Tag: Cyber Security

Security experts have been talking about Kerberoasting for over a decade, yet this attack continues to evade typical defense methods. Why? It’s because existing detections rely on brittle heuristics and static rules, which don’t hold up for detecting potential attack patterns in highly variable Kerberos traffic. They frequently generate false positives or miss “low-and-slow” attacks altogether.

Is there a better and more accurate way for modern organizations to detect subtle anomalies within irregular Kerberos traffic? The BeyondTrust research team sought to answer this question by combining security research insights with advanced statistics. This article offers a high-level look into the driving forces behind our research and our process of developing and testing a new statistical framework for improving Kerberos anomaly detection accuracy and reducing false positives.

An Introduction to Kerberoasting Attacks

Kerberoasting attacks take advantage of the Kerberos network authentication protocol within Windows Active Directory environments. The Kerberos authentication process works as follows:

1. AS-REQ: A user logs in and requests a Ticket Granting Ticket (TGT).

2. AS-REP: The Authentication Server verifies the user’s credentials and issues a TGT.

3. TGS-REQ: When the user wants to request access to a service, they request a Ticket Granting Service Ticket (TGS) using the previously received TGT. This action is recorded as Windows Event 4769^[1] on the domain controller.

4. TGS-REP: The TGS verifies the request and issues a TGS, which is encrypted using the password hash of the service account associated with the requested service.

5. KRB-AP-REQ: For the user to authenticate against a service using the TGS ticket, they send it to the application server, which then takes various actions to verify the user’s legitimacy and allow access to the requested service.

Attackers aim to exploit this process because Kerberos service tickets are encrypted with the hash of the service account’s password. To take advantage of Kerberos tickets, attackers first leverage LDAP (Lightweight Directory Access Protocol) to query the directory for any AD accounts that have Service Principal Names (SPNs) associated with them. An attacker will then request Ticket Granting Service (TGS) tickets for these accounts, which can be done without any administrative rights. Once they have requested these service tickets, they can crack the hash offline to uncover the credentials of the service account. Access to a service account can then enable the attacker to move laterally, escalate privileges, or exfiltrate data.

Many organizations have heuristic-based detection methods in place to flag irregular Kerberos behavior. One common method is volume-based detection, which can flag a spike in TGS request activity from a single account. If an attacker requests TGS tickets for all service principal names they can find using LDAP, this detection method will likely identify this spike as suspicious activity. Another method, encryption-type analysis, can detect if an attacker attempts to downgrade the encryption of the requested TGS tickets from the default AES to a weaker type, such as RC4 or DES, in hopes of making their own job easier when they start to crack the hash.

While both of these static rule-based methods can work in some cases, they produce a notorious number of false positives. Additionally, they don’t factor in the user’s behaviors and irregularities unique to each organization’s domain configurations.

A Statistical Model for Detecting Kerberoasting Attacks

With these limitations in mind, the BeyondTrust research team sought to find a method that would both improve anomaly detection capabilities and reduce false positives. We found statistical modeling to be the best method, in which a model would be created that could estimate probability distribution based on contextual data patterns. The ability to predict normal user behavior would be key to flagging any abnormalities.

Our team laid out four constraints for our prospective statistical model, based on existing Kerberoasting research^{[2, 3]}:

1. Explainability: The ability to interpret the output with respect to a recognized, normalized, and easy to explain and track measure.
2. Uncertainty: The ability to reflect sample size and confidence in estimates, as opposed to the output being a simple binary indicator.
3. Scalability: The ability to limit the amount of cloud computing and data storage needed for updating model parameters per run.
4. Nonstationarity: The capacity to adapt to trends or other data changes over time, and incorporating these shifts into how anomalies are defined

The BeyondTrust research team worked to build out a model that aligned with the above constraints, eventually developing a model that groups similar ticket-request patterns into distinct clusters and then uses histogram bins to track the frequency of certain activity levels over time. The goal: to learn what ‘normal’ looks like for each cluster. We aimed to reduce false positives by grouping these like data patterns together, as events that could look suspicious in isolation would become normal when compared to similar data patterns.

