• Announced a partnership with Fsociety for joint ransomware operations.
• Gave media interviews, shedding light on their internal workings.
• Released FunkSec V1.2, their own Ransomware-as-a-Service (RaaS) for $100.
• Threatened a cybersecurity researcher who had written about them.
• Established their own forum to further expand their operations.

Key takeaways from their recent interview:

• They claim to be entirely self-taught with no external affiliations.
• AI plays a role in their operations, but they state it accounts for only 20%.
• They have developed their own GPT model for internal use.
• Their primary goal is financial gain, but they explicitly state hostility toward Israel and the U.S.
• The group consists of four members.
• While hacking remains their focus, they employ specialized ransomware developers.
• They use tools like Shodan Premium and Burp Pro, alongside advanced custom brute force tools.
• Rust is their programming language of choice.

FunkSec’s erratic yet calculated moves make them one of the most unpredictable actors in the ransomware ecosystem. Their expansion beyond traditional ransomware operations suggests a broader ambition that could redefine the threat landscape.

Is Babuk Back? Or Just an Imposter?

A new leak site emerged in January claiming to be affiliated with Babuk, publishing 60 alleged victims. While this sparked speculation that the notorious ransomware group had returned, our analysis revealed that most of the disclosed victims had already been published by FunkSec, RansomHub, and LockBit.

Shortly after the site gained traction, access was restricted, leaving its authenticity in question. Whether this marks the actual return of Babuk or merely an opportunistic attempt to capitalize on the name remains unclear.

New Groups Keep Emerging, but Originality Is Fading

Ransomware groups continue to surface at an increasing rate, and the rise of Ransomware-as-a-Service (RaaS) is undoubtedly fueling this trend. However, despite this growth, these groups seem to do little more than mimic each other. Many simply replicate existing leak sites, making it increasingly difficult to track them as they blur into one another.

In previous years, such copycat behavior was less common, but now it’s becoming the norm. This shift strongly suggests that experienced cybercriminals are being replaced by younger, less-skilled actors. As a result, while the number of ransomware groups grows, innovation within the ecosystem seems to be stagnating.

Attacks Are Increasing, but Ransom Payments Are Decreasing

While ransomware attacks surged in 2024, total ransom payments dropped by 35%, amounting to $813.55 million. Companies are increasingly adopting robust cybersecurity measures, improving backup strategies, and benefiting from law enforcement crackdowns on cybercriminals.

Notably, the international operation “Operation Cronos” disrupted LockBit’s infrastructure, demonstrating the growing impact of coordinated cybercrime enforcement. However, despite these advancements, ransomware groups are evolving their tactics, becoming more aggressive in their extortion methods.

In response, the UK government is considering stricter regulations, including:

• Banning public institutions and critical infrastructure providers from making ransom payments.
• Mandating all victims to report ransomware incidents to authorities.

Authorities believe these measures will curb ransomware groups’ financial streams and act as a deterrent. If enacted, these regulations could reshape how organizations respond to ransomware threats.

Key Takeaways

January 2025 set a record-breaking pace for ransomware incidents.

• Clop led the charge but may be struggling to maintain its past level of influence.
• FunkSec is rapidly expanding its operations beyond ransomware, building a cybercrime ecosystem.
• The alleged return of Babuk remains uncertain, raising questions about its legitimacy.
• While ransom payments are declining, attack volume is increasing, prompting tighter regulations.

For cybersecurity teams, 2025 is already shaping up to be one of the most challenging years yet. Black Kite’s Ransomware Susceptibility Index® (RSI^TM) offers a proactive approach by assessing the likelihood of a ransomware attack throughout the third-party ecosystem. By leveraging RSI, risk managers can identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard their organizations against the escalating threat.

Stay tuned for more monthly Ransomware Reviews on our blog and LinkedIn Newsletter.

The post Ransomware Review January 2025: Clop’s CLEO Exploit Fuels a Record Month appeared first on Black Kite.

Written by: Ferdi Gül

In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.

Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.

Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.

