Tag: Cyber Security

SaaS Adoption is Skyrocketing, Resilience Hasn’t Kept Pace

SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience.

It doesn’t.

These platforms weren’t built with full-scale data protection in mind. Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage.

Modern organizations are being stretched across:

• Hybrid and multi-cloud environments with decentralized data sprawl
• Complex integration layers between IaaS, SaaS, and legacy systems
• Expanding regulatory pressure with steeper penalties for noncompliance
• Escalating ransomware threats and insider risk
• Shrinking recovery windows and rising expectations for uptime

Built-in protections were never meant to handle this level of complexity, and they rarely do. By the time you realize the gap, the damage is already done.

Why Traditional Protection Falls Short

Too many businesses still rely on outdated, fragmented, or overly simplistic backup strategies. They assume that cloud equals safe; or worse, that native features like recycle bins or version history are “good enough.” But most built-in tools are shallow by design. They prioritize collaboration and performance, not resilience.

And while that’s great for getting work done, it’s not enough to keep your business running when the unexpected hits. Let’s break down the risks.

1. Human Error Is Ubiquitous

Start with a question: What’s the most common reason for data loss in SaaS environments? Simple mistakes. Data loss goes beyond cyberthreats and natural disasters. Files are deleted, syncs are misconfigured, records are overwritten in bulk by well-meaning users, rushed decisions, or miscommunication. These are everyday mistakes caused by trusted employees whose intentions are aligned with yours.

So, data risk is inherently part of owning data. But most SaaS platforms offer limited rollback options, and some don’t cover the specific types of data you actually lost. If you don’t catch the mistake in time, or if the data bypasses the recycle bin entirely, it’s gone; for many mistakes, recovery isn’t as simple as clicking “undo.”

As organizations lean more heavily on SaaS tools for business-critical operations, the cost of these errors rises. One wrong deletion shouldn’t derail a product launch, delay an audit, or disrupt customer service. But without a recovery plan that goes deeper than native tools, that’s exactly what can happen.

2. Legal, Compliance, and Regulatory Risks

Compliance is about proving you can find your data, restore it, and report on it quickly. In 2024, new regulations and smarter attackers raised the stakes even higher. Frameworks like GDPR, HIPAA, SOX, and NIS2 come with real teeth: heavy fines, operational disruption, and reputational damage.

Now, organizations can’t afford to rely on good intentions. They need tools built for full accountability. Unfortunately, most native SaaS platforms don’t give you that level of control or visibility, meaning they don’t meet most regulatory requirements. Retention policies are too short, recovery options too limited, and auditing capabilities too shallow.

Many industries require organizations to retain records for years, not weeks. Staying compliant (and staying in control) requires a real strategy and the right tools to back it up.

3. The True Cost of Data Loss

For some large enterprises, the importance of compliance is understood, but not necessarily prioritized. But, importantly, understand that fines you pay for data loss or noncompliance are just the minimum, mandatory cost. Even for the largest organizations with the heaviest checkbooks, downtime hits hard.

Data loss rarely stays in the IT department. Amid a crisis or serious incident, teams are pulled away from critical projects. Customers grow frustrated with lack of service. Revenue takes a hit as your business simply cannot continue operations. And beyond it all, trust with investors, partners, or the public begins to erode.

Too often, businesses treat data loss as hypothetical. But this landslide can start with a single missing file, record, or user. Ask any team that’s been through it, and you’ll hear, “once is enough.” Whether it was ransomware, accidental deletion, or a failed recovery, the damage is rarely isolated, and the true costs are never foreseen.

4. Internal Threats

Internal threats are some of the most underestimated risks out there, and some of the most damaging. Employees, contractors, and vendors with access to sensitive systems can expose data, whether by mistake or on purpose. With teams spread out and systems more open than ever, oversight is tougher, and internal threats can slip past traditional defenses. These aren’t headline-making attacks from the outside, but rather quiet breaches from within. By the time you catch them, critical data may already be gone.

Whether malicious or accidental, insider threats are one of the most underestimated risks in SaaS. With teams working across locations, systems, and devices, visibility is limited — and oversight is tougher than ever.

Access mismanagement, privilege creep, and poor Role-Based Access Control (RBAC) hygiene can expose sensitive data in ways external actors never could. Most SaaS platforms weren’t built to detect or respond to these kinds of quiet, internal failures.