Kerberoasting Statistical Model: Results

The team then tested the model across 50 days of data or roughly 1,200 hourly evaluation periods. The model’s results are as follows:

• Consistently achieved processing times under 30 seconds, including histogram updates, clustering operations, score calculations, percentile ranking, and result storage.
• Identified six anomalies with notable temporal patterns, such as uncorrelated spikes in narrow time windows, increased variance, and significant temporary shifts. Two were identified as penetration tests, one was the team’s simulated Kerberoasting attack, and three were related to large changes in Active Directory infrastructure that caused inadvertent spikes in Kerberos service ticket requests.
• Handled extreme variability in heavy-tailed accounts exceptionally well, appropriately down-weighting anomaly scores after observing just two consecutive spikes through dynamic sliding window updates and real-time percentile ranking. This level of adaptability is notably faster than standard anomaly detection methods

After conducting this research, the BeyondTrust research team was able to report early success by combining security expertise with advanced statistical techniques. Because there are inherent limitations of pure anomaly detection methodologies, collaboration between experts in security and data science was necessary for this success. While statisticians can create an adaptive model that takes variable behaviors into consideration, security researchers can offer needed context for identifying notable features within flagged events.

Conclusion

Altogether, this research proves that, even when considering decade-old attack patterns like Kerberoasting, there are clear paths forward in iterating and evolving on detection and response capabilities. Alongside considering the possibilities of novel detection capabilities, such as the ones described in this research, teams should also evaluate proactive identity security measures that reduce Kerberoasting risks before they ever occur.

Some solutions with identity threat detection and response (ITDR) capabilities, such as BeyondTrust Identity Security Insights, can help teams proactively identify accounts that are vulnerable to Kerberoasting due to improper use of service principals and the use of weak ciphers.

Precise, proactive measures, combined with smarter, more context-aware detection models, are essential as security teams continuously work to cut through noise and stay ahead of growing complexity and scale.

About the Authors:

Christopher Calvani, Associate Security Researcher, BeyondTrust

Christopher Calvani is a Security Researcher on BeyondTrust’s research team, where he blends vulnerability research with detection engineering to help customers stay ahead of emerging threats. A recent graduate of the Rochester Institute of Technology with a B.S. in Cybersecurity, Christopher previously supported large‑scale infrastructure at Fidelity Investments as a Systems Engineer intern and advanced DevSecOps practices at Stavvy.

Cole Sodja, Principal Data Scientist, BeyondTrust

Cole Sodja is a Principal Data Scientist at BeyondTrust with over 20 years of applied statistics experience across major technology companies including Amazon and Microsoft. He specializes in time series analysis, bringing deep expertise in forecasting, changepoint detection, and behavioral monitoring to complex business challenges.

Jul 23, 2025Ravie LakshmananSoftware Integrity / DevSecOps

Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks.

“As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers,” Matthew Suozzo, Google Open Source Security Team (GOSST), said in a blog post this week.

The project aims to provide build provenance for packages across the Python Package Index (Python), npm (JS/TS), and Crates.io (Rust) package registries, with plans to extend it to other open-source software development platforms.

With OSS Rebuild, the idea is to leverage a combination of declarative build definitions, build instrumentation, and network monitoring capabilities to produce trustworthy security metadata, which can then be used to validate the package’s origin and ensure it has not been tampered with.

“Through automation and heuristics, we determine a prospective build definition for a target package and rebuild it,” Google said. “We semantically compare the result with the existing upstream artifact, normalizing each one to remove instabilities that cause bit-for-bit comparisons to fail (e.g., archive compression).”

Once the package is reproduced, the build definition and outcome is published via SLSA Provenance as an attestation mechanism that allows users to reliably verify its origin, repeat the build process, and even customize the build from a known-functional baseline.

In scenarios where automation isn’t able to fully reproduce the package, OSS Rebuild offers a manual build specification that can be used instead.

OSS Rebuild, the tech giant noted, can help detect different categories of supply chain compromises, including –

• Published packages that contain code not present in the public source repository (e.g., @solana/web3.js)
• Suspicious build activity (e.g., tj-actions/changed-files)
• Unusual execution paths or suspicious operations embedded within a package that are challenging to identify through manual review (e.g., XZ Utils)

Besides securing the software supply chain, the solution can improve Software Bills of Materials (SBOMs), speed up vulnerability response, strengthen package trust, and eliminate the need for CI/CD platforms to be in charge of an organization’s package security.

“Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions,” Google said. “When successful, build attestations are published for the upstream artifacts, verifying the integrity of the upstream artifact and eliminating many possible sources of compromise.”

Jul 23, 2025Ravie LakshmananVulnerability / Software Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are listed below –

• CVE-2025-2775 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives
• CVE-2025-2776 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives

Both shortcomings were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott back in May, alongside CVE-2025-2777 (CVSS score: 9.3), a pre-authenticated XXE within the /lshw endpoint.

The three vulnerabilities were addressed by SysAid in the on-premise version 24.4.60 build 16 released in early March 2025.

