Overview:

• Phish Tale of the Week
• Iranian Hackers Maintain Long-Term Access to Middle East CNI via VPN Exploits and Malware
• Citrix Bleed 2 and SAP GUI Flaws: Critical Vulnerabilities Expose Sensitive Data
• How can Netizen help?

---

Phish Tale of the Week

Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, telling us that our Coinbase account was logged in from Belgium, and we need to call support. It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to fall for this phish:

1. The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I do not have a Coinbase account. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
2. The second warning signs in this email is the messaging. This message tries to create a sense of urgency in order to get you to take action by using language such as “logging in from Belgium.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
3. The final warning sign for this email is the wording; in our case the smisher suggests we call a random number, something that Coinbase support would never do. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.

General Recommendations:

A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
2. Verify that the sender is actually from the company sending the message.
3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
4. Do not give out personal or company information over the internet.
5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

---

Cybersecurity Brief

In this month’s Cybersecurity Brief:

Iranian Hackers Maintain Long-Term Access to Middle East CNI via VPN Exploits and Malware

In a report published on May 3, 2025, FortiGuard Incident Response (FGIR) team detailed a significant cyberattack campaign attributed to an Iranian state-sponsored hacker group. This campaign targeted a Middle Eastern Critical National Infrastructure (CNI) entity over a two-year period, from at least May 2023 to February 2025. The attack was marked by extensive espionage and strategic network prepositioning, often used to secure persistent access for future operations.

The threat actor behind the breach has been linked to the Iranian state-sponsored hacking group Lemon Sandstorm (also known as Rubidium, Parisite, Pioneer Kitten, and UNC757). This group has been active since at least 2017 and has targeted multiple sectors across the globe, including aerospace, oil and gas, water, and electricity infrastructure in the U.S., Europe, the Middle East, and Australia. The group’s modus operandi involves exploiting vulnerabilities in VPN technologies and deploying a variety of malware to maintain long-term access.

The cyberattack campaign made use of known vulnerabilities in popular VPN systems, including Fortinet, Pulse Secure, and Palo Alto Networks, to gain initial access to the target’s network. Once inside, the attackers deployed a series of backdoors and malware to maintain persistent access. According to the report, the attack unfolded in multiple stages:

1. Stage 1 (May 2023 – April 2024): The attackers established their foothold by using stolen login credentials to access the victim’s SSL VPN system. They dropped web shells on public-facing servers and deployed three backdoors—Havoc, HanifNet, and HXLibrary—for long-term access.
2. Stage 2 (April 2024 – November 2024): The attackers consolidated their access by planting more web shells and deploying an additional backdoor, NeoExpressRAT. The attackers used tools such as Plink and Ngrok to move deeper into the network, exfiltrating sensitive emails and conducting lateral movements to the virtualization infrastructure.
3. Stage 3 (November 2024 – December 2024): After the victim took containment measures, the attackers responded by deploying additional web shells and backdoors, including MeshCentral Agent and SystemBC.
4. Stage 4 (December 2024 – Present): The attackers attempted to infiltrate the network again by exploiting vulnerabilities in ZKTeco BioTime devices (CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952). They also launched spear-phishing attacks targeting 11 employees to harvest Microsoft 365 credentials after the organization successfully removed the adversary’s access.

The attackers used several malware families throughout the intrusion, including both open-source tools and custom-built malware. Notable among them were:

• Havoc: A C2 backdoor written in C++ and Golang that was injected into a newly created “cmd.exe” process. Havoc supports various commands to control compromised hosts and uses HTTP, HTTPS, and SMB protocols for communication with the C2 server.
• HanifNet: A .NET executable used to retrieve and execute commands from the C2 server. First deployed in August 2023, it helped maintain control over compromised systems.
• HXLibrary: A malicious IIS module that retrieves text files from Google Docs to connect to the C2 server. Deployed in October 2023, it was used to execute commands on the infected systems.
• NeoExpressRAT: A backdoor deployed in August 2024 that retrieves a configuration from the C2 server, likely using Discord for follow-on communications.
• MeshCentral Agent and SystemBC: Deployed as additional backdoors after initial containment efforts, used to maintain access and perform lateral movements within the network.

Other tools included CredInterceptor (for harvesting credentials), RemoteInjector (for loading next-stage payloads), and RecShell (a web shell used for reconnaissance).