5. Cyberthreats Are Evolving Faster Than Defense

Today’s attacks steal data, corrupt environments, and pressure businesses through multi-phase extortion. Groups like Akira have shown how easily attackers can pivot into SaaS environments, exploiting token misconfigurations and shared credentials, leading the charge on ransomware for 18 consecutive months. If something as quiet, indiscriminate, and devastating as Akira is ransomware’s most common form, it’s impossible to foresee the true danger of cyberthreats in coming years.

What we do know is that, in 2024, the average ransom payment exceeded half a million dollars, and targeted organizations of every size, type, and industry. Even when data isn’t encrypted directly, business operations still grind to a halt. And in a multi-cloud world, one compromised app can cascade across others.

SaaS providers aren’t built to defend your business against these threats. They’ll keep the lights on. They won’t get your data back.

6. Recovery Speed Defines Success

Disruptions come in many forms — ransomware, outages, natural disasters — and when they hit, the clock starts ticking. Most teams aren’t set up to recover quickly enough. According to Gartner, ransomware recovery often drags on for weeks. Downtime cuts into revenue, frustrates customers, and drains internal resources. In sectors like healthcare, finance, and government, where every minute counts, the cost can escalate fast.

Customers expect availability. When systems go dark, patience wears thin, and brand trust takes a hit. But in many organizations, recovery is still manual, clunky, or all-or-nothing. You’re forced to choose between waiting hours to restore everything — or giving up on what’s lost.

The Lesson is Clear

The shift to SaaS has reshaped how organizations approach data management, revealing crucial lessons about efficiency, agility, and resource optimization. Modern businesses have the potential to thrive when they adopt a SaaS data solution, which remains the clear, strategic choice for future-ready IT operations. But as we’ve seen, the bar is set high.

What Modern SaaS Data Resilience Looks Like

SaaS applications are incredibly powerful — but they also introduce real risk to your data. Protecting that data isn’t easy, but it’s essential. Doing it right means having the ability to:

• Restore data quickly and precisely — even down to a single object or record
• Run automated, policy-driven backups without constant oversight
• Build in security from the start with features like immutability, encryption, and RBAC
• Align retention policies with your compliance obligations
• Manage everything — SaaS, IaaS, hybrid — from a single, unified interface

It’s a long list. And a complex one. But modern resilience isn’t just a checklist — it’s a mindset. And it demands a platform built to keep up. For everything you need to know, read this e-book:

6 Essential Traits of Modern SaaS Data Resilience

SaaS Data Resilience with Veeam Data Cloud

Protecting your data shouldn’t be complicated. With Veeam Data Cloud, you’re empowered by a unified cloud platform, integrating industry-leading innovation, modern cloud-native technologies, and powerful AI acceleration to secure, protect, and manage your data wherever it resides.

• Realize True Resilience: Ensure uninterrupted business operations through intelligent automation, policy-driven protection, and precise, rapid recoveries.
• Embed Security at Every Level: Safeguard your sensitive data proactively with integrated Zero Trust architecture, robust encryption, immutability, and intelligent threat detection.
• Drive Operational Excellence: Streamline operations, significantly reduce total cost of ownership (TCO), and boost efficiency with an intuitive, AI-accelerated interface.

Don’t wait for disruption to test your readiness. Choose Veeam Data Cloud and confidently embrace a future where your data resilience strategy actively drives efficiency, compliance, and business continuity.

Jun 26, 2025Ravie LakshmananCyber Espionage / Malware

An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel.

“In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages,” Check Point said in a report published Wednesday. “The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations.”

The cybersecurity company attributed the activity to a threat cluster it tracks as Educated Manticore, which overlaps with APT35 (and its sub-cluster APT42), CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.

The advanced persistent threat (APT) group has a long history of orchestrating social engineering attacks using elaborate lures, approaching targets on various platforms like Facebook and LinkedIn using fictitious personas to trick victims into deploying malware on their systems.

Check Point said it observed a new wave of attacks starting mid-June 2025 following the outbreak of the Iran-Israel war that targeted Israeli individuals using fake meeting decoys, either via emails or WhatsApp messages tailored to the targets. It’s believed that the messages are crafted using artificial intelligence (AI) tools.

One of the WhatsApp messages flagged by the company took advantage of the current geopolitical tensions between the two countries to coax the victim into joining a meeting, claiming they needed their immediate assistance on an AI-based threat detection system to counter a surge in cyber attacks targeting Israel since June 12.

The initial messages, like those observed in previous Charming Kitten campaigns, are devoid of any malicious artifacts and are primarily designed to gain the trust of their targets. Once the threat actors build rapport over the course of the conversation, the attack moves to the next phase by sharing links that direct the victims to fake landing pages capable of harvesting their Google account credentials.