CVE-2025-0108, CVE-2025-0110: Authentication Bypass & Command Injection in PAN-OS

What are the PAN-OS Authentication Bypass and Command Injection Vulnerabilities?

Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:

• CVE-2025-0108 (Authentication Bypass – CVSS: 8.8):
  This vulnerability affects the management web interface of PAN-OS. An unauthenticated attacker with network access can bypass authentication and invoke specific PHP scripts. While it does not allow remote code execution, it compromises system integrity and confidentiality.
• CVE-2025-0110 (Command Injection – CVSS: 8.6):
  Found in the OpenConfig plugin, this vulnerability enables an authenticated administrator with gNMI request privileges to inject and execute arbitrary commands. The commands run as the _openconfig user, which has Device Administrator privileges, potentially leading to full system compromise.

Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.

• Authentication Bypass (CVE-2025-0108):
  Attackers could exploit this flaw to gain unauthorized access to PAN-OS management functions, leading to potential misconfigurations, unauthorized changes, or exposure of sensitive network settings.
• Command Injection (CVE-2025-0110):
  If the OpenConfig plugin is enabled, an attacker with administrator access could execute arbitrary system commands, escalating privileges or deploying persistent malware on PAN-OS devices.

For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.

What Questions Should TPRM Professionals Ask Vendors?

To assess vendor exposure, TPRM professionals should ask:

1. Have you identified any PAN-OS devices in your environment that are running vulnerable versions (before PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, 10.1.14-h9)?
2. Do you use the OpenConfig plugin in PAN-OS? If so, have you verified that it is updated to version 2.1.2 or later?
3. What access controls are in place to restrict exposure of the PAN-OS management web interface to untrusted networks?
4. Have you applied Palo Alto Networks’ recommended mitigations, such as disabling unused plugins and restricting management access?

Remediation Recommendations for Vendors Subject to this Risk

To mitigate the risk associated with these vulnerabilities, vendors should:

✔ Upgrade PAN-OS to patched versions:

• PAN-OS 11.2 → Upgrade to 11.2.4-h4 or later
• PAN-OS 11.1 → Upgrade to 11.1.6-h1 or later
• PAN-OS 10.2 → Upgrade to 10.2.13-h3 or later
• PAN-OS 10.1 → Upgrade to 10.1.14-h9 or later
• If running PAN-OS 11.0 (EoL), upgrade to a supported version.

✔ Update OpenConfig plugin to version 2.1.2 or later (if enabled).
✔ Restrict management interface access to trusted internal IPs only.
✔ Disable the OpenConfig plugin if not in use to reduce the attack surface.
✔ Monitor system logs for unusual access or command execution activity.
✔ Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.

• The FocusTag™ identifies vendors potentially affected by CVE-2025-0108 and CVE-2025-0110.
• Black Kite provides asset intelligence, including IP addresses and subdomains hosting vulnerable PAN-OS instances.

The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.

CVE-2025-22467, CVE-2024-38657, CVE-2024-10644: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure

What Are the Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure?

Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:

• CVE-2025-22467 (CVSS: 9.9): A stack-based buffer overflow vulnerability in ICS versions prior to 22.7R2.6. This flaw allows a remote authenticated attacker with low privileges to execute arbitrary code, potentially leading to full system compromise.
• CVE-2024-38657 (CVSS: 9.1): An external control of file name or path vulnerability affecting ICS (before 22.7R2.4) and IPS (before 22.7R1.3). A remote authenticated attacker with administrative privileges can write arbitrary files on the system, which may lead to unauthorized file manipulation or system compromise.
• CVE-2024-10644 (CVSS: 9.1): A code injection vulnerability in ICS (before 22.7R2.4) and IPS (before 22.7R1.3). This allows a remote authenticated attacker with administrative privileges to execute arbitrary commands on the system, potentially resulting in complete system control.