The cybersecurity firm noted that the vulnerabilities could allow attackers to inject unsafe XML entities into the web application, resulting in a Server-Side Request Forgery (SSRF) attack, and in some cases, remote code execution when chained with CVE-2024-36394, a command injection flaw revealed by CyberArk last June.

It’s currently not known how CVE-2025-2775 and CVE-2025-2776 are being exploited in real-world attacks. Nor is any information available regarding the identity of the threat actors, their end goals, or the scale of these efforts.

To safeguard against the active threat, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by August 12, 2025.

Jul 23, 2025Ravie LakshmananVulnerability / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by July 23, 2025.

“CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers,” the agency said in an updated advisory.

The inclusion of the two shortcomings, a spoofing vulnerability and a remote code execution vulnerability collectively tracked as ToolShell, to the KEV catalog comes after Microsoft revealed that Chinese hacking groups like Linen Typhoon and Violet Typhoon leveraged these flaws to breach on-premises SharePoint servers since July 7, 2025.

As of writing, the tech giant’s own advisories only list CVE-2025-53770 as being exploited in the wild. What’s more, it describes the four flaws as below –

• CVE-2025-49704 – SharePoint Remote Code Execution
• CVE-2025-49706 – SharePoint Post-auth Remote Code Execution
• CVE-2025-53770 – SharePoint ToolShell Authentication Bypass and Remote Code Execution
• CVE-2025-53771 – SharePoint ToolShell Path Traversal

The fact that CVE-2025-53770 is both an authentication bypass and a remote code execution bug indicates that CVE-2025-53771 is not necessary to build the exploit chain. CVE-2025-53770 and CVE-2025-53771 are assessed to be patch bypasses for CVE-2025-49704 and CVE-2025-49706, respectively.

“The root cause [of CVE-2025-53770] is a combination of two bugs: An authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704),” the Akamai Security Intelligence Group said.

When reached for comment regarding the exploitation status of CVE-2025-53771 and other flaws, a Microsoft spokesperson told The Hacker News that the information published in its advisories is correct “at the time of original publication” and that it does not typically update post-release.

“Microsoft also assists CISA with the Known Exploited Vulnerabilities Catalog which provides regularly updated information on exploited vulnerabilities,” the spokesperson added.

The development comes as watchTowr Labs told the publication that it has internally devised a method exploiting CVE-2025-53770 such that it bypasses Antimalware Scan Interface (AMSI), a mitigation step outlined by Microsoft to prevent unauthenticated attacks.

“This has allowed us to continue identifying vulnerable systems even after mitigations like AMSI have been applied,” watchTowr CEO Benjamin Harris said. “AMSI was never a silver bullet, and this outcome was inevitable. But we’re concerned to hear that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea.”

“Now that exploitation has been linked to nation-state actors, it would be naive to think they could leverage a SharePoint zero-day but somehow not bypass AMSI. Organizations must patch. Should go without saying – all the public PoCs will trigger AMSI, and mislead organizations into believing the mitigations are comprehensive/the host is no longer vulnerable. This would be incorrect.”

Jul 22, 2025Ravie LakshmananVulnerability / Threat Intelligence

Microsoft has formally tied the exploitation of security flaws in internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon as early as July 7, 2025, corroborating earlier reports.

The tech giant said it also observed a third China-based threat actor, which it tracks as Storm-2603, weaponizing the flaws as well to obtain initial access to target organizations.

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the tech giant said in a report published today.

A brief description of the threat activity clusters is below –

• Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), which is active since 2012 and has been previously attributed to malware families like SysUpdate, HyperBro, and PlugX
• Violet Typhoon (aka APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), which is active since 2015 and has been previously attributed attacks targeting the United States, Finland, and Czechia
• Storm-2603, a suspected China-based threat actor that has deployed Warlock and LockBit ransomware in the past

The vulnerabilities, which affect on-premises SharePoint servers, have been found to leverage incomplete fixes for CVE-2025-49706, a spoofing flaw, and CVE-2025-49704, a remote code execution bug. The bypasses have been assigned the CVE identifiers CVE-2025-53771 and CVE-2025-53770, respectively.

In the attacks observed by Microsoft, the threat actors have been found exploiting on-premises SharePoint servers through a POST request to the ToolPane endpoint, resulting in an authentication bypass and remote code execution.

As disclosed by other cybersecurity vendors, the infection chains pave the way for the deployment of a web shell named “spinstall0.aspx” (aka spinstall.aspx, spinstall1.aspx, or spinstall2.aspx) that allows the adversaries to retrieve and steal MachineKey data.