“Before sending the phishing link, threat actors ask the victim for their email address,” Check Point said. “This address is then pre-filled on the credential phishing page to increase credibility and mimic the appearance of a legitimate Google authentication flow.”

“The custom phishing kit […] closely imitates familiar login pages, like those from Google, using modern web technologies such as React-based Single Page Applications (SPA) and dynamic page routing. It also uses real-time WebSocket connections to send stolen data, and the design allows it to hide its code from additional scrutiny.”

The fake page is part of a custom phishing kit that can not only capture their credentials, but also two-factor authentication (2FA) codes, effectively facilitating 2FA relay attacks. The kit also incorporates a passive keylogger to record all keystrokes entered by the victim and exfiltrate them in the event the user abandons the process midway.

Some of the social engineering efforts have also involved the use of Google Sites domains to host bogus Google Meet pages with an image that mimics the legitimate meeting page. Clicking anywhere on the image directs the victim to phishing pages that trigger the authentication process.

“Educated Manticore continues to pose a persistent and high-impact threat, particularly to individuals in Israel during the escalation phase of the Iran-Israel conflict,” Check Point said.

“The group continues to operate steadily, characterized by aggressive spear-phishing, rapid setup of domains, subdomains, and infrastructure, and fast-paced takedowns when identified. This agility allows them to remain effective under heightened scrutiny.”

Jun 26, 2025Ravie LakshmananThreat Intelligence / Ransomware

Cybersecurity researchers are calling attention to a series of cyber attacks targeting financial organizations across Africa since at least July 2023 using a mix of open-source and publicly available tools to maintain access.

Palo Alto Networks Unit 42 is tracking the activity under the moniker CL-CRI-1014, where “CL” refers to “cluster” and “CRI” stands for “criminal motivation.”

It’s suspected that the end goal of the attacks is to obtain initial access and then sell it to other criminal actors on underground forums, making the threat actor an initial access broker (IAB).

“The threat actor copies signatures from legitimate applications to forge file signatures, to disguise their toolset and mask their malicious activities,” researchers Tom Fakterman and Guy Levi said. “Threat actors often spoof legitimate products for malicious purposes.”

The attacks are characterized by the deployment of tools like PoshC2 for command-and-control (C2), Chisel for tunneling malicious network traffic, and Classroom Spy for remote administration.

The exact method the threat actors use to breach target networks is not clear. Once a foothold is obtained, the attack chains have been found to deploy MeshCentral Agent and later Classroom Spy to commandeer the machines, and then drop Chisel to bypass firewalls and spread PoshC2 to other Windows hosts on the compromised network.

To sidestep detection efforts, the payloads are passed off as legitimate software, using the icons of Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools. PoshC2 is persisted on the systems using three different methods –

• Setting up a service
• Saving a Windows shortcut (LNK) file to the tool in the Startup folder
• Using a scheduled task under the name “Palo Alto Cortex Services”

In some incidents observed by the cybersecurity company, the threat actors are said to have stolen user credentials and used them to set up a proxy using PoshC2.

“PoshC2 can use a proxy to communicate with a command-and-control (C2) server, and it appears that the threat actor tailored some of the PoshC2 implants specifically for the targeted environment,” the researchers noted.

This is not the first time PoshC2 has been used in attacks aimed at financial services in Africa. In September 2022, Check Point detailed a spear-phishing campaign dubbed DangerousSavanna that targeted financial and insurance companies located in Coast, Morocco, Cameroon, Senegal, and Togo to deliver Metasploit, PoshC2, DWservice, and AsyncRAT.

The disclosure comes as Trustwave SpiderLabs shed light on a new ransomware group called Dire Wolf that has already claimed 16 victims across the U.S., Thailand, Taiwan, Australia, Bahrain, Canada, India, Italy, Peru, and Singapore since its emergence last month. The top targeted sectors are technology, manufacturing, and financial services.

Analysis of the Dire Wolf locker has revealed that it’s written in Golang, and comes with capabilities to disable system logging, terminate a hard-coded list of 75 services and 59 applications, and inhibit recovery efforts by deleting shadow copies.

“Although no initial access, reconnaissance or lateral movement techniques used by Dire Wolf are known at this point, organizations shall follow good security practices as well as enable monitoring for the techniques revealed in this analysis,” the company said.