These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-Party Risk Management (TPRM) professionals should be concerned due to the following reasons:

• Remote Code Execution Risks: Exploitation of these vulnerabilities could allow attackers to execute arbitrary code or commands, leading to unauthorized access, data breaches, and potential lateral movement within the network.
• Privilege Escalation: Attackers with low-level access could exploit these flaws to escalate privileges, gaining administrative control over critical systems.
• Supply Chain Impact: Vendors utilizing vulnerable versions of ICS and IPS may inadvertently expose connected organizations to security risks, emphasizing the importance of assessing third-party security postures.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To assess vendor exposure, TPRM professionals should inquire:

1. Which versions of Ivanti Connect Secure and Ivanti Policy Secure are currently deployed within your environment?
2. Have the identified vulnerabilities (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644) been remediated by updating to the latest recommended versions?
3. What measures are in place to monitor and detect potential exploitation attempts related to these vulnerabilities?
4. Is multi-factor authentication (MFA) enabled for all administrative access to these systems?

Remediation Recommendations for Vendors Subject to This Risk

To mitigate the risks associated with these vulnerabilities, vendors should:

✔ Update to Patched Versions:

• For Ivanti Connect Secure, upgrade to version 22.7R2.6 or later.
• For Ivanti Policy Secure, upgrade to version 22.7R1.3 or later.

✔ Restrict Administrative Privileges:

• Limit administrative access to essential personnel.
• Enforce principle of least privilege to reduce risk.

✔ Implement Multi-Factor Authentication (MFA):

• Ensure MFA is enabled for all administrative and remote access.

✔ Monitor System Logs:

• Regularly review logs for unusual activities or signs of attempted exploitation.

✔ Apply Security Best Practices:

• Follow Ivanti’s security guidelines to mitigate risks associated with authenticated users.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.

• The FocusTag™ provides detailed information on vendors potentially affected by these vulnerabilities.
• Black Kite’s asset intelligence helps identify IP addresses and subdomains hosting vulnerable instances.
• This enables TPRM teams to proactively assess and address risks associated with these vulnerabilities.

CVE-2025-25064: Zimbra Collaboration SQL Injection Vulnerability

Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.

What is CVE-2025-25064?

CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2025-25064?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-25064?

To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:

1. Have you updated all instances of Zimbra Collaboration to versions 10.0.12 or 10.1.4, where CVE-2025-25064 has been patched?
2. Can you confirm if you have implemented access restrictions to the ZimbraSync Service SOAP endpoint to trusted networks and users as recommended?
3. Have you deployed Web Application Firewalls (WAFs) to detect and block SQL injection attempts targeting Zimbra Collaboration?
4. Do you regularly monitor server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service?

Remediation Recommendations for Vendors

Vendors using affected Zimbra Collaboration products should:

• Update Software: Upgrade to Zimbra Collaboration versions 10.0.12 or 10.1.4, where this vulnerability has been addressed.
• Restrict Access: Limit access to the ZimbraSync Service SOAP endpoint to trusted networks and users to minimize potential exploitation vectors.
• Implement Web Application Firewalls (WAF): Deploy WAFs to detect and block SQL injection attempts and other malicious activities targeting web applications.
• Monitor Logs: Regularly review server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.

CVE-2025-22604: Critical Remote Code Execution Vulnerability in Cacti

Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.

What is the Cacti Remote Code Execution Vulnerability?

CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of proof of exploitation at the moment.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.

What Questions Should TPRM Professionals Ask Vendors About CVE-2025-22604?

To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:

1. Have you identified any instances of Cacti within your infrastructure that are affected by CVE-2025-22604?
2. If so, have you updated all affected Cacti installations to version 1.2.29 or later to mitigate this vulnerability?
3. What measures have you implemented to restrict SNMP access to trusted users and networks?
4. Do you regularly monitor system logs and SNMP activity for unusual or unauthorized actions?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:

• Upgrade Cacti: Update all Cacti installations to version 1.2.29 or later, as this version addresses the vulnerability.
• Restrict SNMP Access: Limit SNMP access to trusted users and networks to reduce potential attack vectors.
• Monitor Systems: Regularly review system logs and SNMP activity for any unusual or unauthorized actions.
• Review Permissions: Ensure that only necessary personnel have device management permissions within Cacti.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:

✅ Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action.
✅ Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively.
✅ Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities.
✅ Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.