Cybersecurity researcher Rakesh Krishnan said “three distinct Microsoft Edge invocations were identified” during forensic analysis of a SharePoint exploit. This includes Network Utility Process, Crashpad Handler, and GPU Process.

“Each serves a unique function within Chromium’s architecture, yet collectively reveals a strategy of behavioral mimicry and sandbox evasion,” Krishnan noted, while also calling attention to the web shell’s use of Google’s Client Update Protocol (CUP) to “blend malicious traffic with benign update checks.”

To mitigate the risk posed by the threat, it’s essential that users apply the latest update for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.

It’s also recommended to integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or similar solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode.

“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” Microsoft said.

While the confirmation from Microsoft is the latest hacking campaign linked to China, it is also the second time Beijing-aligned threat actors have targeted the Windows maker. In March 2021, the adversarial collective tracked as Silk Typhoon (aka Hafnium) was tied to a mass-exploitation activity that leveraged multiple then-zero-days in Exchange Server.

Earlier this month, a 33-year-old Chinese national, Xu Zewei, was arrested in Italy and charged with carrying out cyber attacks against American organizations and government agencies by weaponizing the Microsoft Exchange Server flaws, which came to be known as ProxyLogon.

Mexican organizations are still being targeted by threat actors to deliver a modified version of AllaKore RAT and SystemBC as part of a long-running campaign.

The activity has been attributed by Arctic Wolf Labs to a financially motivated hacking group called Greedy Sponge. It’s believed to be active since early 2021, indiscriminately targeting a wide range of sectors, such as retail, agriculture, public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking.

“The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud,” the cybersecurity company said in an analysis published last week.

Details of the campaign were first documented by the BlackBerry Research and Intelligence Team (which is now part of Arctic Wolf) in January 2024, with the attacks employing phishing or drive-by compromises to distribute booby-trapped ZIP archives that ultimately facilitate the deployment of AllaKore RAT.

Attack chains analyzed by Arctic Wolf show that the remote access trojan is designed to optionally deliver secondary payloads like SystemBC, a C-based malware that turns compromised Windows hosts into SOCKS5 proxies to allow attackers to communicate with their C2 servers.

Besides dropping potent proxy tools, Greedy Sponge has also refined and updated its tradecraft to incorporate improved geofencing measures as of mid-2024 in an attempt to thwart analysis.

“Historically, geofencing to the Mexican region took place in the first stage, via a .NET downloader included in the trojanized Microsoft software installer (MSI) file,” the company said. “This has now been moved server-side to restrict access to the final payload.”

The latest iteration sticks to the same approach as before, distributing ZIP files (“Actualiza_Policy_v01.zip”) containing a legitimate Chrome proxy executable and a trojanized MSI file that’s engineered to drop AllaKore RAT, a malware with capabilities for keylogging, screenshot capture, file download/upload, and remote control.

The MSI file is configured to deploy a .NET downloader, which is responsible for retrieving and launching the remote access trojan from an external server (“manzisuape[.]com/amw”), and a PowerShell script for cleanup actions.

This is not the first time AllaKore RAT has been used in attacks targeting Latin America. In May 2024, HarfangLab and Cisco Talos revealed that an AllaKore variant known as AllaSenha (aka CarnavalHeist) has been used to single out Brazilian banking institutions by threat actors from the country.

“Having spent those four years-plus actively targeting Mexican entities, we would deem this threat actor persistent, but not particularly advanced,” Arctic Wolf said. “The strictly financial motivation of this actor coupled with their limited geographic targeting is highly distinctive.”

“Additionally, their operational longevity points to probable operational success – meaning they’ve found something that works for them, and they are sticking with it. Greedy Sponge has held the same infrastructure models for the duration of their campaigns.”

Attack Flow of Campaign Using Ghost Crypt

The development comes as eSentire detailed a May 2025 phishing campaign that employed a new crypter-as-a-service offering known as Ghost Crypt to deliver and run PureRAT.

“Initial access was gained through social engineering, where the threat actor impersonated a new client and sent a PDF containing a link to a Zoho WorkDrive folder containing malicious zip files,” the Canadian company noted. “The attacker also created a sense of urgency by calling the victim and requesting that they extract and execute the file immediately.”

Further examination of the attack chain has revealed that the malicious file contains a DLL payload that’s encrypted with Ghost Crypt, which then extracts and injects the trojan (i.e., the DLL) into a legitimate Windows csc.exe process using a technique called process hypnosis injection.