Jun 26, 2025Ravie LakshmananVulnerability / Firmware Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added three security flaws, each impacting AMI MegaRAC, D-Link DIR-859 router, and Fortinet FortiOS, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The list of vulnerabilities is as follows –

• CVE-2024-54085 (CVSS score: 10.0) – An authentication bypass by spoofing vulnerability in the Redfish Host Interface of AMI MegaRAC SPx that could allow a remote attacker to take control
• CVE-2024-0769 (CVSS score: 5.3) – A path traversal vulnerability in D-Link DIR-859 routers that allows for privilege escalation and unauthorized control (Unpatched)
• CVE-2019-6693 (CVSS score: 4.2) – A hard-coded cryptographic key vulnerability in FortiOS, FortiManager and FortiAnalyzer that’s used to encrypt password data in CLI configuration, potentially allowing an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data

Firmware security company Eclypsium, which disclosed CVE-2024-54085 earlier this year, said the flaw could be exploited to carry out a wide-range of malicious actions, including deploying malware and tampering with device firmware.

There are currently no details on how the shortcoming is being weaponized in the wild, who may be exploiting it, and the scale of the attacks. The Hacker News has reached out to Eclypsium for comment, and we will update the story if we get a response.

The exploitation of CVE-2024-0769 was revealed by threat intelligence firm GreyNoise exactly a year ago as part of a campaign designed to dump account names, passwords, groups, and descriptions for all users of the device.

It’s worth noting that D-Link DIR-859 routers have reached end-of-life (EoL) as of December 2020, meaning the vulnerability will remain unpatched on these devices. Users are advised to retire and replace the product.

As for the abuse of CVE-2019-6693, multiple security vendors have reported that threat actors linked to the Akira ransomware scheme have leveraged the vulnerability to obtain initial access to target networks.

In light of the active exploitation of these flaws, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by July 16, 2025, to secure their networks.

Jun 26, 2025Ravie LakshmananArtificial Intelligence / Data Protection

Popular messaging platform WhatsApp has added a new artificial intelligence (AI)-powered feature that leverages its in-house solution Meta AI to summarize unread messages in chats.

The feature, called Message Summaries, is currently rolling out in the English language to users in the United States, with plans to bring it to other regions and languages later this year.

It “uses Meta AI to privately and quickly summarize unread messages in a chat, so you can get an idea of what is happening, before reading the details in your unread messages,” WhatsApp said in a post.

Message Summaries is optional and is disabled by default. The Meta-owned service said users can also enable “Advanced Chat Privacy” to choose which chats can be shared for providing AI-related features.

Most importantly, it’s made possible by Private Processing, which WhatsApp launched back in April as a way to enable AI capabilities in a privacy-preserving manner.

Private Processing is designed to process AI requests within a secure environment called the confidential virtual machine (CVM) on the cloud by establishing a secure application session between a user’s device and the Trusted Execution Environment (TEE) over an Oblivious HTTP (OHTTP) connection.

The company reiterated that the technology prevents any third-party, including Meta and WhatsApp, from having to see the actual message contents to generate the summaries.

“No one else in the chat can see that you summarized unread messages either,” it said. “This means your privacy is protected at all times.”

The development comes as the U.S. House of Representatives added WhatsApp to a list of apps banned from government-issued devices, citing security concerns.

Jun 25, 2025Ravie LakshmananSaaS Security / Vulnerability

New research has uncovered continued risk from a known security weakness in Microsoft’s Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications.

Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse.

First disclosed by Descope in June 2023, nOAuth refers to a weakness in how SaaS applications implement OpenID Connect (OIDC), which refers to an authentication layer built atop OAuth to verify a user’s identity.

The authentication implementation flaw essentially allows a bad actor to change the mail attribute in the Entra ID account to that of a victim’s and take advantage of the app’s “Log in with Microsoft” feature to hijack that account.

The attack is trivial, but it also works because Entra ID permits users to have an unverified email address, opening the door to user impersonation across tenant boundaries.

It also exploits the fact that an app using multiple identity providers (e.g., Google, Facebook, or Microsoft) could inadvertently allow an attacker to sign in to a target user’s account simply because the email address is used as the sole criteria to uniquely identify users and merge accounts.

Semperis’ threat model focuses on a variant of nOAuth, specifically finding applications that allow for Entra ID cross-tenant access. In other words, both the attacker and the victim are on two different Entra ID tenants.

“nOAuth abuse is a serious threat that many organizations may be exposed to,” Eric Woodruff, chief identity architect at Semperis, said. “It’s low effort, leaves almost no trace and bypasses end‑user protections.”

“An attacker that successfully abuses nOAuth would be able not only to gain access to the SaaS application data, but also potentially to pivot into Microsoft 365 resources.”

Semperis said it reported the findings to Microsoft in December 2024, prompting the Windows maker to reiterate recommendations it gave back in 2023, coinciding with the public disclosure of nOAuth. It also noted that vendors that do not comply with the guidelines risk getting their apps removed from the Entra App Gallery.