By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
• Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
• Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
• FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
• QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
• Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
• W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
• Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
• Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
• SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0108

https://nvd.nist.gov/vuln/detail/CVE-2025-0110

https://security.paloaltonetworks.com/CVE-2025-0108

https://security.paloaltonetworks.com/CVE-2025-0110

https://securityonline.info/cve-2025-0108-cve-2025-0110-palo-alto-networks-fixes-high-severity-pan-os-vulnerabilities

https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US

https://forums.ivanti.com/s/article/KB29805?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2025-22467

https://nvd.nist.gov/vuln/detail/CVE-2024-10644

https://securityonline.info/cve-2025-22467-cvss-9-9-ivanti-connect-secure-vulnerability-allows-remote-code-execution

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://nvd.nist.gov/vuln/detail/CVE-2025-25064

https://securityonline.info/cve-2025-25064-cvss-9-8-critical-sql-injection-bug-in-zimbra-collaboration

https://nvd.nist.gov/vuln/detail/CVE-2025-22604

https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36

https://securityonline.info/cve-2025-22604-cvss-9-1-remote-code-execution-flaw-in-cacti-poc-released

The post Focus Friday: Addressing Third-Party Risks in PAN-OS, Ivanti Connect Secure, Zimbra, and Cacti Vulnerabilities appeared first on Black Kite.

The Israel Defense Forces (IDF) and Lebanese Armed Forces (LAF) redeployed Tuesday in accord with the ceasefire deal that ended the war with Hezbollah -- though Lebanon is formally objecting to Israel retaining a "buffer zone."

The post Israel, Lebanon Redeploy Forces as Ceasefire Holds; ‘Buffer Zone’ in Contention appeared first on Breitbart.

The Republican president had just replaced his unpopular Democratic predecessor.  A top issue for the new commander-in-chief: Ending a foreign war that had dragged on too long.  Looking at the problem with fresh eyes, the Republican made a deal to stop the fighting.  It wasn’t a glorious victory, but it wasn’t a defeat, either.  Most of all, it was an end to the bloodshed, allowing Americans to refocus on peaceful pursuits back home.

The post Pinkerton: Trump Embraces Eisenhower’s Successful Korean Model for Ukraine Peace appeared first on Breitbart.

A new protest movement is gathering strength in Iran, driven by public outrage over the death of 19-year-old Amir Mohammad Khaleghi, an undergraduate business student at the University of Tehran who was robbed and killed near the dormitory last week.

The post Protests Resurge in Iran After Teen Student Killed near Dorm appeared first on Breitbart.

Russia has reportedly freed a second American detained on drug charges, less than a week after releasing teacher Marc Fogel from three years in captivity.

The post Russia Frees Another U.S. Citizen Detained on Drug Charges appeared first on Breitbart.

South Africa has responded to President Donald Trump's criticism of its expropriation legislation and its foreign policy by suggesting that it is prepared to work with Iran and Russia in developing domestic nuclear power plants.

The post In Slap at Trump, South Africa Hints at Nuclear Deals with Iran, Russia appeared first on Breitbart.

The Israel Defense Forces (IDF) will hold five strategic posts inside southern Lebanon to maintain security and surveillance even after withdrawing from the region on Tuesday in accordance with the ceasefire with Hezbollah.

The post Israel To Hold 5 Posts Inside Southern Lebanon to Prevent Attack appeared first on Breitbart.

President Donald Trump met with Marc Fogel’s mother on July 13, 2024, in Butler, Pennsylvania, and vowed to bring her son home if elected, just before an assassination attempt nearly took his life. 

Rep. Mike Kelly, R-Pa., was there for the meeting between Trump and Malphine Fogel before the president took the stage. 

"The president survived the assassination attempt on July 13 in Butler, and he fulfilled his commitment to Mrs. Fogel that he would get her son home," Kelly told Fox News Digital. "It is an incredible, providential story." 