Ghost Crypt, which was first advertised by an eponymous threat actor on cybercrime forums on April 15, 2025, offers the ability to bypass Microsoft Defender Antivirus, and serve several stealers, loaders, and trojans like Lumma, Rhadmanthys, StealC, BlueLoader, PureLoader, DCRat, and XWorm, among others.

The discovery also follows the emergence of a new version of Neptune RAT (aka MasonRAT) that’s distributed via JavaScript file lures, allowing the threat actors to extract sensitive data, take screenshots, log keystrokes, drop clipper malware, and download additional DLL payloads.

In recent months, cyber attacks have employed malicious Inno Setup installers that serve as a conduit for Hijack Loader (aka IDAT Loader), which then delivers the RedLine information stealer.

The attack “leverages Inno Setup’s Pascal scripting capabilities to retrieve and execute the next-stage payload in a compromised or targeted host,” the Splunk Threat Research Team said. “This technique closely resembles the approach used by a well-known malicious Inno Setup loader called D3F@ck Loader, which follows a similar infection pattern.”

Jul 22, 2025Ravie LakshmananNetwork Security / Vulnerability

Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation.

“In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild,” the company said in an alert.

The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity.

Cisco ISE plays a central role in network access control, managing which users and devices are allowed onto corporate networks and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, bypassing authentication controls and logging mechanisms—turning a policy engine into an open door.

The vulnerabilities outlined in the alert are all critical-rated bugs (CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user –

• CVE-2025-20281 and CVE-2025-20337 – Multiple vulnerabilities in a specific API that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root
• CVE-2025-20282 – A vulnerability in an internal API that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root

While the first two flaws are the result of insufficient validation of user-supplied input, the latter stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system.

As a result, an attacker could leverage these shortcomings by submitting a crafted API request (for CVE-2025-20281 and CVE-2025-20337) or uploading a crafted file to the affected device (for CVE-2025-20282).

In light of active exploitation, it’s essential that customers upgrade to a fixed software release as soon as possible to remediate these vulnerabilities. These flaws are exploitable remotely without authentication, placing unpatched systems at high risk of pre-auth remote code execution—a top-tier concern for defenders managing critical infrastructure or compliance-driven environments.

Security teams should also review system logs for suspicious API activity or unauthorized file uploads, especially in externally exposed deployments.

Making the move from managing a security operations center (SOC) to being a chief information security officer (CISO) is a significant career leap. Not only do you need a solid foundation of tech knowledge but also leadership skills and business smarts.

This article will guide you through the practical steps and skills you’ll need to nab an executive cybersecurity job and make the promotion from SOC manager to CISO a reality.

Is the CISO role right for you?

It’s always a good idea to think about how you could move up and grow in your career. Aspiring to be a CISO can be a great career move.

Additionally, certain operational tasks in cybersecurity, especially in a SOC, are becoming increasingly automated, making it vital to develop strategic and leadership skills to stay ahead. Having ambitious goals helps you, as a SOC analyst or lead, stay relevant and valuable in what is a constantly changing field.

However, the role of CISO is significantly different from other roles in cybersecurity and comes with its own set of challenges. So, while it is a good option, it’s not the only path and might not suit everyone’s strengths and career goals. It’s my hope that this article will lay out what being a CISO is all about so you can determine if it’s the path you want to take.

Key skills for executive growth

For those looking to take on executive and leadership roles like CISO, it’s essential to develop skills beyond the scope of your typical IT role.

Having a comprehensive IT background is a significant advantage, especially when it comes to security vulnerabilities and how to respond to incidents. But you can’t focus solely on technical expertise at the expense of vital leadership, communication, and strategic thinking skills needed for the position of CISO.

Remember: You’ll have to relay complex security matters to stakeholders outside IT, and do so in a way that they can easily understand the issues at stake.

Let’s break down areas you’ll need for the role of executive.

Strategic thinking

Strategic thinking demands a firm grip on the organization’s core operations, particularly how it generates revenue and its key value streams. This perspective allows security professionals to align their efforts with business objectives, rather than operating in isolation.

Business acumen

This is related to strategic thinking but emphasizes knowledge of risk management and finance. Security leaders must factor in financial impacts to justify security investments and manage risks effectively.

Balancing security measures with user experience and system availability is another critical aspect. If security policies are too strict, productivity can suffer; if they’re too permissive, the company can be exposed to threats. Decisions must consider the impact of security actions on the broader business environment.