Microsoft has also emphasized that the use of claims other than subject identifier (referred to as the “sub” claim) to uniquely identify an end user in OpenID Connect is non-compliant.

“If an OpenID Connect relying party uses any other claims in a token besides a combination of the sub (subject) claim and the iss (issuer) claim as a primary account identifier in OpenID Connect, they’re breaking the contract of expectations between federated identity provider and relying party,” the company noted at that time.

Mitigating nOAuth ultimately rests in the hands of developers, who must properly implement authentication to prevent account takeovers by creating a unique, immutable user identifier.

“nOAuth abuse exploits cross-tenant vulnerabilities and can lead to SaaS application data exfiltration, persistence, and lateral movement,” the company said. “The abuse is difficult for customers of vulnerable applications to detect and impossible for customers of vulnerable applications to defend against.”

The disclosure comes as Trend Micro revealed that misconfigured or overly privileged containers in Kubernetes environments can be used to facilitate access to sensitive Amazon Web Services (AWS) credentials, enabling attackers to conduct follow-on activities.

The cybersecurity company said attackers can exploit excessive privileges granted to containers using methods like packet sniffing of unencrypted HTTP traffic to access plaintext credentials and API spoofing, which uses manipulated Network Interface Card (NIC) settings to intercept Authorization tokens and gain elevated privileges.

“The findings […] highlight critical security considerations when using Amazon EKS Pod Identity for simplifying AWS resource access in Kubernetes environments,” security researcher Jiri Gogela said.

“These vulnerabilities underscore the importance of adhering to the principle of least privilege, ensuring container configurations are scoped appropriately, and minimizing opportunities for exploitation by malicious actors.”

Jun 25, 2025Ravie LakshmananVulnerability / Network Security

Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild.

The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0.

It has been described as a case of memory overflow that could result in unintended control flow and denial-of-service. However, successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The shortcoming impacts the below versions –

• NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
• NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
• NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (vulnerable and end-of-life)
• NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

“Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities,” Citrix said.

“Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities.”

The company did not reveal how the flaw is being exploited in real-world attacks, but said “exploits of CVE-2025-6543 on unmitigated appliances have been observed.”

The disclosure comes shortly after Citrix patched another critical-rated security flaw in NetScaler ADC (CVE-2025-5777, CVSS score: 9.3) that could be exploited by threat actors to gain access to susceptible appliances.

Jun 25, 2025Ravie LakshmananData Privacy / Vulnerability

Cybersecurity researchers have detailed two now-patched security flaws in SAP Graphical User Interface (GUI) for Windows and Java that, if successfully exploited, could have enabled attackers to access sensitive information under certain conditions.

The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were patched by SAP as part of its monthly updates for January 2025.

“The research discovered that SAP GUI input history is stored insecurely, both in the Java and Windows versions,” Pathlock researcher Jonathan Stross said in a report shared with The Hacker News.

SAP GUI user history allows users to access previously entered values in input fields with the goal of saving time and reducing errors. This historical information is stored locally on devices. This can include usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names.

The vulnerabilities identified by Pathlock are rooted in this input history feature, allowing an attacker with administrative privileges or access to the victim’s user directory on the operating system to access the data within a predefined directory based on the SAP GUI variant.

• SAP GUI for Windows – %APPDATA%LocalLowSAPGUICacheHistorySAPHistory<WINUSER>.db
• SAP GUI for Java – %APPDATA%LocalLowSAPGUICacheHistory or $HOME/.SAPGUI/Cache/History (Windows or Linux) and $HOME/Library/Preferences/SAP/Cache/History (macOS)

The issue is that the inputs are saved in the database file using a weak XOR-based encryption scheme in the case of SAP GUI for Windows, which makes them trivial to decode with minimal effort. In contrast, SAP GUI for Java stores these historical entries in an unencrypted fashion as Java serialized objects.

As a result, depending on the user input provided in the past, the disclosed information could include anything between non-critical data to highly sensitive data, thereby impacting the confidentiality of the application.

“Anyone with access to the computer can potentially access the history file and all sensitive information it stores,” Stross said. “Because the data is stored locally and weakly (or not at all) encrypted, exfiltration through HID injection attacks (like USB Rubber Ducky) or phishing becomes a real threat.”

To mitigate any potential risks associated with information disclosure, it’s advised to disable the input history functionality and delete existing database or serialized object files from the aforementioned directories.