A significant aspect of the attack was the targeting of the victim’s restricted Operational Technology (OT) network. While there is no evidence to suggest the OT network was breached, the adversary’s extensive reconnaissance indicates that it was a primary target. The threat actors’ careful, multi-stage exploitation of the network suggests a focused attempt to disrupt OT-adjacent systems that could have led to more severe impacts on the CNI infrastructure.

The attacker’s persistence and ability to avoid detection were notable. The report reveals that throughout the intrusion, the group used multiple proxies and custom implants to bypass network segmentation, a strategy commonly employed to ensure continued access to sensitive systems. In later stages of the attack, the attackers chained together several proxy tools to access internal network segments, demonstrating sophisticated techniques for maintaining long-term access.

In a follow-up report published on June 23, 2025, Fortinet provided additional details about the Havoc C2 framework. This backdoor, written in C++ and Golang, has a modular design that allows for the flexible execution of multiple commands. It supports a variety of functionalities, including process enumeration, lateral movement, and token manipulation. Havoc also enables attackers to inject shellcode into the memory of compromised systems, further enhancing its ability to control infected devices remotely.

To read more about this article, click here.

---

Citrix Bleed 2 and SAP GUI Flaws: Critical Vulnerabilities Expose Sensitive Data

Two recently disclosed vulnerabilities—Citrix Bleed 2 and SAP GUI input history flaws—have raised alarms across the cybersecurity industry, putting sensitive data at risk.

Citrix has patched a critical vulnerability in its NetScaler ADC (Application Delivery Controller) and NetScaler Gateway, tracked as CVE-2025-5777. This flaw, rated CVSS 9.3, allows attackers to bypass authentication protections and potentially steal valid session tokens from memory through malformed requests. This vulnerability affects appliances configured as a Gateway or AAA virtual server.

Discovered by security researcher Kevin Beaumont, this flaw shares similarities with CVE-2023-4966, a high-profile vulnerability that resulted in widespread exploitation two years ago. Citrix has already issued patches for affected versions of NetScaler ADC and NetScaler Gateway, with the updates being available for versions 14.1-43.56 and later. The vulnerability also impacts older NetScaler ADC versions (13.1 and 12.1).

To mitigate the risks, Citrix recommends running commands to terminate all active ICA and PCoIP sessions after the patches have been applied. Additionally, users of unsupported versions (12.1 and 13.0) are urged to upgrade to a supported version, as these versions are now end-of-life (EOL) and no longer receive official support.

While there is no evidence that this vulnerability has been weaponized, Benjamin Harris, CEO at watchTowr, emphasized its severity, comparing it to Citrix Bleed, a vulnerability that caused significant damage in previous years. Harris noted that changes in the CVE description suggest that the vulnerability is more critical than initially understood.

In another cybersecurity alert, vulnerabilities discovered in SAP GUI for both Windows and Java have exposed sensitive information stored locally on devices. Tracked as CVE-2025-0055 and CVE-2025-0056, these vulnerabilities involve the insecure storage of SAP GUI input history. This feature, intended to enhance user efficiency by storing past inputs, inadvertently saved sensitive data, such as usernames, social security numbers, bank account numbers, and internal SAP table names, in an insecure manner.

The flaw exists because SAP GUI for Windows uses weak XOR encryption to store input history in SAPHistory.db files, making it easily decryptable. Meanwhile, SAP GUI for Java stores this information unencrypted as Java serialized objects. Both cases present significant risks, as an attacker with access to the victim’s directory could easily retrieve the sensitive data stored in these files.

The vulnerability is particularly dangerous for environments where attackers can gain administrative privileges or access the user directory, allowing them to exfiltrate valuable data. Pathlock researcher Jonathan Stross warned that data exfiltration can occur through USB Rubber Ducky (HID injection attacks) or phishing tactics.

In response, SAP issued patches in its January 2025 updates, addressing the flaws and recommending that organizations disable input history functionality and delete the historical data files to mitigate potential risks.

For Citrix users, upgrading to the latest supported versions is crucial, as CVE-2025-5777 poses a significant risk of session hijacking. Administrators should also follow Citrix’s recommendations to terminate existing sessions as part of the remediation process. For SAP GUI users, securing local machines and deleting unencrypted input history files is necessary to protect sensitive data from unauthorized access.

For detailed guidance on mitigating these vulnerabilities, organizations should consult Citrix and SAP’s official advisories and consider engaging in regular penetration testing and vulnerability scanning to identify and address security gaps in their infrastructure.

To read more about this article, click here.

---

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

---