Exposure to legal aspects, such as data privacy laws and intellectual property rights, broadens the perspective necessary for the CISO role and interactions with both external and internal bodies such as the GRC within your organization. Here, formal education, including a degree in computer science or cybersecurity, combined with continuous learning via industry courses and certifications, strengthens your expertise; it also prepares you for leadership responsibilities and demonstrates your readiness to take on the challenges that come with the job.

Practical advice for career transition

To successfully transition and advance your cybersecurity career, you’ll need to take concrete strategic steps toward a CISO role.

Gaining visibility, building influence, and getting promoted

To advance your cybersecurity career, make your value known. Share your contributions and accomplishments, both within your team and also with other departments and leadership.

When presenting data, make it actionable by showing how the information drives improvements and supports business goals via tactical metrics and simple language. Also, actively look for opportunities to contribute to broader initiatives and offer solutions to challenges that extend beyond your current role and responsibilities.

To set yourself apart as someone ready for a promotion to the executive level, take initiative and demonstrate a willingness to lead.

Avoiding common pitfalls

One common mistake is to communicate based on your or another person’s assumptions. Always verify information, and remember, opinions are not facts.

Another pitfall is believing your angle or viewpoint is the only correct one. Other perspectives exist and hold value.

As much as possible, embrace a collaborative approach, focused on building consensus and defining the right direction rather than prioritizing speed. This means engaging in open discussions, listening to feedback, and working towards a shared understanding. This will yield a stronger foundation for initiatives and avoid potential disagreements or misinterpretations down the road.

What exactly does being a CISO entail?

To succeed at the executive level, you need to be aware of the nuances of the CISO job, expectations depending on your company’s structure, and the different roles you’ll have to fulfill before being entrusted with the title of CISO.

Who does your CISO report to?

The reporting structure of a chief information security officer varies widely across organizations. Often, the CISO reports to the chief information officer (CIO). In this structure, security is seen as a subset of IT, focusing on the technical aspects of protecting data and systems.

However, as cybersecurity risks become more business-critical, CISOs are increasingly reporting to the chief financial officer (CFO) or the chief risk officer (CRO). Reporting to the CFO emphasizes the financial impact of security breaches and the need for risk-based security investments. But if you’re reporting to the CRO, you’ll need to highlight the enterprise-wide risk management perspective, ensuring security is integrated into broader organizational risk strategies.

The reporting line significantly influences the CISO’s priorities and scope of authority, reflecting a company’s overall security maturity and approach to risk. It’s a good idea to consider your own company’s structure and how it aligns with your career goals and potential advancement.

What changes at the top: Roles & expectations

Transitioning from a technical lead to an executive role like CISO entails a complete shift in expectations.

As a technical lead, the focus is primarily on hands-on implementation, troubleshooting, and technical problem-solving. At the executive level, the emphasis shifts to strategy, leadership, and business alignment.

CISOs are expected to develop and execute a comprehensive security strategy that protects the organization’s assets while enabling business operations. This is where decision-making becomes more strategic, requiring CISOs to balance risk mitigation with business objectives.

They must also effectively communicate technical risks to senior management in terms of their business impact. This covers everything from budgeting and policy development to regulatory compliance and security team management.

Key roles & responsibilities above technical lead

Advancement from technical lead to CISO involves several intermediate roles; each one has distinct responsibilities and demands a higher level of leadership, strategic thinking, and business savvy.

A SOC manager oversees the daily operations of the security operations center. That means making sure incident detection and response are efficient and effective. Responsibilities here include managing staff, developing processes, and reporting on metrics.

A director of security typically has a broader scope, handling multiple security functions like network security, application security, and vulnerability management. Directors develop security programs, manage budgets, and ensure compliance with regulations.

The CISO is the top security executive, responsible for the overall security strategy and posture of the organization. They align security with business goals, manage risk, and communicate with executive leadership.

Becoming a CISO is a progressive journey of developing skills and taking on broader responsibilities.

Summary and key takeaways

The journey from a SOC analyst or manager to CISO is a significant undertaking. You’re not just becoming a better expert but evolving into a leader who can align security with business objectives.

Embracing a leadership mindset involves more than just managing tasks. You need to inspire teams, influence stakeholders, and drive strategic decisions. All of this takes communication skills, strategic thinking, and business acumen to manage risks effectively and communicate complex technical information in simple terms.

Be proactive in seeking visibility and influence within your organization and avoid common pitfalls like making assumptions and prioritizing speed over consensus.

Finally, understand the reporting structure and evolving expectations of a CISO. By setting long-term goals and embracing a leadership mindset, you can successfully navigate the transition to a CISO and thrive in what is both a challenging and rewarding role.

