Exposure Management - RedSeal


Close the Gap: How RedSeal Workflow Turns Exposure Insights into Action

Visibility is the Starting Point, Not the Finish Line.

Security leaders know that finding exposures is only half the job. The real challenge is closing them.

Across complex hybrid environments, vulnerabilities continue to surface faster than teams can address them. Tickets move manually, fixes go unvalidated, and integrations break. Attackers are moving faster as well. The 2025 Verizon Data Breach Investigations Report (DBIR) emphasizes the ever-widening gap between attackers and defenders: threat actors can often weaponize new vulnerabilities in as little as 3 days, yet organizations frequently take over 100 days to fully remediate those same critical issues.

That is the gap where risk lies, and where RedSeal Workflow helps close it.

Where Exposure Management Stalls

Even mature exposure management programs face common challenges that slow progress and reduce effectiveness:

  • Manual effort: Organizations face significant delays in patching critical flaws due to inefficient, manual processes; the average mean time to remediate (MTTR) a high or critical severity network/device vulnerability is approximately 54.8 days—nearly two months. (Edgescan 2025 Vulnerability Statistics Report)
  • Siloed accountability: Security, networking, and compliance teams often pursue different priorities without shared visibility.
  • Costly integrations: Custom connectors to ServiceNow or Jira often require expensive consulting and ongoing maintenance.
  • Risky changes: Misconfigurations and security policy violations remain major exposure points, accounting for an estimated 35% of all general cyber incidents. (SentinelOne, What is Security Misconfiguration?, 2025)

These roadblocks leave teams stuck in a cycle of discovery without resolution, the very issue RedSeal Workflow was built to address.

Turning Visibility into Validated Action

RedSeal Workflow is a low/no-code automation builder that embeds RedSeal’s exposure intelligence into the systems your teams already use, including ServiceNow, Jira, Slack, Teams, and more.

It aligns people, data, and processes so remediation becomes consistent, measurable, and provable instead of manual and ad-hoc.

Four Business Use Cases Where Workflow Delivers

  1. Faster Risk Reduction (Exposure Closure)

Workflow automates every step of the remediation cycle, from discovery and ticket creation to validation after remediation.

Result: Teams close exposures up to 60% faster and reduce their attack surface more effectively.

  2. Continuous Compliance

Workflow continuously checks RedSeal data against frameworks like PCI, NIST, and HIPAA, identifying gaps and generating reports automatically.

Result: Audits become continuous and predictable, saving hundreds of staff hours each year.

  3. Operational Efficiency and Cost Avoidance

Automating ticket routing and eliminating custom connectors cut manual work by 50-60 percent and integration costs by 40-60 percent.

Result: Most organizations see 3–6x ROI in the first year, often recovering the cost with a single avoided project.

  4. Change Assurance

Workflow validates network and cloud configurations before and after each change to prevent new exposures.

Result: Approvals move faster, failed changes drop by roughly 30%, and operations stay secure.

Making Exposure Management Practical

Adding another tool is rarely the answer. The key is connecting people and processes around shared, validated data. RedSeal Workflow enables that connection by embedding automation and visibility directly into day-to-day operations so teams can continuously reduce exploitable risk.

Real-World Results

A Fortune 500 financial services company needed to integrate RedSeal with ServiceNow to streamline remediation. Rather than hire consultants to build a custom connector, the internal team used Workflow to create the integration themselves in a matter of hours.

They also connected prioritized alerts to Microsoft Teams and Slack, giving remediation teams faster visibility and accountability. The result was faster closure of exposures, measurable cost savings, and a process that fits the organization’s environment instead of the other way around.

Why It Matters Now

Attackers are exploiting faster, budgets are tighter, and exposure lists are longer. The 2025 Edgescan Vulnerability Report found that more than 33% of infrastructure vulnerabilities remain high or critical severity, underscoring that manual, disconnected processes can no longer keep up.

According to the Gartner® report Exposure Management Vendors Must Get Preemptive or Perish (2025), exposure management providers “must lean into preemptive, proactive, and predictive technologies to thrive.” The report explains that preemptive exposure management goes beyond traditional discovery, focusing instead on continuous validation, prioritization, and automated action to reduce risk at scale. Gartner further cautions that vendors failing to adopt preemptive cybersecurity strategies “will begin losing clients in 2026.”

RedSeal Workflow brings that vision to life by automating the handoffs, validations, and communication that turn visibility into verified closure.

Closing the Gap

Exposures are exploited in days, not months. Closing that gap requires coordination across teams, not just more alerts or dashboards.

RedSeal Workflow helps organizations make that coordination practical. It adapts to existing environments and processes so exposure management finally fits the business.

See how Workflow helps your teams see more, act faster, and prove measurable impact.

Contact us to schedule a personalized demo.

Managing Legacy Systems and Reducing Exposure

Legacy systems are the unsung workhorses of many organizations, quietly powering essential operations in sectors like manufacturing, healthcare, and finance. These systems, often built decades ago, continue to function reliably. However, their age and design can introduce significant cybersecurity vulnerabilities that modern attackers are all too eager to exploit.  

Why legacy systems pose unique cybersecurity risks

Legacy systems often lack modern security features, making them especially vulnerable to today’s cyber threats. They may run outdated software, lack vendor support, and be incompatible with current security tools. This combination creates an environment where vulnerabilities can persist unaddressed, increasing the risk of exploitation.  

A notable example is the 2020 Accellion File Transfer Appliance (FTA) breach, where attackers exploited vulnerabilities in a legacy system, leading to data breaches across multiple organizations. This incident underscores the potential consequences of maintaining outdated systems without adequate security measures.   

Practical strategies for mitigating risks 

1. Conduct a comprehensive asset inventory

First and foremost, organizations must understand what legacy systems they have. A detailed inventory enables teams to:

  • Identify outdated software and configurations
  • Prioritize systems based on their risk profile
  • Inform future modernization efforts

Without visibility, risk mitigation becomes guesswork.

2. Use network segmentation to isolate risk

Next, consider isolating legacy systems from the rest of your IT environment. By using network segmentation, you can:

  • Limit the spread of malware
  • Restrict access to high-risk systems
  • Create a buffer between old and modern infrastructure

This approach is especially useful when systems can’t be immediately replaced.

3. Implement a robust exposure management program

Exposure management involves continuously identifying, validating, and addressing vulnerabilities across your environment. For legacy systems, this might include:

  • Risk-based vulnerability assessments
  • Custom security controls or compensating measures
  • Ongoing validation of mitigation strategies

Proactively managing exposure helps stay ahead of evolving threats.

4. Monitor and patch wherever possible

Although some legacy systems cannot be patched easily, regular monitoring remains critical. Organizations should:

  • Apply available updates as often as possible
  • Use security tools to detect suspicious behavior
  • Establish incident response protocols for legacy environments

Even basic visibility can significantly reduce dwell time in the event of a breach.

5. Build a culture that supports legacy system security

Addressing legacy system risk isn’t just a technical problem—it’s a cultural one, too. Success requires cross-functional alignment and buy-in from leadership. Consider:

  • Investing in security awareness training focused on legacy systems
  • Empowering IT and security teams to advocate for modernization
  • Allocating budget to prioritize exposure management and risk reduction

When security becomes a shared responsibility, organizations are better equipped to safeguard aging infrastructure.

Security without sacrificing stability

Legacy systems, while essential to many organizations, come with cybersecurity trade-offs that can’t be ignored. But with the right strategy—including visibility, isolation, continuous assessment, and cultural support—organizations can reduce risk without sacrificing stability.

By taking these steps, your organization can honor the past—without leaving the door open to future threats.

RedSeal helps you identify hidden risks in legacy and modern environments and proactively manage exposure—without active scanning. Contact us today to learn how RedSeal can help you reduce your legacy system risk.


Building Resilience with Exposure Management Tools

Picture this: A financial institution’s network is suddenly compromised, with cybercriminals exploiting an overlooked vulnerability in their system. Sensitive information is at risk, and operations grind to a halt. Now, imagine this scenario is avoided entirely—because the organization had a proactive, comprehensive exposure management strategy in place. By continuously identifying, assessing, and mitigating vulnerabilities, they ensured their defenses were strong, and business continuity was preserved. 

Understanding Exposure Management 

Exposure management is the strategic process of identifying and addressing security risks associated with an organization’s digital assets. This includes known vulnerabilities and misconfigurations, shadow IT, and other security gaps that adversaries might exploit. By taking a holistic, risk-based perspective, exposure management focuses on reducing exposure to threats before they materialize into incidents.   

The Role of Continuous Threat Exposure Management (CTEM) 

Continuous Threat Exposure Management (CTEM) is a proactive cybersecurity strategy that continuously identifies and reduces risk across an organization’s attack surface. CTEM involves a five-phase approach: scoping, discovery, prioritization, validation, and mobilization. This iterative process enables organizations to anticipate, identify, and mitigate vulnerabilities across their digital footprint, enhancing their overall security posture.   

Best Practices for Effective Exposure Management 

To build resilience through exposure management, organizations should consider the following best practices: 

  1. Automate Processes: Automating exposure management tasks can significantly reduce the time and effort required to identify and remediate vulnerabilities. Automation helps scale efforts and minimize human error.
  2. Prioritize Based on Risk: Not all vulnerabilities pose the same level of threat. Prioritizing remediation efforts based on the potential impact and exploitability ensures that resources are focused where they are needed most.
  3. Conduct Regular Security Audits: Regular assessments help identify new vulnerabilities and ensure that existing security measures are effective. Audits provide a comprehensive view of the organization’s security posture.
  4. Integrate Threat Intelligence: Incorporating external threat intelligence feeds into the exposure management framework allows organizations to stay informed about emerging threats and adapt their defenses accordingly.

Leveraging RedSeal for Enhanced Exposure Management 

RedSeal’s platform offers comprehensive network modeling and risk scoring capabilities that can significantly enhance an organization’s exposure management process. By providing detailed insights into network architecture and highlighting critical assets, RedSeal enables security teams to: 

  • Visualize Network Exposure: Understand how vulnerabilities could be exploited within the network context, identifying potential attack paths to high-value assets.  
  • Assess Impact and Reachability: Determine the potential impact of vulnerabilities by analyzing their reachability to critical systems, allowing for informed prioritization decisions. 
  • Integrate with Existing Tools: Seamlessly incorporate data from various security tools to provide a unified view of vulnerabilities, enhancing the accuracy of risk assessments. 

By integrating RedSeal’s capabilities into their exposure management strategy, organizations can move beyond traditional approaches, focusing remediation efforts where they are needed most and strengthening their overall security posture. 

Conclusion 

Building resilience through exposure management is essential in the face of evolving cyber threats. By adopting a proactive approach, leveraging advanced tools, and adhering to best practices, organizations can effectively identify and mitigate vulnerabilities, ensuring robust protection for their digital assets. Check out how RedSeal can support your Exposure Management journey and eliminate the need for multiple tools and manual integrations.


The Future of Exposure Management: From Vulnerability Counts to Business Context

In cybersecurity, volume has become the enemy of clarity. Enterprises today face thousands—sometimes millions—of potential vulnerabilities across hybrid infrastructures. And while scanning and patching remain foundational practices, it’s clear that traditional vulnerability management doesn’t scale to today’s threat landscape. 

That’s where exposure management comes in. It’s not about checking off CVEs from a list. It’s about understanding which exposures, whether unpatched systems, misconfigured access, or forgotten assets, actually matter, based on context, reachability, and business impact. 

Why Exposure Management Needs to Evolve 

The modern attack surface is sprawling and dynamic. Cloud environments, third-party services, legacy infrastructure, and unmanaged assets introduce exposures that are difficult to track with legacy tools and periodic assessments. What’s needed is a shift from reactive scanning to continuous, risk-informed exposure reduction. 

A recent blog by the SANS Institute describes this shift as a necessary evolution: “Organizations must stop treating vulnerabilities as one-dimensional. The real risk lies in how threats can exploit those weaknesses through accessible paths to high-value assets.” (SANS) 

From Vulnerability Lists to Risk-Based Prioritization 

The next generation of exposure management tools must look beyond severity scores. A CVSS 9.8 vulnerability on an isolated, non-critical system is not as urgent as a CVSS 6.5 on a device directly reachable from the internet with lateral movement paths into sensitive areas. 

This is why reachability modeling, asset classification, and network context matter. As Carnegie Mellon’s CERT Division has noted, “Risk is not just about the presence of a flaw, it’s about the ability to exploit it within the operational environment.” (SEI CERT) 
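As an added example (not RedSeal's code or scoring model) of the prioritization argument above, and of the segmentation step recommended for legacy systems earlier on this page, the following Python ranks constructed sample hosts by whether the internet can reach them and by what an attacker could reach from them, then shows how removing one permitted flow changes the ranking. The zone names, hosts, CVSS values, the 1-to-5 criticality scale and the scoring formula are all assumptions.

```python
"""Reachability-aware exposure ranking (added example, not RedSeal's model).

Zones and the flows the firewalls permit form a directed graph. A vulnerability
only counts as exposed if its zone is reachable from the internet, and its
score grows with the criticality of what an attacker could reach from there
(the "lateral movement paths into sensitive areas" in the text).
All hosts, zones and rules below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    cvss: float
    criticality: int  # assumed scale: 1 (low) .. 5 (crown jewel)


# Permitted zone-to-zone flows, i.e. what the firewall rules allow (constructed).
ZONE_FLOWS = {
    "internet": {"dmz"},
    "dmz": {"app"},
    "app": {"db"},
    "db": set(),
    "ot-legacy": set(),  # segmented off: no rule lets traffic in from other zones
}

HOSTS = [
    Host("legacy-hmi", "ot-legacy", 9.8, 2),  # isolated, non-critical
    Host("vpn-gw", "dmz", 6.5, 2),            # directly internet-facing
    Host("app-srv", "app", 7.2, 3),
    Host("db-srv", "db", 5.3, 5),             # crown jewel
]


def reachable(flows, start):
    """BFS over permitted flows; returns {zone: hops from start} (start is 0 hops)."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, ()):
            if nxt not in hops:
                hops[nxt] = hops[zone] + 1
                queue.append(nxt)
    return hops


def blast_radius(host, hosts, flows):
    """Highest criticality an attacker could reach after compromising host."""
    downstream = reachable(flows, host.zone)
    return max(h.criticality for h in hosts if h.zone in downstream)


def exposure_score(host, hosts, flows):
    """0 if no permitted path from the internet reaches the host's zone;
    otherwise CVSS x blast radius, divided by the hops an attacker needs."""
    from_internet = reachable(flows, "internet")
    if host.zone not in from_internet:
        return 0.0
    return round(host.cvss * blast_radius(host, hosts, flows) / from_internet[host.zone], 2)


def rank_by_exposure(hosts, flows):
    """Return [(name, score)] most exposed first; raw CVSS breaks ties."""
    scored = [(exposure_score(h, hosts, flows), h) for h in hosts]
    scored.sort(key=lambda t: (-t[0], -t[1].cvss))
    return [(h.name, s) for s, h in scored]


def rank_by_cvss(hosts):
    """The severity-only ordering the text argues against."""
    return [(h.name, h.cvss) for h in sorted(hosts, key=lambda h: -h.cvss)]


def with_flow_removed(flows, src, dst):
    """Model a segmentation change: drop the permitted flow src -> dst."""
    cut = {zone: set(targets) for zone, targets in flows.items()}
    cut[src].discard(dst)
    return cut


if __name__ == "__main__":
    print("by CVSS:     ", rank_by_cvss(HOSTS))
    print("by exposure: ", rank_by_exposure(HOSTS, ZONE_FLOWS))
    segmented = with_flow_removed(ZONE_FLOWS, "app", "db")
    print("after cutting app->db:", rank_by_exposure(HOSTS, segmented))
```

The CVSS 9.8 on the isolated legacy host scores zero in both runs, while the CVSS 6.5 internet-facing gateway tops the list because the database is reachable behind it; cutting the app-to-db flow lowers every score without touching a single patch.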

The Role of Continuous Monitoring and Simulation 

One major trend in the future of exposure management is the move toward continuous visibility and simulation. Rather than waiting for quarterly scans or annual audits, organizations are embracing persistent exposure assessment as a daily discipline. 

Continuous Threat Exposure Management (CTEM), a model described by Gartner and supported by NIST guidelines, emphasizes a five-phase approach: scoping, discovery, prioritization, validation, and mobilization. CTEM is not a product. It’s a programmatic shift that aligns cyber risk visibility with business priorities. (NIST SP 800-137) 

Reducing Exposure Without Disrupting Operations 

Let’s be realistic: not everything can be patched. Legacy systems often run critical workloads and can’t tolerate downtime. Exposure management helps security teams navigate that reality by identifying alternative controls, like segmentation, policy updates, or virtual patching, based on which assets are actually exposed. 

As the Center for Internet Security (CIS) explains in their Controls v8, organizations must “continuously manage asset exposures and reduce attack paths, not just catalog vulnerabilities.” (CIS Controls v8) 

Final Thoughts 

The future of exposure management is about clarity over chaos. It’s about knowing what matters, what’s reachable, and what could impact the business, not chasing every alert with equal urgency. By combining continuous monitoring, contextual visibility, and strategic prioritization, exposure management becomes not just a security process but a business enabler. With the right strategy and RedSeal’s ability to support a continuous threat exposure management (CTEM) process at every step, organizations make smarter, data-driven security decisions before attackers strike. Contact us today to learn more.

Cyber News Roundup for June 13, 2025

Hacking the Hackers: When Bad Guys Let Their Guard Down

A string of operational security failures by threat actors has unexpectedly empowered defenders in what’s being dubbed “Hacking the Hackers.” According to Dark Reading’s analysis, live leaks of memory footprints and internal communications—often resulting from poor cleanup or disgruntled insiders—have provided defenders with direct visibility into the playbooks of malware and ransomware groups like DanaBot, Black Basta, and Conti. These lapses let researchers reconstruct attack sequences, tooling choices, and command-and-control (C2) infrastructures with clarity rarely afforded. Notably, this trend emphasizes that sometimes cyber defenders gain an upper hand not through flawless attacks, but thanks to threat actors’ own mistakes. This shift enables more proactive defense measures, including early detection signatures and threat hunting routines built on adversary-specific artifacts. The analysis highlights how vigilant defenders are increasingly “hacking the hackers” by exploiting adversaries’ carelessness to enhance organizational resilience.

(Dark Reading)

GitLab patches multiple vulnerabilities in its DevSecOps platform

GitLab has issued urgent security updates to patch multiple vulnerabilities in its DevSecOps platform. The flaws include account takeover risks and the ability for attackers to inject malicious jobs into CI/CD pipelines. The fixes are included in GitLab versions 18.0.2, 17.11.4, and 17.10.8. Critical issues addressed include HTML injection (CVE-2025-4278), missing authorization (CVE-2025-5121), cross-site scripting (CVE-2025-2254), and a denial-of-service flaw (CVE-2025-0673). GitLab.com is already patched, and users of self-managed instances are urged to upgrade immediately.

(Bleeping Computer)

Researchers unveil a covert method for exfiltrating data using smartwatches

Researchers in Israel have unveiled “SmartAttack,” a covert method for exfiltrating data from air-gapped systems using smartwatches. The attack involves malware on a secure, isolated computer emitting ultrasonic signals via built-in speakers. These inaudible tones, modulated to carry data, are picked up by a smartwatch microphone worn nearby. The watch then transmits the data via Wi-Fi, Bluetooth, or cellular networks. Though challenging and theoretical, the attack shows how insider threats can bypass physical isolation. Experts recommend banning smartwatches and disabling speakers in sensitive areas to mitigate risk.

(TechCrunch)

Erie Insurance has confirmed a cyberattack as the root cause of recent operational disruptions, raising concerns about potential data exposure

The Pennsylvania-based insurer acknowledged that a June 2024 cybersecurity incident was responsible for delays and interruptions to its customer services. Although the company has not disclosed the exact nature of the attack, it confirmed the involvement of an unauthorized third party and is actively working with forensic experts to investigate the scope of the breach. Erie has also involved law enforcement and taken steps to restore normal operations. At this time, it’s unclear whether customer or employee data was compromised, but the company promises to notify affected individuals should any data exposure be confirmed. This incident highlights the growing risk that cyberattacks pose to financial services organizations, which are often prime targets for threat actors seeking sensitive personal information.

(BleepingComputer)

Google Cloud and Cloudflare outages reported

Google Cloud and Cloudflare suffered outages yesterday, affecting services such as Google Home/Nest, Snapchat, Discord, Shopify and Spotify, as well as creating access authentication failures and Cloudflare Zero Trust WARP connectivity issues. Downdetector received tens of thousands of reports, with impacted users experiencing Cloudflare and Google Cloud server connection, website, and hosting problems. The issue started around 1:15 p.m. ET and was being resolved through the afternoon.

(The Verge)


Journalists are confirmed targets of Paragon’s Graphite spyware

A forensic investigation by Citizen Lab has confirmed that Paragon’s Graphite spyware was used in zero-click attacks targeting iPhones of at least two journalists in Europe. The attacks exploited a then-unknown vulnerability in iOS 18.2.1, since assigned CVE-2025-43200, which allowed malicious photos or videos shared via iCloud Links to compromise devices. Apple notified the victims on April 29, identifying the spyware as “advanced.” The Graphite platform is believed to be part of Paragon’s mercenary spyware operations. The flaw has since been patched by Apple.

(BleepingComputer)

Librarian Ghouls’ Cyberattackers Strike at Night

A stealthy threat group known as “Librarian Ghouls” has been quietly targeting Russian organizations in a prolonged cyberespionage campaign. According to Kaspersky researchers, the group has operated since at least December 2024 and focuses on stealing sensitive data while minimizing its digital footprint. Librarian Ghouls employs “living-off-the-land” techniques, using legitimate administrative tools like 4t Tray Minimizer and Mipko employee monitoring software to blend into normal system activity and avoid detection. They launch their attacks during off-hours—primarily at night and on weekends—reducing the likelihood of triggering alarms. The attackers also leverage PowerShell scripts and custom info-stealers to extract data, particularly targeting email communications. This campaign exemplifies the increasing sophistication of threat actors who avoid traditional malware in favor of covert, tool-based persistence.

(Dark Reading)

AI-powered “ghost students” enrolling in online college courses to steal government funds

Financial aid fraud is on the rise, fueled by identity theft and AI-powered “ghost students” enrolling in online college courses to steal government funds. Criminals use stolen personal data to apply for grants and loans, often enrolling in community colleges where low tuition means more aid goes directly to students. In 2024 alone, California colleges reported 1.2 million fake applications, leading to over 223,000 suspected fraudulent enrollments and at least $11.1 million in unrecoverable aid. Victims often learn about the fraud only after seeing credit score drops or loan notifications. Clearing their names can take years. To combat the trend, the U.S. Education Department now requires ID verification for new aid applicants. However, federal staffing cuts may undermine efforts to detect and prevent these increasingly sophisticated scams.

(SecurityWeek)

Mozilla patches two critical Firefox security flaws

Mozilla has released Firefox 139.0.4 to patch two critical security flaws that could crash the browser or allow hackers to run malicious code. The first, CVE-2025-49709, involves memory corruption in Firefox’s canvas rendering system. If triggered by specially crafted web content, it could let attackers exploit memory issues and compromise browser stability. The second flaw, CVE-2025-49710, is an integer overflow in Firefox’s JavaScript engine, specifically in the OrderedHashTable structure. This could lead to heap buffer overflows and similar risks when handling JavaScript-heavy websites. Both vulnerabilities are rated high severity with CVSS scores over 8. Mozilla urges users and enterprise admins to update to version 139.0.4 immediately via the built-in updater or Mozilla’s website to protect against potential exploitation.

(Cyber Security News)

Zero-click data leak flaw in Copilot

Researchers at Aim Labs documented a flaw in Microsoft 365 Copilot dubbed EchoLeak, part of an emerging class of “LLM Scope Violation” vulnerabilities. By sending an email with a hidden prompt injection in an otherwise banal business email, the researchers could get around Microsoft’s cross-prompt injection attack classifier protections. When a user later asks about the email, the Retrieval-Augmented Generation, or RAG engine, pulls in the malicious injection, inserting internal data into a crafted markdown image and sending it to a third-party server. Aim Labs reported the issue to Microsoft back in January, which subsequently issued a server-side fix in May.

(Fortune, Bleeping Computer)

Friendly skies…or friendly spies? 

It turns out the major U.S. airlines—yes, the ones that can’t find your luggage—have been quietly selling your domestic flight data to Customs and Border Protection (CBP). An investigative report from 404 Media reveals that through a data broker the airlines own called ARC, airlines shared names, itineraries, and payment info, all while telling CBP not to mention them by name. This cloak-and-dagger data deal, documented through FOIA requests, supports tracking “persons of interest” without pesky things like warrants. The program, known as the Travel Intelligence Program, updates daily and holds over a billion records. Civil liberties advocates are, unsurprisingly, unimpressed. One called it a digital-age revival of the “collect it all” mentality. Meanwhile, Congress is starting to ask airlines why their loyalty programs apparently come with complimentary government surveillance.

Turns out, when it comes to data collection…the sky’s the limit.

(404 Media)

Five zero-day vulnerabilities in Salesforce Industry Cloud are uncovered

Security researchers at AppOmni uncovered five zero-day vulnerabilities and 15 serious misconfigurations in Salesforce Industry Cloud, potentially impacting tens of thousands of organizations. Salesforce Industry Cloud offers low-code tools tailored for sectors like healthcare, finance, and government, but its ease of use can lead to risky default settings. Three of the five flaws were fixed by Salesforce directly, while two require customer action. The remaining issues stem from common misconfiguration traps, often caused by non-technical users unknowingly applying insecure access settings. These missteps could lead to major data breaches, including exposure of sensitive health or financial data. AppOmni’s scans show these risks are widespread among Industry Cloud users, raising serious concerns about security in low-code enterprise platforms designed for speed and simplicity.

(SecurityWeek)

PoC Code escalates Roundcube Vuln threat

A critical Roundcube webmail flaw with a CVSS score of 9.9 is now a major threat after proof-of-concept code was publicly released. The 10-year-old bug lets authenticated attackers execute remote code via a malicious URL exploiting PHP’s object handling. Over 85,000 unpatched servers are exposed globally. Login credentials are required to exploit it, but attackers can pair it with older credential-theft bugs for full compromise. A patch is available, but researchers warn organizations to update immediately and monitor for malicious activity.

(Dark Reading)

SentinelOne rebuffed a China-linked “PurpleHaze” APT targeting its internal infrastructure

SentinelOne revealed that it was the target of a thwarted cyberattack in October 2024 by a group linked to Chinese nation-state actors, specifically associated with APT15 (also known as Ke3chang or Vixen Panda). The threat actor, referred to as “UNC5174” or “PurpleHaze,” was also found to have compromised over 70 global organizations spanning the defense, telecommunications, and IT sectors. The attackers used legitimate software tools and the ShadowPad malware framework to quietly infiltrate systems and conduct espionage. SentinelOne worked with international security partners to identify and warn affected victims, stressing the importance of proactive threat hunting and detection capabilities. The attack underscores the growing boldness of state-sponsored groups and the strategic value they place on targeting cybersecurity firms themselves.

(Cybersecurity Dive) 

Chinese hackers target U.S. smartphones 

A recent cyberattack targeting smartphones of U.S. officials and professionals in politics, tech, and journalism has raised alarms among cybersecurity experts. Investigators at iVerify linked the unusual crashes to a zero-click hack, likely by Chinese hackers, that allowed access to phones without user interaction. Victims had ties to fields of interest to China’s government.

Experts say smartphones, often less protected than other systems, are becoming key targets for espionage. Devices belonging to Donald Trump’s campaign and top aides were also reportedly targeted. Lawmakers fear Chinese state-owned firms could exploit their tech presence in global networks. The U.S. is responding with new initiatives like a “cyber trust mark” for secure connected devices. Still, officials warn that even the most secure device is vulnerable if users ignore basic precautions. Cyber lapses, like misconfigured apps or unsecured connections, remain a serious national security risk.

(Associated Press) 

United Natural Foods hit by cyberattack

The company confirmed it discovered a cyberattack on June 5, 2025, according to an 8-K filing with the US SEC. United Natural Foods is North America’s largest publicly traded wholesale food distributor, with 53 distribution centers. The company proactively took some systems offline due to the attack, disrupting customer orders. At the same time, anecdotal posts on social media mention some worker shifts cancelled as well. No ransomware group took credit for the attack, and the company has not released further details about any data loss or what systems the attacker accessed.

(Bleeping Computer)

Russian companies hit with LockBit

You don’t tug on Superman’s cape, you don’t spit into the wind, you don’t pull the mask off of old Lone Ranger, and you don’t have your ransomware affiliates attack Russia. Those used to be the rules. However, the Russian cybersecurity firm Positive Technologies identified a financially motivated group called DarkGaboon that was doing just that: deploying LockBit 3.0 ransomware. Unlike typical LockBit affiliates, DarkGaboon seems to operate entirely independently, using Russian-language phishing emails with malicious attachments claiming to be legitimate financial documents. Researchers say the group appears to have operated since at least 2023, but its use of open-source tools in other parts of its attack chain made attribution difficult.

(The Record)

FBI keeps Leatherman in its back pocket

FBI Director Kash Patel named agency veteran Brett Leatherman as assistant director and head of the Cyber Division. During his 22-year career, Leatherman served as section chief for cyber investigations and deputy assistant director for the last three years and has been the FBI’s public face for communications on major cyber incidents going back to the Colonial Pipeline attack. He takes over for Bryan Vorndran, who left the FBI to work as Microsoft’s deputy CISO. Given the number of personnel shakeups across government cybersecurity posts since January, this is a notable bit of continuity.

(Cyberscoop)

Cloudflare creates OAuth library with Claude

Last week, Cloudflare published an open-source OAuth 2.1 library that was written almost entirely by Anthropic’s Claude LLM. Notably, the company also published comprehensive documentation of the process, including a full prompt history. Given the sensitive nature of the library, this wasn’t an exercise in vibe coding: humans reviewed every part of the process. Software developer Max Mitchell reviewed the process and found the LLM excelled when given a substantial code block to work from, with clear context and an explanation of what needed to be changed. In all instances, the LLM excelled at generating documentation. However, the code needed human intervention for styling and other housekeeping tasks. Mitchell suggested treating this like collaborating with a human developer: expect back and forth rather than one-off prompting success. Cloudflare tech lead Kenton Varda, who oversaw the project, came into it with a healthy dose of skepticism, but ended up saying, “I was trying to validate my skepticism. I ended up proving myself wrong.”

(Max Mitchell, Neil Madden, GitHub)

SecOps teams must combat AI “hallucinations” to improve threat detection accuracy

Dark Reading warns that while generative AI accelerates incident detection and response, model hallucinations can generate false positives, mislead analysts, or leave gaps in investigations. Organizations are advised to implement robust model evaluation, training for AI oversight, and processes to cross-check alerts and avoid operational inefficiencies.

(Dark Reading)

ESET uncovers Iranian hackers targeting Kurdish and Iraqi government officials

Iran-linked hackers, identified as BladedFeline, have been conducting a years-long cyberespionage campaign targeting Kurdish and Iraqi government officials, according to ESET. Believed to be a subgroup of Iran’s OilRig (APT34), BladedFeline has operated since at least 2017, initially breaching the Kurdistan Regional Government (KRG) and later expanding to Iraq’s central government and even a telecom provider in Uzbekistan. The group uses custom malware like Shahmaran, Whisper, and PrimeCache to spy on systems, exfiltrate data, and maintain remote access. Entry points likely include exploited server vulnerabilities and webshells. Researchers say the campaign likely supports Iran’s geopolitical goals by monitoring the KRG’s Western ties and countering U.S. influence in Iraq. OilRig has a history of targeting critical sectors and using compromised networks for supply chain attacks.

(The Record)

Hitachi Energy, Acronis and Cisco patch critical vulnerabilities

Hitachi Energy has patched two critical vulnerabilities (CVE-2020-35198 and CVE-2020-28895) in its Relion 670 and 650 series and SAM600-IO devices, which are widely used in power grid protection and control. The flaws could allow remote attackers to trigger memory corruption, putting grid stability at risk. Hitachi Energy has released targeted updates and recommends users upgrade to secure revisions. No public exploitation has been reported, but mitigation steps are advised for older systems.

Acronis Cyber Protect users are urged to update immediately due to multiple critical vulnerabilities, including three with the highest CVSS score of 10.0. These flaws allow attackers to bypass authentication, access sensitive data, and escalate privileges. Updates have been available for a month. If updating isn’t possible right away, restrict network access and monitor systems for suspicious activity.

Cisco has patched 12 vulnerabilities across its products, including a critical flaw (CVE-2025-20286, CVSS 9.9) in cloud deployments of Identity Services Engine (ISE). This bug affects AWS, Azure, and Oracle Cloud ISE instances where shared credentials are improperly generated, allowing attackers to access sensitive data or modify configurations. No workarounds exist, and proof-of-concept (PoC) code is public. Cisco also addressed two high-severity SSH flaws in its IMC and Nexus Dashboard Fabric Controller (CVE-2025-20261 and CVE-2025-20163), which could allow unauthorized access or man-in-the-middle attacks. Additionally, nine medium-severity bugs were patched across various Cisco communication and management tools. Two have public PoC code, though no active exploitation is reported. Cisco strongly urges users to apply updates immediately.

(Beyond Machine, SecurityWeek)

Presidential cyber executive order signed

The President signed a new executive order aimed at refocusing U.S. cybersecurity policy by emphasizing secure software development, updated encryption, and internet routing security. The order revokes parts of Biden- and Obama-era directives, including digital identity initiatives, which it claims could increase fraud risks. It criticizes the previous administration for politicizing cybersecurity and shifts AI policy from potential censorship to identifying vulnerabilities. The order rolls back compliance mandates for software vendors, instead encouraging collaboration with industry partners. It also targets post-quantum cryptography and consumer device security.

(Cyberscoop)

OpenAI takes down ChatGPT accounts linked to state-backed hacking, disinformation

The owner of ChatGPT says threat actors from countries such as China, Russia, North Korea, Iran, and the Philippines are using the LLM product for three key areas of activity: social media comment generation; malware refinement and cyberattack assistance; and foreign employment scams. One example: using ChatGPT to publish comments on topics such as U.S. politics on TikTok, X, Reddit, Facebook, and other social media platforms, then shifting to other accounts that would reply to the same comments. They have also been using it to assist with writing scripts for brute-forcing passwords, as well as in conducting employment scams, including arranging for delivery of company laptops.

(The Record)

RedSeal Named Finalist for 2025 SC Awards: Best Continuous Threat Exposure Management (CTEM) Solution

RedSeal, a leader in proactive threat exposure management, today announced its recognition as a finalist in the prestigious 2025 SC Awards for Best Continuous Threat Exposure Management (CTEM) Solution. This nomination underscores RedSeal’s commitment to delivering innovative solutions that empower organizations to navigate the complexities of modern cybersecurity and proactively manage their evolving attack surface.

The SC Awards, now in their 28th year, honor outstanding achievements by cybersecurity professionals, leaders, and organizations dedicated to safeguarding digital assets. The 2025 SC Awards entries were evaluated across 33 specialty categories by a distinguished panel of judges, comprised of cybersecurity professionals, industry leaders, and members of the CyberRisk Alliance CISO community, representing sectors such as healthcare, financial services, education, and technology.

The SC Award committee noted, “In a world where attack surfaces are expanding, RedSeal empowers organizations to understand and manage their security risks with unmatched precision. By delivering comprehensive network modeling, continuous exposure assessments, and attack path analysis, RedSeal helps businesses stay ahead of cyber threats in real time.”

RedSeal’s selection as a finalist further highlights its pioneering approach to CTEM, specifically its patented validation-before-prioritization methodology. This unique capability enables organizations to accurately identify and rapidly mitigate genuine, exploitable threats, including those posed by sophisticated APT groups and critical vulnerabilities, often within hours of deployment.

“Being recognized as a finalist in the SC Awards for Best CTEM Solution is a powerful validation of our vision and the hard work of our team,” said Greg Enriquez, CEO of RedSeal. “In today’s dynamic threat landscape, continuous and accurate exposure management is paramount. This nomination reaffirms our commitment to providing solutions that go beyond simple vulnerability identification, offering actionable intelligence that significantly reduces risk and optimizes security operations for our customers.”

The SC Award committee also highlights that “A trusted solution among government agencies, financial institutions, and Fortune 500 enterprises, RedSeal continues to enhance its capabilities with AI-driven risk scoring, cloud security posture management, and proactive attack surface reduction. Its strong customer satisfaction ratings affirm that organizations rely on RedSeal to navigate today’s complex cybersecurity landscape with confidence.”

RedSeal’s comprehensive CTEM platform supports organizations by providing:

  • Unparalleled Network Visibility: A holistic view across complex, interconnected IT, OT, IoT, and cloud environments, eliminating blind spots.
  • Proactive Threat Intelligence: Defense aligned with CISA advisories, identifying and addressing real-time threats from advanced adversaries.
  • Intelligent Validation and Prioritization: A patented approach that accurately determines exploitability, focusing resources on critical risks and saving significant time.
  • Continuous and Automated Exposure Discovery: Ongoing identification of vulnerabilities, misconfigurations, and segmentation violations, enabling proactive risk mitigation.
  • Risk-Driven Remediation Orchestration: Prioritization based on business impact and exploitability, providing actionable insights and integrating with existing security workflows for efficient remediation.

RedSeal is at the forefront of addressing the critical need for continuous, context-aware security in today’s high-risk, highly regulated industries. Learn more about how RedSeal supports comprehensive CTEM strategies and contact RedSeal today for a demo.

Learn more at www.cyberriskalliance.com.