Citrix Patches CVE-2025-5777

The disclosure comes as Citrix patched a critical-rated security flaw in NetScaler (CVE-2025-5777, CVSS score: 9.3) that could be exploited by threat actors to gain access to susceptible appliances.

The shortcoming stems from insufficient input validation that may enable unauthorized attackers to grab valid session tokens from memory via malformed requests, effectively bypassing authentication protections. However, this only works when Netscaler is configured as a Gateway or AAA virtual server.

The vulnerability has been codenamed Citrix Bleed 2 by security researcher Kevin Beaumont, owing to its similarities to CVE-2023-4966 (CVSS score: 9.4), which came under active exploitation in the wild two years ago.

It has been addressed in the following versions –

• NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
• NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
• NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS

Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Citrix is recommending that users run the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances have been upgraded –

kill icaconnection -all
kill pcoipConnection -all

The company is also urging customers of NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 to move to a support version as they are now End Of Life (EOL) and no longer supported.

While there is no evidence that the flaw has been weaponized, watchTowr CEO Benjamin Harris said it “checks all the boxes” for attacker interest and that exploitation could be around the corner.

“CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed, a vulnerability that caused havoc for end-users of Citrix Netscaler appliances in 2023 and beyond as the initial breach vector for numerous high-profile incidents,” Benjamin Harris, CEO at watchTowr, told The Hacker News.

“The details surrounding CVE-2025-5777 have quietly shifted since its initial disclosure, with fairly important pre-requisites or limitations being removed from the NVD CVE description — specifically, the comment that this vulnerability was in the lesser-exposed Management Interface has now been removed — leading us to believe that this vulnerability is significantly more painful than perhaps first signaled.”

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.

A gap in access control in Microsoft Entra’s subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.

All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access.

Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource tenant. It can allow a threat actor to achieve unauthorized reconnaissance and persistence in the defender’s Entra ID, and advance privilege escalation in certain scenarios.

Typical threat models and best practices don’t account for an unprivileged guest creating their own subscription within your tenant, so this risk may not only exist outside your organization’s controls; it may be off your security team’s radar as well.

How to Compromise Your Entra ID Tenant with a Guest User Account

Guest-made subscription footholds exploit the fact that Microsoft’s billing permissions (Enterprise Agreement or Microsoft Customer Agreement) are scoped at the billing account, not the Entra directory. Most security teams think about Azure permissions as either Entra Directory Roles (such as Global Administrator) or Azure RBAC Roles (such as Owner). But there is another set of permissions that get overlooked: Billing Roles.

While Entra Directory and Azure RBAC Roles focus on managing permissions around identities and access to resources, Billing roles operate at the billing account level, which exists outside the well-understood Azure tenant authentication and authorization boundaries. A user with the right billing role can spin up or transfer subscriptions from their home tenant to gain control inside a target tenant, and a security team that is strictly auditing Entra Directory roles won’t gain visibility of these subscriptions in a standard Entra permission review.

When a B2B guest user is invited to a resource tenant, they access the tenant via federation from their home tenant. This is a cost-saving measure, the trade-off being that your tenant cannot enforce auth controls like MFA. As such, defenders usually try to limit the privileges and access of guests as they are inherently less securable. However, if the guest has a valid billing role in their home tenant, they can use it to become a subscription owner inside Azure.

This is also true for guest users who exist in pay-as-you-go Azure tenants that an attacker could spin up in just a few minutes. And, by default, any user, including guests, can invite external users into the directory. This means an attacker could leverage a compromised account to invite in a user with the correct billing permissions into your environment.

• Listing Root Management Group Administrators – In many tenant configurations, guest users have zero permissions to list other users within a tenant; however, following a guest subscription attack, that visibility becomes possible. The guest Owner can view the “Access Control” role assignments on the subscription they’ve created. Any administrators assigned at the root management group level of the tenant will be inherited and will appear in the role assignments view of the subscription, exposing a list of high-value privileged accounts that are ideal targets for follow-on attacks and social engineering.
• Weakening the Default Azure Policy Tied to the Subscription – By default, all subscriptions (and their resources) are governed by Azure policies designed to enforce security standards and trigger alerts when violations occur. However, when a guest becomes a subscription Owner, they have full write permissions to all policies that apply to their subscription and can modify or disable them, effectively muting security alerts that would otherwise notify defenders of suspicious or non-compliant activity. This further reduces visibility from security monitoring tools, allowing the attacker to perform malicious activities or target external systems under the radar.
• Creating a User-Managed Identity in the Entra ID Directory – A guest user with subscription Owner permissions can create a User-Managed Identity, a special Azure identity that lives in the Entra directory, but is linked to cloud workloads, within their subscription. This identity can:
  • Persist independently of the original guest account
  • Be granted roles or permissions beyond the subscription
  • Blend in with legitimate service identities, making detection harder
  • Launch a targeted API permission phishing attack to trick legitimate admins into granting this managed identity elevated privileges.
• Registering Microsoft Entra-Joined Devices and abusing Conditional Access Policies – Azure allows trusted devices to be registered and joined to Entra ID. An attacker can register devices under their hijacked subscription and have them appear as compliant corporate devices. Many organizations use dynamic device groups to auto-assign roles or access based on device status (e.g., “all users on compliant laptops get access to X”). By spoofing or registering a device, an attacker could abuse Conditional Access Policies and gain unauthorized access to trusted assets. This represents a device-based variant of a known dynamic group exploit^[1] previously seen in user object targeting. BeyondTrust’s Identity Security Insights product has helped customers uncover many similar misconfigured dynamic groups that unintentionally expose hidden Paths to Privilege™.