MOTHER OF FREED AMERICAN HOSTAGE MARC FOGEL THANKS PRESIDENT DONALD TRUMP: 'HE KEPT HIS PROMISE'

During the rally, after his meeting with Fogel's mother, Trump was showing off a chart highlighting how illegal immigration skyrocketed under the Biden-Harris administration. As he turned toward the chart, he was hit by a bullet that pierced the upper part of his right ear by the now-deceased would-be-assassin, Thomas Matthew Crooks. Trump credits the chart for saving his life. 

Kelly likened the situation to the classic movie "It’s a Wonderful Life." 

"The theme of the movie was that George Bailey was very frustrated, but he was given a glimpse of life and what would have happened if he hadn’t been there – if he hadn’t been born," Kelly recalled. "And if I go back to July 13, this is all providential." 

"Mrs. Fogel has a chance to talk to the president, and she talks about what is happening to Marc. The president vows to get him home," Kelly continued. "It is a take-off of ‘It’s a Wonderful Life’ and the opportunity, or the dilemma, that if you were never born, what would the consequences have been?" 

"If President Trump did not survive the assassination attempt on July 13, Marc Fogel wouldn’t be home today," Kelly said.  

Fogel, an American teacher from Western Pennsylvania, returned to the United States late Tuesday, after Trump secured his release. Fogel was arrested in 2021 at an airport in Russia for possession of medical marijuana and was sentenced to 14 years in a Russian prison. 

AMERICAN MARC FOGEL RELEASED FROM RUSSIAN CUSTODY

Kelly told Fox News Digital that "it is all about faith." 

"Having been there and witnessed it, I think to myself, ‘Oh my goodness, that tiny fraction of an inch, or whatever it was, is the difference between Marc Fogel being home and Marc Fogel not being home,’" he said. "Between making a promise to his mother and being able to keep it, as opposed to making a promise and never getting a chance to fulfill it." 

Malphine Fogel recalled the Butler meeting with Trump on Fox News Channel's "America Newsroom." 

"I met with President Trump, and he was just as cordial as he could be," she said. "He told me three different times, 'If I get in,' he said, 'I'll get him out' and I really think he's been instrumental." 

Malphine Fogel told Fox News that "it was a total surprise" when she heard from her son from the Moscow airport. 

"So, that meant that (they) had taken him out of the prison to Moscow.... The last week or so, for some crazy reason, I had a better feeling about things, but I hadn't heard from him in a week, so I thought that was odd and when he called…  it was just a total shock," she said. 

Meanwhile, Kelly told Fox News Digital, "There is a certain time in people’s lives where you realize you don’t have forever, you have right now, and you need to get it done." 

"Politically, there is no one on either side of the aisle that could look at what happened with Marc Fogel and not somehow say, this is truly providential – this is not a political move," Kelly said. "This doesn’t do anything for the president. He's already elected. He did this to keep a promise to a mother in her mid 90s – the only thing she wanted to see before she died was her son one more time." 

Kelly added: "This is a promise made. Promise kept. It is truly providential. It is. It is a wonderful life." 

Sen. Ron Wyden, D-Ore., and Rep. Andy Biggs, R-Ariz., penned a letter to newly sworn-in Director of National Intelligence Tulsi Gabbard, warning that the United Kingdom's reported new order demanding backdoor Apple data jeopardizes Americans.

The letter, obtained by Fox News Digital, referenced recent press reports that the U.K.’s home secretary "served Apple with a secret order last month, directing the company to weaken the security of its iCloud backup service to facilitate government spying." The directive reportedly requires the company to weaken the encryption of its iCloud backup service, giving the U.K. government the "blanket capability" to access customers’ encrypted files. 

Reports further state that the order was issued under the U.K.’s Investigatory Powers Act 2016, commonly known as the "Snoopers’ Charter," which does not require a judge’s approval. 

"Apple is reportedly gagged from acknowledging that it received such an order, and the company faces criminal penalties that prevent it from even confirming to the U.S. Congress the accuracy of these press reports," Wyden and Biggs note. 

TULSI GABBARD SWORN IN AT WHITE HOUSE HOURS AFTER SENATE CONFIRMATION

The United Kingdom has been increasingly cracking down on British citizens for opposition commentary, especially online posts and memes opposing mass migration. As riots broke out in the U.K. last August after a mass stabbing at a Taylor Swift-themed dance event left three girls dead and others wounded, London's Metropolitan Police chief warned that officials could also extradite and jail U.S. citizens for online posts about the unrest. 

