A Perspective On National Insider Threat Awareness Month

Posted in Commentary on September 10, 2025 by itnerd

This is National Insider Threat Awareness Month. Here’s what this is about:

First held in 2019, NITAM is an annual, month-long campaign during September that brings together thousands of U.S. security professionals and policy makers from government and industry, located in 25 countries around the globe, to educate government and industry about the risks posed by insider threats and the role of insider threat programs.

Craig Birch, Principal Technologist for Cayosoft has this perspective:

As we observe National Insider Threat Awareness Month, it’s crucial to recognize that insider threats extend far beyond malicious actors within our organizations. A significant and often overlooked category of insider risk emerges from the very people tasked with protecting our systems: IT administrators whose everyday actions can unintentionally create serious security and operational vulnerabilities.

There’s a real issue related to privileged group membership changes. Every day, administrative actions can unintentionally create serious security and operational risks. For example, an IT admin might temporarily disable multi-factor authentication (MFA) for a user under pressure to complete a critical task. If that exclusion is forgotten, the account becomes a weak point, vulnerable to phishing and potentially granting attackers access to sensitive applications.

While not malicious in intent, these everyday admin changes are a form of insider-driven risk, arising not from attackers, but from human error, pressure, or incomplete understanding of the impact of a configuration change.

Similarly, small configuration changes in tools like Intune can have wide-ranging effects. Accidentally disabling encryption, for instance, could leave every corporate laptop unprotected, exposing the business to data theft if devices are lost or stolen.

These scenarios highlight how tenant-level settings and quick band-aid fixes, even when well-intentioned, can either weaken the security posture by introducing vulnerabilities, or create operational risks by over-restricting access and disrupting business processes.

To address this issue, organizations should implement continuous monitoring and automated controls around privileged group membership and administrative configuration changes. To reduce this risk, enterprises should:

  • Enforce policy guardrails to ensure critical security requirements cannot be disabled without approval.
  • Enable continuous visibility through deployment of monitoring and alerting tools that detect and report privileged group membership changes in real time.
  • Automate recovery through automated rollback or policy enforcement to rapidly restore secure defaults when unauthorized or risky changes occur.
  • Educate administrators through ongoing training to help IT staff understand the broader security implications of everyday admin actions.
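One way to put the second and third bullets into practice, as an added example that is not Cayosoft's code or any product's schema: replay constructed group-change audit records, flag additions to privileged groups that carry no change-ticket reference, and compute the rollback that restores the last approved membership. The event field names and the ticket format are assumptions; the event IDs are the Windows Security log IDs for members added to (4728/4732/4756) or removed from (4729/4733/4757) security-enabled global/local/universal groups.

```python
"""Detect unapproved privileged group membership changes and plan a rollback.

Added example; records below are constructed and field names are assumed,
not the schema of a real audit log or product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Groups whose membership changes should always be approved (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
# Windows Security event IDs: member added / removed, security-enabled groups.
MEMBER_ADDED_IDS = {4728, 4732, 4756}
MEMBER_REMOVED_IDS = {4729, 4733, 4757}
# Assumed change-ticket format the admin must reference in the justification.
TICKET_RE = re.compile(r"\b(?:CHG|INC)-\d{4,}\b")


@dataclass
class GroupChangeEvent:
    event_id: int
    group: str
    member: str
    actor: str
    comment: str = ""  # free-text justification captured with the change


def is_risky(ev: GroupChangeEvent) -> bool:
    """Risky = a member added to a privileged group with no ticket reference."""
    return (ev.event_id in MEMBER_ADDED_IDS
            and ev.group in PRIVILEGED_GROUPS
            and TICKET_RE.search(ev.comment) is None)


def rollback_actions(approved: dict[str, set[str]],
                     events: list[GroupChangeEvent]) -> list[tuple[str, str, str]]:
    """Replay events onto the approved baseline and return the (action, group,
    member) steps that restore the baseline for privileged groups only."""
    current = {g: set(m) for g, m in approved.items()}
    for ev in events:
        members = current.setdefault(ev.group, set())
        if ev.event_id in MEMBER_ADDED_IDS:
            members.add(ev.member)
        elif ev.event_id in MEMBER_REMOVED_IDS:
            members.discard(ev.member)
    actions: list[tuple[str, str, str]] = []
    for group in sorted(current):
        if group not in PRIVILEGED_GROUPS:
            continue
        baseline = approved.get(group, set())
        actions += [("remove", group, m) for m in sorted(current[group] - baseline)]
        actions += [("add", group, m) for m in sorted(baseline - current[group])]
    return actions


def triage(events: list[GroupChangeEvent], approved: dict[str, set[str]]):
    """Return the risky events and the rollback plan for the given baseline."""
    return [e for e in events if is_risky(e)], rollback_actions(approved, events)


# Constructed sample: one ticketed temporary change that was cleaned up, one
# "quick fix" that was forgotten, and one change to a non-privileged group.
SAMPLE_EVENTS = [
    GroupChangeEvent(4728, "Domain Admins", "jdoe", "admin1", "CHG-10234 migration"),
    GroupChangeEvent(4728, "Domain Admins", "svc-backup", "admin2", "quick fix"),
    GroupChangeEvent(4732, "Remote Desktop Users", "jsmith", "admin1", ""),
    GroupChangeEvent(4729, "Domain Admins", "jdoe", "admin1", "CHG-10234 done"),
]
APPROVED_BASELINE = {"Domain Admins": {"da-alice", "da-bob"}}

if __name__ == "__main__":
    risky, plan = triage(SAMPLE_EVENTS, APPROVED_BASELINE)
    for ev in risky:
        print(f"ALERT: {ev.actor} added {ev.member} to {ev.group} without a ticket")
    for action, group, member in plan:
        print(f"ROLLBACK: {action} {member} in {group}")
```

The forgotten "quick fix" is the only event that is both alerted on and undone; the ticketed change was already reverted by its matching removal event, so the rollback plan leaves it alone.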

Now is a good time to look at your environment and make sure that you don’t get pwned by an insider.

Plex Warns Users To Reset Their Passwords ASAP

Posted in Commentary with tags on September 10, 2025 by itnerd

I posted a guest post yesterday that media streaming platform Plex is warning customers to reset passwords after suffering a data breach in which a hacker was able to steal customer authentication data from one of its databases. Related to this, Martin Jartelius, CTO at Outpost24, provided the following comment:

“In situations like this, the safest approach is to automatically invalidate all user passwords and force a reset. While this prioritizes security and privacy over usability and business convenience, it’s often the best way to minimize risk.

The biggest concern is for people who reuse the same password across multiple sites. Even if Plex passwords were securely hashed, weak or reused credentials may eventually be cracked and then exploited in password spraying attacks elsewhere. Users should not only reset their Plex password but also change it anywhere else it may have been used.”

Consider this a today problem. If you have a Plex account, you should take measures to protect yourself now.

Wayne Memorial Hospital Pwned… A Year Ago

Posted in Commentary with tags on September 10, 2025 by itnerd

Georgia-based Wayne Memorial Hospital says it suffered a May 2024 data breach and has notified 163,440 people whose SSNs, credit cards and medical records were compromised.

Here’s the filing: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/a180a42c-3998-4208-a65a-aa095d7166fb.html

Lidia López, Senior Threat Intelligence Analyst at cybersecurity company Outpost24, commented:

“The hospital has not confirmed the threat actor’s identity, but Monti claimed responsibility and threatened to leak data by July 8, 2024. Monti is a ransomware group that emerged in mid-2022 and operates a double-extortion model: encrypting files while exfiltrating data for publication on its Data Leak Site (DLS). 

The ransomware group has primarily targeted government, transportation, technology, and healthcare sectors, with prior healthcare victims including Spine West and Excelsior Orthopaedics. Historically, Monti has abused edge vulnerabilities and VMware ESXi servers, reusing portions of Conti’s tooling before shifting to a newer Linux encryptor. The DLS is currently offline, with the last victim listed on May 8, 2025. Given the Wayne Memorial breach exposed Social Security numbers, payment cards, and medical records, patients now face long-term risks of identity theft, medical fraud, and targeted scams.”

This is another hack that won’t end well for the victims. There will be secondary attacks that go after these victims, and it will cost them. This is not a good situation. What’s even worse is that this happened over a year ago, which means that the bad guys have had a head start.

Retailers Face Rising Threat of AI-Powered Email Scams, New Report From Valimail Warns

Posted in Commentary with tags on September 10, 2025 by itnerd

As phishing scams become more sophisticated and harder to detect, a new analysis from Valimail, the leading provider of email authentication and anti-impersonation solutions, reveals that retail brands are among the top targets. They are increasingly attacked not only for fraud, but for brand impersonation campaigns that erode consumer trust and open the door to disinformation.

In the past year alone, Valimail blocked over 123 million suspicious emails, highlighting the scale of attempted brand abuse aimed at customers’ inboxes. These are no longer the clunky, obvious attacks of the past. They’re clean and well-crafted, designed to replicate the tone, design and cadence of trusted retail brands. The goal is often to get customers to click, share credentials or even unknowingly spread misinformation.

While many retailers have taken steps to implement email authentication protocols, the report shows that significant gaps remain:

  • Even though 95% of retail domains have a DMARC record in place, many aren’t enforcing it. Nearly 30% still use a policy that effectively does nothing.
  • 6% don’t receive any reporting at all, leaving them blind to how their domains are being used or misused.
  • If new sender authentication requirements from Gmail, Yahoo! and Outlook were fully enforced today, 3 million retail emails would be blocked for failing compliance.
  • Despite these gaps, the report notes a 40% year-over-year increase in BIMI adoption in the retail sector – a sign that more brands are looking to protect both security and visual trust in the inbox.
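To see what "a DMARC record in place but not enforced" and "no reporting at all" look like in a record, here is an added example (not Valimail's Domain Checker) that classifies constructed DMARC TXT records by enforcement policy, partial rollout percentage, and whether an aggregate-report address is present. The domains and records are made up for illustration.

```python
"""Classify DMARC records by enforcement and reporting visibility.

Added example with constructed records; not the report's or Valimail's code.
"""
from __future__ import annotations


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str | None) -> dict:
    """Return whether a record exists, is fully enforced, and reports, with a
    one-line finding in the terms the report uses."""
    if not txt:
        return {"record": False, "enforced": False, "reporting": False,
                "finding": "no DMARC record"}
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        # Without v=DMARC1 and a p= tag receivers ignore the record entirely.
        return {"record": True, "enforced": False, "reporting": False,
                "finding": "malformed record (missing v=DMARC1 or p=)"}
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))          # pct defaults to 100
    reporting = bool(tags.get("rua"))           # aggregate reports go here
    enforced = policy in ("quarantine", "reject") and pct == 100
    if policy == "none":
        finding = "p=none: monitor-only, effectively does nothing"
    elif pct < 100:
        finding = f"p={policy} applied to only {pct}% of failing mail"
    else:
        finding = f"enforced (p={policy})"
    if not reporting:
        finding += "; no rua, so the owner is blind to how the domain is used"
    return {"record": True, "enforced": enforced, "reporting": reporting,
            "finding": finding}


# Constructed sample records covering each gap the report describes.
SAMPLE_RECORDS: dict[str, str | None] = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "blind.example": "v=DMARC1; p=quarantine",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:r@partial.example",
    "missing.example": None,
}


def summarize(records: dict[str, str | None]) -> dict[str, dict]:
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, result in summarize(SAMPLE_RECORDS).items():
        print(f"{domain:18} {result['finding']}")
```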

Valimail’s findings underscore a key shift: email security is no longer just about fraud prevention – it’s brand protection. In an era when AI can mimic tone, logos and layouts with alarming accuracy, authentication tools like DMARC and BIMI are among the few tools that give brands control over who can send on their behalf.

Valimail offers free resources for organizations to check the protection status of their email domains through the Valimail Domain Checker, and provides DMARC reporting visibility through its Monitor solution.

The full “2025 Winning (and Keeping) Shopper Trust – The Retail Email Threat You Can’t See” report can be accessed here.

Guest Post: When Europe’s GPS Goes Dark: The Urgent Cybersecurity Crisis Inside EU Institutions

Posted in Commentary with tags on September 10, 2025 by itnerd

The EU’s top official, European Commission’s president Ursula von der Leyen, was on her way to Bulgaria when a suspected Russian attack forced her plane to land without essential navigation tools.

This harrowing episode was no accident but what officials suspect to be a deliberate act of Russian interference – an electronic attack targeting critical infrastructure in the heart of the European Union.

This incident exposes not only the elevated state of geopolitical hostility but also the cybersecurity weaknesses within EU institutions themselves.

According to the research by the Business Digital Index, or BDI, the EU’s cybersecurity defenses resemble an office where nearly half the doors are unlocked, passwords are scrawled on sticky notes, and the alarm system is known to be broken but left unfixed. The BDI findings reveal the reality that EU institutions may not be robustly prepared to withstand or respond effectively to high-impact cyber-physical attacks like GPS jamming.

The researchers looked at 75 EU institutions and found that none got an A or B for cybersecurity efforts. 35% got the lowest grade, an F. The problems are especially clear with basic security: in the F-rated institutions, 85% of employees reused passwords that had already been breached. In C-rated ones, only 8% did this. SSL/TLS configuration issues were identified in 100% of F-rated institutions.

These findings point to very real – and these days accelerated by AI – risks for phishing, malware, and stolen data. Attackers can now do such things as mimicking colleagues using deepfake technology, and deploying malware that adapts in real time to avoid detection. Needless to say, these potential threats can result in financial loss, reputational damage, and regulatory penalties for EU organizations.

The EU’s main response to growing cyber threats has been to add more rules in order to improve cybersecurity. But the data shows that just having rules isn’t enough. Despite these new rules, nearly half (46%) of the EU’s lowest-rated organizations have already suffered data breaches.

I believe that the real problem is that leaders aren’t acting urgently or taking responsibility. For example, almost all D-rated and F-rated institutions had insecure hosting environments. Domains vulnerable to email spoofing were found in every C-rated organization and in 96% of D-rated and F-rated ones.

The EU needs to do more than merely add more rules and formally follow them. It needs to make sure leaders are held responsible for breaches. That means executives should have part of their pay tied to cybersecurity results. It also means having real, independent security checks with actual consequences for failure. The Transport sector is doing a little better than others, and the EU should learn from that.

Some might argue that more rules will solve the problem, or that it’s just too big to fix in a short amount of time. But the numbers tell a different story: the institutions with the worst track records are the same ones that don’t pay attention to basic security practices such as using strong and uncompromised passwords. At the end of the day, this comes down to leadership.

Given that cyber threats keep on evolving and the geopolitical situation isn’t exactly what we want it to be, the risks are really high. Every day the EU waits, it puts sensitive data, economic stability, and public trust at risk. If the EU wants to be a leader in digital governance, it needs to make cybersecurity a top priority for executives, invest in training, and hold leaders to account.

If nothing changes, the next headline won’t be about bad grades or landing with paper maps. It might be about a real crisis that rules can’t fix. The question now is whether the EU will act in time.

ABOUT THE AUTHOR

Jurgita Lapienytė is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts that uncover cyber threats through research, testing, and data-driven reporting. With a career spanning over 15 years, she has reported on major global events, including the 2008 financial crisis and the 2015 Paris terror attacks, and has driven transparency through investigative journalism. A passionate advocate for cybersecurity awareness and women in tech, Jurgita has interviewed leading cybersecurity figures and amplifies underrepresented voices in the industry. She’s recognized as the Cybersecurity Journalist of the Year and featured in Top Cyber News Magazine’s 40 Under 40 in Cybersecurity. Jurgita has been quoted internationally – by the BBC, Metro UK, The Epoch Times, Extra Bladet, Computer Bild, and more.

Guardsquare Highlights Research Showing Organizations Shifting from Mobile Security Overconfidence to Proactive Protection

Posted in Commentary with tags on September 9, 2025 by itnerd

Guardsquare, the leading provider of mobile application security products, is highlighting new findings from a study conducted by Enterprise Strategy Group, which reveal how widespread overconfidence in mobile app security is driving a fundamental shift in organizational priorities. While 93% of organizations believe their current protections are sufficient, the reality that 62% suffered mobile app breaches in the past year—averaging nine incidents each—is driving a move toward more proactive, comprehensive security strategies that balance development speed with robust protection.

The pressure to accelerate release cycles compounds this blind spot, with 71% of organizations admitting speed has compromised mobile app security.

The report’s key findings expose the critical vulnerabilities organizations leave unaddressed:

  • Low adoption of proactive defenses: Almost 70% of organizations don’t use obfuscation to protect their mobile apps, and 60% lack Runtime Application Self-Protection (RASP), leaving their apps vulnerable to both static and dynamic analysis.
  • iOS apps are not immune: Challenging a long-held industry myth, more than 70% of organizations believe that iOS apps pose a moderate or higher level security risk.
  • Consequences extend beyond the balance sheet: The impacts of security incidents extend beyond the average reported cost. More than half of respondents (54%) reported application downtime, 48% experienced data leakage, and 41% suffered a loss of consumer trust.

The full report, “From Overconfident to Proactive: Why Mobile App Security is Primed for a Cultural Shift,” is available for download at:
https://www.guardsquare.com/report/overconfidence-exposes-mobile-app-security-gaps

KnowBe4 Defines a Holistic Approach to Human Risk Management

Posted in Commentary with tags on September 9, 2025 by itnerd

KnowBe4 today released its whitepaper “A Strategic Framework for Human Risk Management”. The paper outlines the core principles of a modern human risk management (HRM) approach and how organizations can apply the framework to strengthen security culture and drive measurable change in employee behavior.

Separate from an HRM platform, the HRM framework is defined as a strategic, people-centric approach to cybersecurity that measures, manages and reduces the security risks created by human behavior. The new framework comes as a direct response to the escalating cyber landscape where human behavior continues to be a primary attack vector. Moving beyond traditional security awareness programs, the paper calls for a fundamental shift in how organizations perceive and manage the human element of security.

KnowBe4 identifies several core principles that build an effective HRM approach:

  • Measure and Benchmark: Understand current human risk levels within an organization using a baseline assessment.
  • Engage and Empower: Create a culture where security is a shared responsibility, not just an IT concern.
  • Adapt and Personalize: Deliver tailored training and coaching based on individual risk profiles.
  • Artificial Intelligence (AI) and Automation: Use intelligent AI-driven technology to provide real-time feedback, personalized insights and automated interventions.
  • Demonstrate Value: Show the measurable impact of the program on the organization’s overall security culture.

Download a copy of the whitepaper, “A Strategic Framework for Human Risk Management”, here.

1.6M Audio Recordings Exposed On Gym Communications Platform Breach

Posted in Commentary with tags on September 9, 2025 by itnerd

Recently, cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet a non-password-protected database containing over 1.6 million audio files linked to Hello Gym, a gym communications platform that partners with some of the biggest gym franchises in the US.

What happened:
The database contained 1,605,345 audio files of phone recordings and voicemails accessible without any password protection. A limited review of the files revealed internal phone calls and messages that included gym members’ names, phone numbers, and reasons for the calls, which raises concerns about the sensitivity of the exposed information.

Why it matters:
Audio recordings that contain personal details can be used for spear-phishing or social engineering attacks, impersonation, identity theft and more.

You can read the full report here: https://www.websiteplanet.com/news/hello-gym-breach-report/

September Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on September 9, 2025 by itnerd

Tyler Reguly, Associate Director, Security R&D, Fortra

Today, we have to start with the CVE that made me do a double take. A CVE that I feel should be rejected by MITRE – CVE-2025-55234. We know that relay attacks are possible against SMB and we know that there are hardening mechanisms available to assist with this. So, why is Microsoft releasing a CVE where they state, “Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks.” (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55234)

As far as I’m concerned, Microsoft told us they have assigned a CVE not because of a vulnerability but to raise awareness to new auditing capabilities that they’ve added to assist with protective measures. If that is the case, that is a misuse of the CVE system. If that is not the case, then Microsoft needs to provide clarification very quickly.

This month there is a single CVE with a CVSS score in the critical range, CVE-2025-55232 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55232), a vulnerability in the Microsoft High Performance Compute (HPC) Pack that could allow unauthorized attackers to execute code over the network. That makes this a CVSS 9.8 vulnerability and one that people need to pay attention to. Microsoft has provided mitigation steps for those that cannot update immediately. This is important as the update for HPC Pack 2016 is to migrate to HPC Pack 2019 as there is no fix for HPC Pack 2016. Thankfully, Microsoft has labeled this as exploitation less likely with a severity of important, but it is still something that you’ll want to pay attention to if you have the High Performance Compute Pack deployed in your environment.

While Microsoft has identified 11 vulnerabilities as critical this month, only one of those is identified as exploitation more likely: a vulnerability in NTLM that could allow an authorized attacker to gain SYSTEM level privileges via a network-based attack. This is what you’ll want to pay attention to until you have patches deployed. Since this is a privilege escalation for an authenticated user, this is one of those “the call is coming from inside the house” type situations and a great way for attackers to potentially move laterally in your network.

For CSOs paying attention this month, I would have a couple of questions that I’d ask my team to take back to my Microsoft reps.

First, are they confident that there was no exploitation or disclosure related to CVE-2025-55241 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55241), a vulnerability in Azure Entra that allowed for privilege elevation without the need for privileges… something I would typically think of as code execution rather than privilege escalation. This is a no customer action required vulnerability and has already been resolved by Microsoft, but knowing more about the scenario and having a guarantee that there was no past exploitation would be important to me.

Second, I would want to know more about CVE-2025-55234 and whether there truly is a vulnerability associated with it. If this is a vendor using a CVE simply to add a feature, that is something that CSOs everywhere need to push back against. There are enough legitimate CVEs being issued, that we shouldn’t have to worry about CVEs without new vulnerabilities. This just adds complexity to an already complex situation.

Guest Post: Media streaming platform Plex suffers a data breach

Posted in Commentary with tags on September 9, 2025 by itnerd

Be careful – customer emails and passwords have been stolen

Plex, a popular media streaming platform, has issued a warning to its customers regarding a recent data breach. During the incident, a hacker stole customer authentication data. As a result, users are being advised to reset their passwords.

According to Plex, the stolen data includes email addresses, usernames, securely hashed passwords, and authentication data.

In its data breach notification, Plex stated: “We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure. An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.” The company added that no payment card information was stolen.

Karolis Arbaciauskas, head of product at NordPass comments:

“Plex stresses that account passwords were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. But we still recommend resetting passwords. You can do this here. I would also advise enabling the ‘Sign out connected devices after password change’ option and turning on two-factor authentication for added protection.

“For those using SSO to log in, it would be best to log out of all active sessions. That can be done here, by clicking the button ‘Sign out of all devices.’ For step-by-step instructions on how to reset your password, visit this link.

“Remember to also inform your family and friends about this change. After a password reset, users will need to log in again on all their devices using the new credentials. A password manager can be helpful for securely generating and sharing these new credentials.

“Although the company insists the data leak was limited and the passwords were hashed, users should still be extra careful, especially if they reuse passwords. And people do reuse passwords. As many as 62% of Americans, 60% of Brits, and 50% of Germans admit doing so across multiple online accounts, our survey shows.

“For those who reuse passwords, there’s a risk that some credentials may have already been or will be exposed on the dark web. It’s highly probable that malicious actors will attempt to connect the dots and use these previously leaked passwords to gain unauthorized access to Plex accounts.

“Remember that after major data leaks, social engineering attacks tend to intensify. So users should be a bit more suspicious for some time. Be wary of unsolicited emails and messages, even if they seemingly are from Plex or even the police. If you receive such messages, be extremely careful because links can lead to pages that are designed to steal even more of your data. If you are not sure about the email or a message, it is better not to click on the link. In its breach notification, Plex also emphasizes that it never reaches out over email to ask for a password or credit card number for payments.”

ABOUT NORDPASS

NordPass is a password manager for both business and consumer clients. It’s powered by the latest technology for the utmost security. Developed with affordability, simplicity, and ease of use in mind, NordPass allows users to securely access their passwords on desktop, mobile, and browsers. All passwords are encrypted on the device, so only the user can access them. NordPass was created by the experts behind NordVPN – the advanced security and privacy app trusted by more than 14 million customers worldwide. For more information: nordpass.com.