Adaptive AI for the SOC

Interested in learning how you can build a modern SOC that focuses your analysts on real threats, eliminating false positives and alert fatigue? Radiant Security’s adaptive AI SOC platform can autonomously triage ALL alert types (without any pre-training required), dynamically generating a tailored response for every threat that can be reviewed by human analysts and implemented in 1 click or automatically.

To see Radiant in action, book a demo here.

Jul 18, 2025Ravie LakshmananMalware / Vulnerability

Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.

According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory.

CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in February 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code.

While both vulnerabilities have been weaponized in the wild as zero-days, previous findings from JPCERT/CC in April have revealed that the first of the two issues had been abused to deliver malware families like SPAWNCHIMERA and DslogdRAT.

The latest analysis of the attacks involving ICS vulnerabilities has unearthed the use of DLL side-loading techniques to launch MDifyLoader that includes an encoded Cobalt Strike beacon payload. The beacon has been identified as version 4.5, which was released in December 2021.

“MDifyLoader is a loader created based on the open-source project libPeConv,” JPCERT/CC researcher Yuma Masubuchi said. “MDifyLoader then loads an encrypted data file, decodes Cobalt Strike Beacon, and runs it on memory.”

Also put to use is a Go-based remote access tool named VShell and another open-source network scanning utility written in Go called Fscan. It’s worth noting that both programs have been adopted by various Chinese hacking groups in recent months.

The execution flow of Fscan

Fscan has been found to be executed by means of a loader, which, in turn, is launched using DLL side-loading. The rogue DLL loader is based on the open-source tool FilelessRemotePE.

“The used VShell has a function to check whether the system language is set to Chinese,” JPCERT/CC said. “The attackers repeatedly failed to execute VShell, and it was confirmed that each time they had installed a new version and attempted execution again. This behavior suggests that the language-checking function, likely intended for internal testing, was left enabled during deployment.”

Upon gaining a foothold into the internal network, the attackers are said to have carried out brute-force attacks against FTP, MS-SQL, and SSH servers and leveraged the EternalBlue SMB exploit (MS17-010) in an attempt to extract credentials and laterally move across the network.

“The attackers created new domain accounts and added them to existing groups, allowing them to retain access even if previously acquired credentials were revoked,” Masubuchi said.

“These accounts blend in with normal operations, enabling long-term access to the internal network. Additionally, the attackers registered their malware as a service or a task scheduler to maintain persistence, ensuring it would run at system startup or upon specific event triggers.”

Update

Following the publication of the story, an Ivanti spokesperson shared the below statement with The Hacker News –

These vulnerabilities were previously identified and patched by Ivanti. Customers that are on the latest version of Ivanti Connect Secure are not vulnerable.

CVE-2025-22457 was patched by Ivanti in February 2025. It is an N-Day that only affected unpatched or older versions of Ivanti products, including a Pulse Connect Secure version that is no longer supported.

CVE-2025-0282 was patched in January. Customers who patched and followed Ivanti’s instructions at the time have addressed this vulnerability.

The security and protection of our customers remain our top priority, and Ivanti strongly encourages customers to remain on the latest version of a solution so they can benefit from important security and product enhancements.

(The story was updated after publication to include a response from Ivanti. The article was updated to correct that patches for CVE-2025-22457 were first available in February 2025, and not April as previously stated. It’s worth noting that the flaw was only publicly disclosed in April.)

The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research.

The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.

Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428).

“We’re witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk,” Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, told The Hacker News.

“Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7. We strongly urge enterprises to update their security systems immediately – this campaign is both sophisticated and fast-moving.”

The attack chains have been observed leveraging CVE-2025-53770, a newly patched remote code execution flaw in SharePoint Server, and chaining it with CVE-2025-49706, a spoofing vulnerability that was patched by Microsoft as part of its July 2025 Patch Tuesday update, to gain initial access and escalate privileges.

It’s worth mentioning at this stage that there are two sets of vulnerabilities in SharePoint that have come to light this month –

• CVE-2025-49704 (CVSS score: 8.8) – Microsoft SharePoint Remote Code Execution Vulnerability (Fixed on July 8, 2025)
• CVE-2025-49706 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability (Fixed on July 8, 2025)

• CVE-2025-53770 (CVSS score: 9.8) – Microsoft SharePoint Server Remote Code Execution Vulnerability
• CVE-2025-53771 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability

CVE-2025-49704 and CVE-2025-49706, collectively referred to as ToolShell, is an exploitation chain that can lead to remote code execution on SharePoint Server instances. They were originally disclosed by Viettel Cyber Security during the Pwn2Own 2025 hacking competition earlier this May.