The letter, however, described the threat of China, Russia and other adversaries spying on Americans.

Wyden, who sits on the Senate Intelligence Committee, and Biggs, who chairs a House Judiciary subcommittee on Crime and Federal Government Surveillance, asked Gabbard to "act decisively to protect the security of Americans’ communications from dangerous, shortsighted efforts by the United Kingdom (U.K.) that will undermine Americans’ privacy rights and expose them to espionage by China, Russia and other adversaries." 

The Washington Post was among the outlets to report about the U.K. order. 

"These reported actions seriously threaten the privacy and security of both the American people and the U.S. government," Wyden and Biggs wrote. "Apple does not make different versions of its encryption software for each market; Apple customers in the U.K. use the same software as Americans. If Apple is forced to build a backdoor in its products, that backdoor will end up in Americans’ phones, tablets, and computers, undermining the security of Americans’ data, as well as of the countless federal, state and local government agencies that entrust sensitive data to Apple products." 

The letter also references a Chinese hacking operation known as "Salt Typhoon." Last year, the Biden White House admitted the Chinese hacked at least nine U.S. telecommunications companies. 

"The Salt Typhoon hack of U.S. telephone carriers’ wiretapping systems last year – in which President Trump and Vice President Vance’s calls were tapped by China – provides a perfect example of the dangers of surveillance backdoors," the letter says. "They will inevitably be compromised by sophisticated foreign adversaries and exploited in ways harmful to U.S. national security. As the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI confirmed last November, People’s Republic of China (PRC)-affiliated actors were involved in ‘copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.’" 

TRUMP LANDS KEY TULSI GABBARD CONFIRMATION FOLLOWING UPHILL SENATE BATTLE

"While the U.K has been a trusted ally, the U.S. government must not permit what is effectively a foreign cyberattack waged through political means. If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.," the letter says.

Citing a December 2023 report by the U.K. Parliament’s intelligence oversight committee, the letter states that the U.K. benefits greatly from a "mutual presumption towards unrestricted sharing of [Signals Intelligence]" between the U.S. and U.K. and that "[t]he weight of advantage in the partnership with the [National Security Agency] is overwhelmingly in [the U.K.’s] favour." 

"The bilateral U.S.-U.K. relationship must be built on trust. If the U.K. is secretly undermining one of the foundations of U.S. cybersecurity, that trust has been profoundly breached," Wyden and Biggs wrote. 

At her confirmation hearing, Gabbard stated that "backdoors lead down a dangerous path that can undermine Americans' Fourth Amendment rights and civil liberties." In written responses to senators' questions, she also said, "mandating mechanisms to bypass encryption or privacy technologies undermines user security, privacy, and trust and poses significant risks of exploitation by malicious actors."

"We urge you to put those words into action by giving the U.K. an ultimatum: back down from this dangerous attack on U.S. cybersecurity, or face serious consequences," Wyden and Biggs wrote.

The letter asks Gabbard specifically whether the Trump administration was made aware of the reported order, either by the U.K. or Apple, prior to the press reports and, if so, when and by whom. They also ask what the Trump administration's understanding is of U.K. law "and the bilateral CLOUD Act agreement with regard to an exception to gag orders for notice to the U.S. government." Wyden and Biggs asked what the Trump administration's understanding is "of its obligation to inform Congress and the American public about foreign government demands for U.S. companies to weaken the security of their products, pursuant to the CLOUD Act?" The letter asked that unclassified answers be provided by March 3. 

Fox News Digital reached out to Apple and the White House regarding the letter, but neither immediately responded.

Trump wants to deploy a “next-generation missile defense shield for the United States against ballistic, hypersonic, advanced cruise missiles, and other next-generation aerial attacks,” adding it “will be made all in the USA.”

The post Pinkerton: Trump’s Iron Dome Is About Defending the Homeland appeared first on Breitbart.