Why Guest Subscription Creation Is a Growing Concern for Entra Security

While more work is required to understand the true implications of this updated threat model, what we already know is concerning: any guest account federated into your tenant may represent a path to privilege. The risk is not hypothetical. Researchers at BeyondTrust have observed attackers actively abusing guest-based subscription creation in the wild. The threat is present, active, and the real danger here lies in the fact that it’s largely under the radar.

These actions fall outside what most Azure administrators expect a guest user to be capable of. Most security teams don’t account for guest users being able to create and control subscriptions. As a result, this attack vector often falls outside of typical Entra threat models, making this path to privilege under-recognized, unexpected, and dangerously accessible.

This attack vector is extremely common in B2B scenarios, where home and resource tenants are often controlled by different organizations. We suspect many organizations leveraging Entra ID B2B Guest features are unaware of the possible paths to privilege that this feature inadvertently enables.

Mitigations: How to Prevent Guest Subscription Accounts from Gaining a Foothold

To mitigate this behaviour, Microsoft allows organizations to configure Subscription Policies to block guests from transferring subscriptions into their tenant. This setting restricts subscription creation to explicitly permitted users only, and Microsoft has published supporting documentation^[2] for this control.

In addition to enabling this policy, we recommend the following actions:

1. Audit all guest accounts in your environment and remove those that are no longer required
2. Harden guest controls as much as possible: for instance, disable guest-to-guest invitations
3. Monitor all subscriptions in your tenant regularly to detect unexpected guest-created subscriptions and resources
4. Monitor all Security Center alerts in the Azure Portal; some may appear even if the visibility is inconsistent
5. Audit device access, especially if these utilize dynamic group rules.

To assist defenders, BeyondTrust Identity Security Insights provides built-in detections to flag subscriptions created by guest accounts, offering automated visibility into these unusual behaviors.

BeyondTrust Identity Security Insights customers can gain a holistic view of all Identities across their entire identity fabric. This includes gaining a consolidated understanding of Entra Guest accounts and their True Privilege™.

The Bigger Picture: Identity Misconfigurations Are the New Exploits

Guest-made subscription compromise isn’t an anomaly; it’s a stark example of the many overlooked identity security weaknesses that can undermine the modern enterprise environment, if not adequately addressed. Misconfigurations and weak default settings are prime access points for threat actors who are looking for the hidden paths into your environment.

It isn’t just your admin accounts that need to be included in your security policies anymore. B2B trust models, inherited billing rights, and dynamic roles mean that every account is a potential launch point for privilege escalation. Re-examine your guest access policies, visibility tools, and subscription governance models now, before these Restless Guests take advantage.

To gain a snapshot of potential identity-based risks in your environment, including those introduced through guest access, BeyondTrust offers a no-cost Identity Security Risk Assessment.

Note: This article is expertly written and contributed by Simon Maxwell-Stewart, Senior Security Researcher at BeyondTrust. Simon Maxwell-Stewart is a University of Oxford physics graduate with over a decade of experience in the big data environment. Before joining BeyondTrust, he worked as a Lead Data Scientist in healthcare, and successfully brought multiple machine learning projects into production. Now working as a “resident graph nerd” on BeyondTrust’s security research team, Simon applies his expertise in graph analysis to help drive identity security innovation.

Thousands of personal records allegedly linked to athletes and visitors of the Saudi Games have been published online by a pro-Iranian hacktivist group called Cyber Fattah.

Cybersecurity company Resecurity said the breach was announced on Telegram on June 22, 2025, in the form of SQL database dumps, characterizing it as an information operation “carried out by Iran and its proxies.”

