Telephone: 1-844-NETIZEN
Tel: 1-844-NETIZEN
Email: team (at) Netizen.net
slider

Netizen Cybersecurity Bulletin (March 27th, 2025)

Posted on 27 Mar 2025 at https://www.Netizen.net/news Source Link: https://blog.netizen.net

Overview:

  • Phish Tale of the Week
  • Alleged Oracle Cloud Breach Sparks Controversy
  • Windows Zero-Day Exposes NTLM Credentials—Unofficial Patch Now Available
  • How can Netizen help?

Phish Tale of the Week

Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, telling us that a new device was added to our Coinbase account, and that it’s imperative that we contact the number below. It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to fall for this phish:

  1. The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I did not recently add any device to my Coinbase account. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
  2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “if this was not you, contact us.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
  3. The final warning sign for this email is the wording; in our case the smisher uses the incomplete sentence “Verification code to add a new device is 156232.” All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


General Recommendations:

phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this month’s Cybersecurity Brief:

Alleged Oracle Cloud Breach Sparks Controversy

Despite Oracle’s denial of a breach in its Oracle Cloud federated SSO login servers, multiple companies have confirmed that data samples shared by the threat actor are valid. The claim, initially made by a threat actor known as ‘rose87168,’ alleges the theft of authentication data and encrypted passwords belonging to 6 million users.

Last week, ‘rose87168’ claimed to have infiltrated Oracle Cloud servers and began selling what they claimed to be authentication data, including SSO and LDAP passwords. The attacker further asserted that the stolen credentials could be decrypted with the information contained in the stolen files. As proof, they offered to share portions of the data with anyone who could assist in recovering the passwords.

The threat actor also released multiple text files, including what appeared to be a database, LDAP data, and a list of 140,621 domains linked to various companies and government agencies. However, some of the domains appear to be test accounts, and multiple domains are associated with single companies, raising questions about the full extent of the breach.

Alongside the leaked data, ‘rose87168’ provided an Archive.org link containing a text file allegedly tied to Oracle’s systems. BleepingComputer analyzed these files and reached out to impacted organizations, some of whom confirmed that the data matches real customer or employee information.

Despite these confirmations, Oracle has maintained that no breach has occurred. The company has yet to publicly address whether an internal investigation is underway or provide further clarification regarding the authenticity of the leaked records.

Security Operations Center (SOC) teams should remain vigilant and take proactive measures in light of this potential breach. Organizations using Oracle Cloud services should:

  • Conduct an immediate review of access logs for any suspicious authentication attempts.
  • Enforce password resets for all users, particularly those with SSO and LDAP access.
  • Strengthen authentication mechanisms by implementing multi-factor authentication (MFA).
  • Monitor threat intelligence sources for further updates on the breach and associated risks.

Until Oracle provides more transparency, SOC teams must assume a heightened security posture to mitigate potential exploitation of compromised credentials.

To read more about this article, click here.

Windows Zero-Day Exposes NTLM Credentials—Unofficial Patch Now Available

A newly discovered Windows zero-day vulnerability allows remote attackers to steal NTLM credentials by simply tricking victims into viewing malicious files in Windows Explorer. This vulnerability, which has not yet been assigned a CVE-ID, affects all Windows versions from Windows 7 to the latest Windows 11 release, as well as Server 2008 R2 through Server 2025.

NTLM authentication has long been a target for attackers due to its susceptibility to relay and pass-the-hash attacks. In these scenarios, threat actors force network devices to authenticate to attacker-controlled servers or use stolen NTLM hashes to impersonate users and gain unauthorized access to systems. Once inside, attackers can move laterally within a network, exfiltrate sensitive data, and escalate privileges.

ACROS Security researchers uncovered this new SCF File NTLM hash disclosure flaw while working on fixes for a separate NTLM vulnerability. The exploit requires minimal user interaction—simply previewing a malicious file in Windows Explorer can trigger the attack, leaking NTLM hashes to a remote adversary.

While Microsoft has yet to release an official fix, ACROS Security has developed a free, unofficial micropatch through its 0patch platform. The micropatch prevents the flaw from being exploited, offering an immediate safeguard for users and organizations concerned about NTLM hash theft.

Microsoft has acknowledged the risks associated with NTLM authentication and has previously announced plans to phase it out in future Windows 11 versions. However, with NTLM still widely used in corporate environments, this new vulnerability underscores the urgent need for organizations to transition to more secure authentication methods, such as Kerberos or modern multifactor authentication solutions.

SOC teams should immediately assess their exposure to this vulnerability and consider deploying the 0patch micropatch as a temporary mitigation. Additionally, organizations should enforce NTLM relay attack mitigations, monitor network traffic for suspicious authentication attempts, and prioritize upgrading authentication protocols to reduce reliance on NTLM.

To read more about this article, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

News and Updates

Sign up to get the latest news and threat briefs:

Get in Touch

Telephone: 1-844-NETIZEN
Email: Team (at) Netizen.net
Office Locations:
Allentown, PA (Headquarters)
 Arlington, VA (DC Region)
 Charleston, SC (Southeast Region)

Connect With Us

    Facebook
    Twitter
    LinkedIn
    Instagram
    GitHub
    YouTube

Copyright © Netizen Corporation. All Rights Reserved.