CVE-2025-53770 and CVE-2025-53771, which came to light over the weekend, have been described as variants of CVE-2025-49704 and CVE-2025-49706, respectively, indicating that they are bypasses for the original fixes put in place by Microsoft earlier this month.

This is evidenced by the fact that Microsoft acknowledged active attacks exploiting “vulnerabilities partially addressed by the July Security Update.” The company also noted in its advisories that the updates for CVE-2025-53770 and CVE-2025-53771 include “more robust protections” than the updates for CVE-2025-49704 and CVE-2025-49706. However, it bears noting that CVE-2025-53771 has not been flagged by Redmond as actively exploited in the wild.

“CVE-2025-53770 exploits a weakness in how Microsoft SharePoint Server handles the deserialization of untrusted data,” Martin Zugec, technical solutions director at Bitdefender, said. “Attackers are leveraging this flaw to gain unauthenticated remote code execution.”

This, in turn, is achieved by deploying malicious ASP.NET web shells that programmatically extract sensitive cryptographic keys. These stolen keys are subsequently leveraged to craft and sign malicious __VIEWSTATE payloads, thereby establishing persistent access and enabling the execution of arbitrary commands on SharePoint Server.

According to Bitdefender telemetry, in-the-wild exploitation has been detected in the United States, Canada, Austria, Jordan, Mexico, Germany, South Africa, Switzerland, and the Netherlands, suggesting widespread abuse of the flaw.

Palo Alto Networks Unit 42, in its own analysis of the campaign, said it observed commands being run to execute a Base64-encoded PowerShell command, which creates a file at the location “C:PROGRA~1COMMON~1MICROS~1WEBSER~116TEMPLATELAYOUTSspinstall0.aspx” and then parses its content.

“The spinstall0.aspx file is a web shell that can execute various functions to retrieve ValidationKeys, DecryptionKeys, and the CompatabilityMode of the server, which are needed to forge ViewState Encryption keys,” Unit 42 said in a threat brief.

Content of spinstall0.aspx

In an advisory issued Monday, SentinelOne said it first detected exploitation on July 17, with the cybersecurity company identifying three “distinct attack clusters,” including state-aligned threat actors, engaging in reconnaissance and early-stage exploitation activities.

Targets of the campaigns include technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations.

“The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access,” researchers Simon Kenin, Jim Walter, and Tom Hegel said.

Analysis of the attack activity has revealed the use of a password-protected ASPX web shell (“xxx.aspx”) on July 18, 2025, at 9:58 a.m. GMT. The web shell supports three functions: Authentication via an embedded form, command execution via cmd.exe, and file upload.

Subsequent exploitation efforts have been found to employ the “spinstall0.aspx” web shell to extract and expose sensitive cryptographic material from the host.

Spinstall0.aspx is “not a traditional command webshell but rather a reconnaissance and persistence utility,” the researchers explained. “This code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings — information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens.”

Unlike other web shells that are typically dropped on internet-exposed servers to facilitate remote access, spinstall0.aspx appears to be designed with the sole intention of gathering cryptographic secrets that could then be used to forge authentication or session tokens across SharePoint instances.

These attacks, per CrowdStrike, commence with a specially crafted HTTP POST request to an accessible SharePoint server that attempts to write spinstall0.aspx via PowerShell, per CrowdStrike. The company said it blocked hundreds of exploitation attempts across more than 160 customer environments.

SentinelOne also discovered a cluster dubbed “no shell” that took a “more advanced and stealthy approach” to other threat actors by opting for in-memory .NET module execution without dropping any payloads on disk. The activity originated from the IP address 96.9.125[.]147.

“This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques,” the company said, positing that it’s either a “skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting.”

It’s currently not known who is behind the attack activity, although Google-owned Mandiant has attributed the early-exploitation to a China-aligned hacking group.

Data from Censys shows that there are 9,762 on-premises SharePoint servers online, although it’s currently not known if all of them are susceptible to the flaws. Given that SharePoint servers are a lucrative target for threat actors due to the nature of sensitive organizational data stored in them, it’s essential that users move quickly to apply the fixes, rotate the keys, and restart the instances.

“We assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor,” Charles Carmakal, CTO, Mandiant Consulting at Google Cloud, said in a post on LinkedIn. “We’re aware of victims in several sectors and global geographies. The activity primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied.”