“The actors gained unauthorized access to phpMyAdmin (backend) and exfiltrated stored records,” Resecurity said. “This is an example of Iran using data breaches as part of a larger anti-U.S., anti-Israel, and anti-Saudi propaganda activity in cyberspace, targeting major sports and social events.”

It’s believed that the data is likely pulled from the Saudi Games 2024 official website and then shared on DarkForums, a cybercrime forum that has gained attention in the wake of BreachForums’ repeated takedowns. The information was published by a forum user named ZeroDayX, a burner profile that was likely created to promote this breach.

The leaked data includes IT staff credentials; government official email addresses; athletes’ and visitors’ information; passports and ID cards; bank statements; medical forms; and scanned copies of sensitive documents.

“The activities of Cyber Fattah align with a broader trend of hacktivism in the Middle East, where groups frequently engage in cyber warfare as a form of activism,” Resecurity said.

The leak unfolds against the backdrop of simmering tensions between Iran and Israel, with as many as 119 hacktivist groups claiming to have conducted cyber attacks or have made declarations to align with or act against the two nations, per Cyberknow.

Cyber Fattah, which calls itself an “Iranian cyber team,” has a history of targeting Israeli and Western web resources and government agencies.

It’s also known to collaborate with other threat actors active in the region, such as 313 Team, which claimed responsibility for a distributed denial-of-service (DDoS) attack against social media platform Truth Social in retaliation for U.S. airstrikes on Iran’s nuclear facilities.

“This incident by Cyber Fattah may indicate an interesting shift from Israel-centric malicious activity toward a broader focus on anti-U.S. and anti-Saudi messaging,” Resecurity said.

Last week, a pro-Israel group known as Predatory Sparrow (aka Adalat Ali, Gonjeshke Darande, Indra, or MeteorExpress) claimed to have leaked data obtained from the Iranian Ministry of Communications. Notably, it also hacked Iran’s largest cryptocurrency exchange, Nobitex, and burned over $90 million in cryptocurrency by sending digital assets to invalid wallets.

Cybersecurity company Outpost24 said the attackers possibly had “access to internal documentation that detailed the inner workings of the exchange and possibly even authentication credentials” to pull off the heist, or that it was a case of a rogue insider who worked with the group.

“This was not a financially motivated heist but a strategic, ideological, and psychological operation,” security researcher Lidia López Sanz said. “By destroying rather than exfiltrating funds, the threat actor emphasized its goals: dismantling public trust in regime-linked institutions and signaling its technical superiority.”

Subsequently, on June 18, Iran’s state broadcaster IRIB’s (short for Islamic Republic of Iran Broadcasting) television stream was hijacked to display pro-Israeli and anti-Iranian government imagery. IRIB claimed Israel was behind the incident.

Image Source: Cyberknow

Israel, for its part, has also become a target of pro-Palestine hacking groups like the Handala team, which has listed several Israeli organizations on its data leak site starting June 14, 2025. These included Delek Group, Y.G. New Idan, and AeroDreams.

Another trend observed in the cyber warfare between Iran and Israel is the coming together of smaller hacktivist groups to form umbrella entities like the Cyber Islamic Resistance or United Cyber Front for Palestine and Iran.

“These loosely affiliated ‘cyber unions’ share resources and synchronize campaigns, amplifying their impact despite limited technical sophistication,” Trustwave SpiderLabs said in a report published last week.

The company also singled out another pro-Iranian group named DieNet that, despite its pro-Iranian and pro-Hamas stance, is believed to include Russian-speaking members and connections to other cyber communities in Eastern Europe.

“What distinguishes DieNet from many other pro-Iranian actors is its hybrid identity,” it noted. “Linguistic analysis of DieNet’s messages, as well as timestamps, metadata, and interaction pattern, suggests that at least part of the group communicates internally in Russian or uses Slavic-language resources.”

“This points to the broader phenomenon of cross-regional cyber collaboration, where ideological alignment overrides geographic or national boundaries.”

Group-IB, in an analysis of Telegram-based hacktivist activity following June 13, said DieNet was the most referenced channel, quoted 79 times during the time period. In all, more than 5,800 messages have been recorded across various hacktivist channels between June 13 and 20.

The deployment of cyber capabilities in the context of the Iran-Israel war, as well as other recent geopolitical events surrounding Hamas–Israel and Russia-Ukraine conflicts, demonstrates how digital operations are increasingly being integrated to supplement kinetic actions, influence public perception, and disrupt critical infrastructure, Trustwave added.