Computers and Cyber Security

January 2025: Recent Cyber Attacks, Data Breaches, Ransomware Attacks

What could an open-source toolkit, a cannabis product supplier, an AI startup from China and a UK telecom giant have in common? Not much, except that they have all been on the hit list of cyber criminals. Information on millions of customers has been compromised, operations have been disrupted, and worst of all, healthcare service delivery was yet again impacted at the start of the year.

Get the lowdown on the biggest cyber attacks, data breaches and ransomware attacks that made headlines in January 2025. 

 

Ransomware Review December 2024: FunkSec’s Meteoric Rise and the Growing Threat of RaaS

30 January 2025 at 11:43

Written by: Ekrem Çelik, Cybersecurity Researcher

Welcome to the December 2024 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.

The Black Kite Research & Intelligence Team (BRITE) tracked 535 ransomware incidents in December 2024. While it didn’t surpass the record-breaking 595 victims in November, December still proved to be a significant month. Of these incidents, an overwhelming 244 were in the United States and 27 in Canada, highlighting North America’s ongoing struggle as a primary target for ransomware attacks.

Top Threat Actors in December 2024

1. FunkSec Emerges as a Major Player with 87 Victims

December marked a turning point in the ransomware landscape as FunkSec dethroned RansomHub to become the leading threat actor with 87 victims. What makes FunkSec’s rise particularly remarkable is that it is a relatively new group in the ecosystem. Their operations have not been limited to ransomware; the group has been actively selling admin access and super access for various companies, offering a troubling range of services to their buyers. FunkSec primarily targeted the information sector and public administration industries this month, demonstrating a calculated focus on critical and data-heavy sectors. Their rapid ascent highlights their aggressive strategies and growing influence in the ransomware ecosystem.

FunkSec Ransom Note

2. RansomHub Maintains Stability with 57 Victims

After dominating the leaderboard since July, RansomHub dropped to the second spot with 57 victims in December. Despite losing its leadership position, RansomHub maintained its reputation as a consistent player in the ransomware space, continuing to target high-value organizations globally.

3. Akira Surges with 46 Victims

The Akira group surged to the third position this month with 46 victims, showcasing one of its most active and aggressive months of the year. Akira’s operations this month highlighted their ability to capitalize on vulnerabilities and expand their victim pool, signaling their intent to climb higher in the ransomware hierarchy.

They Hate Being Forgotten: Clop (Cl0p) Is Back Again

The Clop group added a chaotic twist to the month. Exploiting the Cleo file transfer vulnerability in December, they initially promised to release victim data “within 48 hours.” They then postponed to December 30, only to announce they were “taking a holiday break” and would publish the data after their return.

Clop’s statement about Cleo victims

In total, Clop announced 66 victims, but BRITE believes the actual number is higher. Their erratic behavior has left many wondering if the group is losing its grip or simply playing for attention. Regardless, Clop’s actions remind us of the unpredictable nature of threat actors and the challenges of staying ahead of them.

One thing is clear: Clop, despite its chaotic actions, refuses to be forgotten and remains a noteworthy player in the ransomware ecosystem.

LockBit 4.0 Introduces RaaS Pricing Model for Just $777

LockBit, once the industry leader, seems to be struggling to reclaim its former prominence. December saw the launch of LockBit 4.0, a move that many interpreted as an attempt to stay relevant. Along with this update, the group introduced a Ransomware-as-a-Service (RaaS) pricing model for just $777, making their tools accessible to smaller players in the ecosystem.

Payment page for access to the LockBit panel

This shift has raised eyebrows across the cybersecurity world. Is it a sign of innovation or desperation? Many believe this move reflects LockBit’s declining influence after facing increased law enforcement pressure and internal challenges.

What stands out most is that LockBit’s struggles highlight a harsh reality: nothing in the ransomware world is unbreakable. Even the strongest groups can fall, showing how unpredictable and tough this space can be.

At the same time, LockBit’s decline shows how much the fall of a single group affects the whole ecosystem. It is also a reminder of how hard it is to keep a group running steadily and stay on top in such a hostile environment.

RaaS Revolutionized Cybercrime in December 2024

The rise of Ransomware-as-a-Service (RaaS) has been one of the defining trends of December.

  • LockBit’s pricing model set off a ripple effect, inspiring other groups like FunkSec to adopt similar strategies.
  • Smaller threat actors are now able to access sophisticated ransomware tools at lower costs, democratizing cybercrime and complicating defense efforts.
Example RaaS sharing

RaaS not only increases the number of attacks but also lowers the barrier for entry, making it easier for less experienced actors to enter the game. This trend, if it continues, could make 2025 an even more challenging year for cybersecurity professionals.

2024: A Record-Breaking Year for Ransomware

2024 was a record-breaking year for ransomware. As groups continue to grow, tactics evolve, and victims are added to the lists, we can expect more records to be set in the coming months.

At Black Kite, the BRITE team remains committed to tracking threat actors in real time, analyzing their movements, and staying aware of emerging threats. As we enter 2025, staying one step ahead has never been more critical. For weekly updates on emerging cyber threats, please follow our Focus Friday blog series and LinkedIn account.



Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.




The post Ransomware Review December 2024: FunkSec’s Meteoric Rise and the Growing Threat of RaaS appeared first on Black Kite.

Top Telemedicine Software Development Companies in 2025

30 January 2025 at 01:26

Telemedicine software has become a game changer in the field of healthcare as it revolutionises the process of patient and provider interaction.

Due to the high demand for telehealth solutions, many companies are developing more effective and secure software that suits the needs of today’s medical field.

This article highlights the leading telemedicine software development firms in 2025, demonstrating their skills and offerings.

Penetration Testing: A Guide to Strengthening Cybersecurity Defences

29 January 2025 at 02:57

Today’s hyper-connected world demands robust cybersecurity measures. With data breaches and cyber attacks making headlines every day, organisations must stay vigilant against ever-evolving threats. Proactive protection is no longer optional; it’s essential for business continuity.

Secure Campaign Deliveries: Cybersecurity Tips for Email Marketers

29 January 2025 at 02:36

Email marketing is now a key element of business communication, providing an effective way to engage with audiences and support growth. However, as businesses increasingly depend on email marketing platforms, these tools have become prime targets for cyber attacks.

With threats like phishing and data breaches growing more advanced, strict cybersecurity measures are more important than ever today. To protect the integrity of email marketing campaigns, businesses must not only understand these risks but also implement strong security practices to stay ahead of potential threats.

Infographic: Healthcare Under Siege – The Ransomware Epidemic

27 January 2025 at 09:45

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

The healthcare sector is under attack, and the numbers paint a stark picture of the growing ransomware crisis. Our latest infographic, drawn from the 2025 Healthcare Ransomware Report, uncovers the alarming rise in ransomware incidents targeting healthcare organizations and the reasons behind this surge.

Key insights from the infographic:

Healthcare is now the 3rd most targeted industry for ransomware.

Rising from 7th place in just one year, the sector now accounts for 8% of all ransomware attacks—up from 5% in 2023. Overall, ransomware incidents in healthcare surged by 32.16% in the last year.

High-stakes operations make healthcare a lucrative ransomware target.

Ransomware groups are drawn to healthcare’s sensitive patient data and the urgency to restore disrupted services. Ransom demands in the sector can reach as high as $20 million, with both large hospitals and small practices feeling the impact.

Ransomware groups have evolved to target healthcare. 

Disruptions in the ransomware ecosystem, including the takedown of groups like LockBit and AlphV (BlackCat), and the growth in affiliates’ power, have led to the emergence of aggressive new players who don’t consider healthcare off-limits. For example, RansomHub offered affiliates a 90% payout with greater control over targets.

Patient safety is at risk from ransomware attacks.

These attacks are not just financial concerns—they jeopardize patient care and trust. Delayed surgeries, blocked medical records, and spillover effects on supply chains are just a few of the devastating consequences.

An early ransomware warning system is critical.

Black Kite’s Ransomware Susceptibility Index® (RSI™) offers healthcare organizations vital insights into ransomware risks, enabling them to prioritize and address vulnerabilities before attackers strike.

This infographic provides a detailed look at how ransomware attackers are zeroing in on the healthcare sector, from the tactics they use to the far-reaching impacts of their attacks. Whether you’re part of a major hospital system or a small clinic, the stakes are too high to ignore.

For an even deeper dive, explore our report, Healthcare Under Ransomware Attack: Why Healthcare Is Now the 3rd Most Targeted Industry in the Ransomware Cybercrime Ecosystem. It offers actionable strategies to help healthcare organizations stay ahead of the ransomware epidemic.



Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.




The post Infographic: Healthcare Under Siege – The Ransomware Epidemic appeared first on Black Kite.

FOCUS FRIDAY: TPRM Insights on FortiGate, QNAP, Mongoose, and W3 Total Cache Vulnerabilities with Black Kite’s FocusTags™

24 January 2025 at 10:18

Written by: Ferdi Gül

In today’s interconnected digital landscape, the rapid emergence of critical vulnerabilities demands an agile and informed approach to Third-Party Risk Management (TPRM). This week’s Focus Friday blog highlights high-profile incidents involving vulnerabilities in FortiGate firewalls, QNAP NAS systems, Mongoose, and the W3 Total Cache WordPress plugin. Each of these vulnerabilities poses unique challenges, from authentication bypasses enabling unauthorized access to database manipulation and SSRF attacks.

Leveraging Black Kite’s FocusTags™, we delve into the impact of these vulnerabilities from a TPRM perspective. This article offers detailed insights into the risks, remediation strategies, and questions TPRM professionals should be asking vendors to protect their ecosystems against potential breaches.

Filtered view of companies with FortiGate Leakage FocusTag™ on the Black Kite platform.

CVE-2022-40684: FortiGate Authentication Bypass Vulnerability

What is CVE-2022-40684?

CVE-2022-40684 is a critical authentication bypass vulnerability affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager products. This flaw allows unauthenticated attackers to perform administrative operations via specially crafted HTTP or HTTPS requests. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 97.26%, reflecting the significant likelihood of exploitation. First identified in October 2022, this vulnerability has been actively exploited in the wild, with reports of threat actors leveraging it to download device configurations and add unauthorized super_admin accounts. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-40684 to its Known Exploited Vulnerabilities catalog on October 11, 2022. 

As part of Black Kite Research & Intelligence Team (BRITE), we have proactively addressed the exposure of configuration files, IP addresses, and VPN credentials belonging to over 15,000 FortiGate devices identified and analyzed on the dark web.

Why Should TPRM Professionals Be Concerned About CVE-2022-40684?

Third-Party Risk Management (TPRM) professionals should be particularly vigilant regarding CVE-2022-40684 due to its potential impact on network security. The recent leak of configuration files and VPN credentials for over 15,000 FortiGate devices underscores the risk of unauthorized access to sensitive systems. If a vendor utilizes vulnerable FortiGate products, their compromised systems could serve as entry points for attackers, leading to data breaches and disruptions that may cascade to connected organizations. Given the critical role of firewalls in protecting network perimeters, any compromise can have far-reaching consequences.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2022-40684?

To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:

  1. Have you updated all instances of FortiOS, FortiProxy, and FortiSwitchManager products to the latest firmware versions where CVE-2022-40684 has been patched?
  2. Can you confirm if you have implemented IP restrictions, enhanced network activity monitoring, and deactivated the HTTP/HTTPS administrative interface as recommended in the advisory to mitigate the risk of CVE-2022-40684?
  3. Have you reset all VPN and administrative credentials, especially those previously configured, and reviewed your firewall rules and configurations to ensure they align with current security best practices following the FortiGate firewall configuration leak?
  4. Have you verified whether any of your FortiGate devices appear in the leaked data, and taken the necessary actions to prevent unauthorized access to sensitive systems?

Remediation Recommendations for Vendors

Vendors using affected Fortinet products should:

  • Update Firmware: Upgrade to the latest firmware versions that address CVE-2022-40684.
  • Change Credentials: Reset all VPN and administrative credentials, especially those previously configured.
  • Review Configurations: Assess and modify firewall rules and configurations to align with current security best practices.
  • Disable Administrative Interface: Deactivate the HTTP/HTTPS administrative interface to reduce the attack surface.
  • Implement IP Restrictions: Limit access to the administrative interface by allowing only trusted IP addresses.
  • Monitor Network Activity: Enhance monitoring to detect any unauthorized access or anomalies.
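The description above notes that attackers used the bypass to pull configurations and add super_admin accounts, and the “Monitor Network Activity” item asks vendors to look for that. Fortinet’s PSIRT guidance for CVE-2022-40684 names the telltale log artifact: an administrative login or configuration change attributed to the internal user Local_Process_Access with the ui field set to Node.js or Report Runner. The script below is an added example (not Black Kite’s or Fortinet’s code) that parses FortiOS key=value event logs and flags events matching that indicator; the sample log lines are constructed approximations of FortiOS output, and the account name svc-backup and the logid values on the config line are placeholders.

```python
import re
from typing import Dict, List

# Indicators published by Fortinet's PSIRT for CVE-2022-40684 exploitation:
# an admin login or config change attributed to the internal user
# "Local_Process_Access" with ui="Node.js" or ui="Report Runner".
SUSPECT_USER = "Local_Process_Access"
SUSPECT_UI = {"Node.js", "Report Runner"}

# FortiOS event logs are space-separated key=value pairs; values that contain
# spaces or parentheses are double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one FortiOS key=value log line into a dict (quotes stripped)."""
    event: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        event[key] = quoted if quoted else bare
    return event


def classify(event: Dict[str, str]) -> str:
    """Return "benign", "auth-bypass-login" or "admin-account-change"."""
    if event.get("user") != SUSPECT_USER or event.get("ui") not in SUSPECT_UI:
        return "benign"
    if event.get("cfgpath") == "system.admin":
        # The bypass was used to create attacker-controlled admin accounts.
        return "admin-account-change"
    return "auth-bypass-login"


def find_indicators(lines: List[str]) -> List[Dict[str, str]]:
    """Scan raw log lines and return the parsed events that match, tagged with a verdict."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = parse_fortios_log(line)
        verdict = classify(event)
        if verdict != "benign":
            event["verdict"] = verdict
            hits.append(event)
    return hits


# Constructed sample lines in FortiOS event-log style (not real device output).
SAMPLE_LOGS = [
    'date=2025-01-20 time=09:12:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 action="login" '
    'status="success" profile="super_admin"',
    'date=2025-01-20 time=09:15:44 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" '
    'user="Local_Process_Access" ui="Node.js" method="jsonrpc" srcip=127.0.0.1 '
    'action="login" status="success" profile="super_admin"',
    'date=2025-01-20 time=09:15:45 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" '
    'user="Local_Process_Access" ui="Report Runner" cfgpath="system.admin" '
    'cfgobj="svc-backup" action="Add" msg="Add system.admin svc-backup"',
    'date=2025-01-20 time=09:30:12 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" '
    'status="failed" reason="passwd_invalid"',
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOGS):
        print(f'{hit["date"]} {hit["time"]} {hit["verdict"]}: '
              f'ui={hit["ui"]!r} logdesc={hit.get("logdesc")!r} cfgobj={hit.get("cfgobj")!r}')
```

A hit on the second pattern (a system.admin object added by Local_Process_Access) should be treated as a confirmed compromise rather than an attempt: the account persists after patching, so the remediation steps above (credential reset, configuration review) apply even if the firmware is now current.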

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has proactively addressed this issue by publishing the “FortiGate Leakage” FocusTag™ on January 17, 2025. This tag enables TPRM professionals to identify vendors potentially affected by the FortiGate data leak. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.

Black Kite’s FortiGate Leakage FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-53691 and CVE-2023-39298 in QNAP QTS and QuTS Hero

What are CVE-2024-53691 and CVE-2023-39298?

CVE-2024-53691 is a link following vulnerability (CWE-59) in QNAP’s QTS and QuTS hero operating systems. It allows remote attackers who have gained user access to follow symbolic links out of their intended share and traverse the file system to unintended locations, potentially leading to unauthorized access to sensitive files and system compromise. This vulnerability has a CVSS score of 8.7.

CVE-2023-39298 is a missing authorization vulnerability affecting several QNAP operating system versions. It permits local authenticated users to access data or perform actions they should not be allowed to via unspecified vectors. This vulnerability has a CVSS score of 7.8. As of January 23, 2025, neither vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

QNAP NAS devices are widely used for storing and managing critical business data. Exploitation of these vulnerabilities could lead to unauthorized access, data breaches, and potential system compromises. For Third-Party Risk Management (TPRM) professionals, it’s crucial to assess whether vendors utilize vulnerable QNAP systems, as a compromise could indirectly affect your organization’s data integrity and security.

What Questions Should TPRM Professionals Ask Vendors Regarding These Vulnerabilities?

To evaluate the risk associated with these vulnerabilities, TPRM professionals should inquire:

  1. Can you confirm if you have upgraded all instances of QNAP QTS and QuTS hero to versions QTS 5.2.0.2802 build 20240620 and QuTS hero h5.2.0.2802 build 20240620 or later to mitigate the risk of CVE-2024-53691 and CVE-2023-39298?
  2. Have you implemented the recommended actions such as monitoring system logs, applying security patches promptly, implementing MFA, and restricting network access to mitigate the risk of unauthorized access due to the link following vulnerability in QNAP QTS and QuTS hero operating systems?
  3. Can you confirm if you have taken measures to prevent unauthorized access to sensitive files and potential system compromise due to the link following vulnerability (CVE-2024-53691) in QNAP QTS and QuTS hero operating systems?
  4. Have you taken any additional steps to protect your QNAP devices from data theft, ransomware attacks, or malware deployment that could result from exploiting the vulnerabilities CVE-2024-53691 and CVE-2023-39298?

Remediation Recommendations for Vendors

Vendors utilizing affected QNAP systems should:

  • Update Firmware: Upgrade to QTS 5.2.0.2802 build 20240620 or QuTS hero h5.2.0.2802 build 20240620 or later.
  • Implement Multi-Factor Authentication (MFA): Enhance account security to prevent unauthorized access.
  • Restrict Network Access: Configure firewalls and network settings to allow only trusted IP addresses access to NAS devices.
  • Monitor System Logs: Regularly review logs for unusual activity indicating attempted exploitation.
  • Apply Security Patches Promptly: Ensure all security patches are applied as soon as they become available.
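The QNAP flaw above is a link following bug: a user who can write to a share plants a symbolic link, and a file-serving routine that simply joins the share root with the requested name follows that link to wherever it points. The example below is added here to show the bug class and the check that closes it; it is not QNAP’s code and says nothing about how QTS is implemented. It builds a throwaway share in a temporary directory, places a symlink pointing outside it, and contrasts a naive reader with one that canonicalises the path, confines it to the share, and opens the leaf with O_NOFOLLOW. The file names and contents are constructed, and it assumes a POSIX host where the running user may create symlinks.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict


def naive_read(share_root: str, user_path: str) -> str:
    """Vulnerable pattern: join and open, trusting wherever the path leads (follows links)."""
    with open(os.path.join(share_root, user_path), "rb") as fh:
        return fh.read().decode()


def safe_read(share_root: str, user_path: str) -> str:
    """Hardened reader: canonicalise, confine to the share root, refuse a symlink leaf."""
    root = Path(share_root).resolve(strict=True)
    # os.path.join would discard the root for an absolute input; reject it outright.
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute path not allowed: {user_path!r}")
    # resolve() follows every symlink, so the result is where the open would really land.
    target = (root / user_path).resolve(strict=True)
    if target != root and root not in target.parents:
        raise PermissionError(f"{user_path!r} resolves outside the share to {target}")
    # O_NOFOLLOW narrows the check-then-open race on the last component: if the
    # leaf is swapped for a symlink after resolve(), the open fails with ELOOP
    # instead of silently following it.
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read().decode()


def demo() -> Dict[str, str]:
    """Build a share containing a symlink to a file outside it and compare both readers."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"
        outside.mkdir()
        secret = outside / "secret.txt"
        secret.write_text("db_password=hunter2\n")  # constructed secret outside the share

        share = Path(tmp) / "share"
        (share / "docs").mkdir(parents=True)
        (share / "docs" / "readme.txt").write_text("hello\n")
        # A user with write access to the share plants a link that points outside it.
        os.symlink(secret, share / "docs" / "link")

        results: Dict[str, str] = {}
        results["legit_naive"] = naive_read(str(share), "docs/readme.txt")
        results["legit_safe"] = safe_read(str(share), "docs/readme.txt")
        results["link_naive"] = naive_read(str(share), "docs/link")  # leaks the secret
        for label, rel in (("link_safe", "docs/link"), ("dotdot_safe", "../outside/secret.txt")):
            try:
                safe_read(str(share), rel)
                results[label] = "leaked"
            except PermissionError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The confinement check is the important part; O_NOFOLLOW only protects the final component, so a symlink swapped into an intermediate directory between resolve() and open() is still a race that this code does not close (walking the path component by component with openat is the usual answer). This is also why the vendor fix, not an application-layer wrapper, is the remediation for the QNAP CVE itself.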

How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?

Black Kite released the “QNAP QTS – Jan2025” FocusTag™ on January 23, 2025, to help organizations identify vendors potentially affected by these vulnerabilities. This tag provides detailed information, including the specific assets (IP addresses and subdomains) associated with vulnerable QNAP systems within a vendor’s infrastructure. By utilizing this intelligence, TPRM professionals can prioritize assessments and remediation efforts, ensuring that vendors have addressed these critical vulnerabilities.

Black Kite’s QNAP QTS – Jan2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-23061 in Mongoose

Mongoose is specifically an Object Data Modeling (ODM) library designed for Node.js, enabling easy interaction with MongoDB databases. It simplifies the management, validation, and modeling of data in MongoDB, providing developers with a more structured and secure working environment.

What is CVE-2025-23061?

CVE-2025-23061 is a critical injection vulnerability affecting Mongoose, a MongoDB object modeling library widely used in Node.js and Deno applications. It has a CVSS score of 9.0, emphasizing its severity, while its EPSS score of 0.05% suggests a low probability of exploitation at present. The flaw arises from improper handling of a nested $where filter supplied through the match option of the populate() function. Because MongoDB evaluates $where as server-side JavaScript, an attacker who can smuggle it into a query can manipulate search results and infer sensitive field values (the search injection named in the FocusTag below).

This flaw is linked to an incomplete fix for CVE-2024-53900, another critical issue involving the $where operator’s improper handling. The vulnerability impacts Mongoose versions prior to 8.9.5. Although PoC exploit code is unavailable and it has not been added to CISA’s Known Exploited Vulnerabilities catalog, its potential impact is significant due to Mongoose’s wide adoption, with over 2.7 million weekly downloads.

Why Should TPRM Professionals Be Concerned About CVE-2025-23061?

TPRM professionals should consider this vulnerability a high-priority concern due to Mongoose’s extensive use in applications that store sensitive data. If a vendor utilizes an unpatched version of Mongoose, their database integrity could be compromised, resulting in data manipulation, unauthorized access, or even larger breaches affecting downstream partners and customers. The prevalence of Mongoose as a dependency in critical systems underscores the potential ripple effect of an exploit.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-23061?

To evaluate vendor risk associated with this vulnerability, consider asking:

  1. Have you upgraded Mongoose to version 8.9.5 or later to mitigate the risk of CVE-2025-23061 and the previously related CVE-2024-53900?
  2. Can you confirm if you have reviewed your application’s use of the populate() function and $where filters to ensure no unintended exposure exists, as recommended in the advisory?
  3. Have you implemented robust input validation and sanitization measures to prevent potential search injection attacks related to the Mongoose vulnerability?
  4. Are you regularly auditing and updating all dependencies to incorporate the latest security patches, specifically those related to Mongoose and MongoDB object modeling tools?

Remediation Recommendations for Vendors

Vendors using Mongoose should:

  1. Update Mongoose: Upgrade to version 8.9.5 or later to address the vulnerability.
  2. Audit Codebase: Review the usage of $where filters and the populate() function to identify and mitigate potential exposure.
  3. Implement Input Validation: Enforce robust validation and sanitization mechanisms for all database queries.
  4. Monitor Dependencies: Regularly review and update dependencies to ensure all security patches are applied promptly.
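The “Audit Codebase” and “Implement Input Validation” items above are vague without seeing what slips past a weak check. The page explains that the earlier fix for CVE-2024-53900 was incomplete because a $where nested inside the match object still got through. The following added example (my illustration in Python of the validation logic, not Mongoose’s code, and not a statement of how the library’s own fix is written) contrasts a top-level-only check with a recursive one, then shows the allow-list approach that is safer than either: build the match object yourself from known field names and scalar values so no operator key can reach populate() at all. The filter objects are constructed to resemble JSON an API might accept from a client.

```python
from typing import Any, Dict, Set


def shallow_where_check(match: Dict[str, Any]) -> bool:
    """Top-level-only check; returns True when it sees no $where key.

    Illustrates the failure mode the page describes: a $where tucked inside
    an $or/$and/$nor array or a sub-document passes straight through.
    """
    return "$where" not in match


def contains_operator(node: Any, operator: str = "$where") -> bool:
    """Recursive check for an operator key at any depth (dicts and lists)."""
    if isinstance(node, dict):
        return any(key == operator or contains_operator(value, operator)
                   for key, value in node.items())
    if isinstance(node, list):
        return any(contains_operator(item, operator) for item in node)
    return False


def build_populate_match(user_filter: Dict[str, Any],
                         allowed_fields: Set[str]) -> Dict[str, Any]:
    """Allow-list builder for a populate() match object.

    Only known field names with scalar equality values are copied through, so no
    key beginning with '$' (and therefore no $where at any depth) reaches the query.
    """
    match: Dict[str, Any] = {}
    for key, value in user_filter.items():
        if key.startswith("$") or key not in allowed_fields:
            raise ValueError(f"field not allowed in match: {key!r}")
        if not isinstance(value, (str, int, float, bool)):
            raise ValueError(f"non-scalar value for {key!r}: {type(value).__name__}")
        match[key] = value
    return match


# Constructed inputs: the shape of a JSON body an API might forward as
# populate({ path: 'comments', match: <this object> }).
BENIGN_FILTER = {"status": "published", "featured": True}
NESTED_WHERE_FILTER = {
    "$or": [
        {"status": "published"},
        {"$where": "this.secretToken.startsWith('a')"},  # server-side JavaScript
    ]
}
ALLOWED = {"status", "featured"}


def demo() -> Dict[str, Any]:
    """Run the three checks against the constructed inputs and collect the outcomes."""
    out: Dict[str, Any] = {}
    out["shallow_passes_nested"] = shallow_where_check(NESTED_WHERE_FILTER)    # True: missed
    out["recursive_catches_nested"] = contains_operator(NESTED_WHERE_FILTER)   # True: caught
    out["benign_match"] = build_populate_match(BENIGN_FILTER, ALLOWED)
    try:
        build_populate_match(NESTED_WHERE_FILTER, ALLOWED)
        out["nested_rejected"] = False
    except ValueError:
        out["nested_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Upgrading to 8.9.5 or later remains the fix; the allow-list builder is defence in depth for the case where a dependency regresses or a different operator becomes the next problem, and it also answers question 2 above concretely when a vendor is asked how user input reaches populate().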

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite published the “Mongoose” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially affected by this vulnerability. This tag provides high-confidence identification of systems using vulnerable Mongoose versions, offering actionable insights into affected assets, including IP addresses and subdomains. TPRM professionals can leverage this intelligence to prioritize their vendor risk assessments and ensure remediation efforts are effectively targeted.

Black Kite’s Mongoose FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-12365 in W3 Total Cache Plugin

W3 Total Cache (W3TC) is a well-known and powerful caching and performance optimization plugin designed for WordPress websites. This plugin enhances website speed, reduces loading times, and improves the overall user experience. It is particularly effective in delivering significant performance improvements for high-traffic websites.

What is CVE-2024-12365?

CVE-2024-12365 is a high-severity missing authorization vulnerability in the W3 Total Cache plugin for WordPress, affecting versions up to and including 2.8.1. With a CVSS score of 8.5 and an EPSS score of 0.09%, the flaw stems from a missing capability check on the is_w3tc_admin_page function, which lets authenticated users with Subscriber-level access retrieve the plugin’s nonce value. With that nonce, an attacker can invoke actions intended for administrators, potentially leading to information disclosure and server-side request forgery (SSRF).

Exploitation of this flaw could allow attackers to query internal services, including metadata on cloud-based applications, and consume service plan limits. While no PoC exploit code is currently available, more than a million WordPress sites using this plugin are at risk. As of January 22, 2025, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2024-12365?

Third-Party Risk Management (TPRM) professionals should be highly attentive to this vulnerability due to its potential to expose sensitive internal data and compromise WordPress-based websites. Many businesses rely on WordPress as their primary web platform, and vulnerabilities in widely-used plugins like W3 Total Cache can create significant risks.

If a vendor’s website is compromised through this flaw, it may lead to:

  • Data breaches involving sensitive business or customer information.
  • Unintended exposure of internal application data through SSRF attacks.
  • Loss of trust and credibility due to website exploitation.

Given the widespread use of WordPress and this specific plugin, the impact of unpatched systems can extend across interconnected organizations and their customers.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-12365?

To evaluate vendor risk, TPRM professionals can ask the following targeted questions:

  1. Can you confirm if you have updated the W3 Total Cache plugin for WordPress to version 2.8.2 or later, which addresses the CVE-2024-12365 vulnerability?
  2. Have you implemented any additional security measures to monitor for unauthorized access or unusual behavior on your WordPress sites that could indicate exploitation attempts related to the CVE-2024-12365 vulnerability?
  3. Have you conducted an audit of user roles and permissions to ensure that only necessary privileges are granted, minimizing potential exploitation by lower-level users as recommended in the advisory for the CVE-2024-12365 vulnerability?
  4. Can you confirm if you have taken any steps to mitigate the risk of server-side request forgery, such as implementing security best practices or updating the W3 Total Cache plugin, in response to the CVE-2024-12365 vulnerability?

Remediation Recommendations for Vendors

Vendors using the W3 Total Cache plugin should take the following steps:

  1. Update the Plugin: Upgrade to version 2.8.2 or newer, where the vulnerability has been fixed.
  2. Audit User Permissions: Review and minimize privileges for users, ensuring Subscriber-level accounts have limited access.
  3. Monitor Activity: Regularly review website activity logs for unusual or unauthorized behavior.
  4. Enforce Security Best Practices: Maintain strong security protocols for WordPress installations, including strong passwords, regular plugin updates, and security plugins for intrusion detection.
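The SSRF impact described above (querying internal services, including cloud metadata endpoints) is what makes an otherwise modest nonce leak dangerous, and question 4 asks vendors what they do about it beyond patching. The plugin’s fix is the capability check; the destination check below is the complementary control any server-side fetch should have. It is an added example in Python, not W3 Total Cache or WordPress code, and it assumes the caller has already resolved the host to addresses (passed in as `resolved_ips`, constructed here rather than looked up) and will connect to exactly one of those addresses rather than resolving again.

```python
import ipaddress
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(addr: str) -> bool:
    """True for any address a server-side fetch must never reach.

    Covers loopback, RFC 1918 and other private space, link-local (which
    includes the 169.254.169.254 cloud metadata endpoint), multicast,
    reserved and unspecified addresses, for both IPv4 and IPv6.
    """
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.5 is still 10.0.0.5; classify the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_target(url: str, resolved_ips: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a server-side request to `url` may proceed.

    `resolved_ips` are the addresses the caller resolved the host to (or the
    literal host itself). The caller must connect to one of those exact
    addresses; resolving again at connect time reopens a DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    addresses = list(resolved_ips)
    if not addresses:
        return False, "host did not resolve"
    for addr in addresses:
        try:
            internal = is_internal_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}"
        if internal:
            return False, f"{parts.hostname} resolves to internal address {addr}"
    return True, "ok"


# Constructed cases: URL plus the addresses we pretend the host resolved to.
CASES = [
    ("https://example.com/feed.xml", ["93.184.216.34"]),               # public, allowed
    ("http://169.254.169.254/latest/meta-data/", ["169.254.169.254"]),  # cloud metadata
    ("http://internal-api.local/admin", ["::ffff:10.0.0.5"]),           # mapped IPv4
    ("http://example.com/", ["127.0.0.1"]),                             # attacker-controlled DNS
    ("file:///etc/passwd", []),                                         # wrong scheme
    ("http://user:pw@example.com/", ["93.184.216.34"]),                 # credentials in URL
]


def evaluate_cases() -> Dict[str, bool]:
    """Map each constructed URL to the allow/deny decision."""
    return {url: check_outbound_target(url, ips)[0] for url, ips in CASES}


if __name__ == "__main__":
    for url, ips in CASES:
        ok, reason = check_outbound_target(url, ips)
        print(f"{'ALLOW' if ok else 'DENY '} {url}  ({reason})")
```

Two things this check deliberately does not do: it does not follow redirects (each hop must be re-checked, since a public host can 302 to the metadata address), and it does not try to enumerate vendor-specific metadata hostnames, because the address-class test already covers where those names resolve.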

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite released the “W3 Total Cache” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially impacted by this vulnerability. By providing very high-confidence information, such as asset-level details (e.g., IP addresses and subdomains), Black Kite enables TPRM professionals to quickly assess and mitigate risks. This FocusTag™ is instrumental in narrowing down affected vendors and ensuring targeted remediation efforts.

Black Kite’s W3 Total Cache FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are transformative tools designed to empower Third-Party Risk Management (TPRM) professionals with actionable insights in the face of an ever-evolving threat landscape. With this week’s vulnerabilities spanning multiple platforms and industries, the value of these FocusTags™ becomes especially apparent:

  • Real-Time Threat Awareness: Instantly pinpoint vendors impacted by vulnerabilities like those in FortiGate firewalls, QNAP NAS systems, Mongoose, and the W3 Total Cache plugin, enabling rapid and targeted action.
  • Prioritized Risk Management: Evaluate risks based on the criticality of the vulnerabilities and the vendor’s importance, allowing for efficient allocation of resources to mitigate threats.
  • Tailored Vendor Engagement: Facilitate meaningful conversations with vendors, focusing on their exposure to vulnerabilities and the specific actions they’ve taken to address them.
  • Enhanced Cybersecurity Posture: Gain a comprehensive view of the threat landscape, supporting the development of robust strategies to defend against future risks.

By translating complex cybersecurity data into practical intelligence, Black Kite’s FocusTags™ help TPRM professionals navigate the complexities of vendor risk management with precision and confidence. These tools are essential for maintaining resilience in today’s fast-paced digital environment, where proactive risk mitigation can mean the difference between security and compromise.



Want to take a closer look at FocusTags™?


Take our platform for a test drive and request a demo today.




About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
  • QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
  • Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
  • W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
  • Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
  • Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
  • SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
  • SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’s SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
  • Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
  • Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and Path Traversal Vulnerability in Progress WhatsUp Gold.
  • GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
  • Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
  • CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
  • Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
  • BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS).
  • Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11773, Authentication Bypass Vulnerability, Command Injection Vulnerability, and SQL Injection (SQLi) Vulnerability leading to Remote Code Execution in Ivanti Cloud Services Application.
  • Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-40684

https://breachforums.st/Thread-FortiGate-15K-Targets-Configs-VPN-Passwords

https://www.bleepingcomputer.com/news/security/hackers-leak-configs-and-vpn-credentials-for-15-000-fortigate-devices

https://securityonline.info/15000-fortigate-firewalls-exposed-massive-leak-includes-vpn-credentials

https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684

https://github.com/horizon3ai/CVE-2022-40684

https://www.qnap.com/en/security-advisory/qsa-24-28

https://nvd.nist.gov/vuln/detail/CVE-2024-53691

https://nvd.nist.gov/vuln/detail/CVE-2023-39298

https://securityonline.info/cve-2024-53691-poc-exploit-released-for-severe-qnap-rce-flaw

https://github.com/C411e/CVE-2024-53691

https://nvd.nist.gov/vuln/detail/CVE-2025-23061

https://github.com/advisories/GHSA-vg7j-7cwx-8wgw

https://github.com/Automattic/mongoose/releases/tag/8.9.5

CVE-2025-23061 (CVSS 9.0): Mongoose Flaw Leaves Millions of Downloads Exposed to Search Injection

https://nvd.nist.gov/vuln/detail/CVE-2024-12365

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/w3-total-cache/w3-total-cache-281-authenticated-subscriber-missing-authorization-to-server-side-request-forgery

https://securityonline.info/cve-2024-12365-popular-wordpress-caching-plugin-exposes-millions-of-sites-to-attack

The post FOCUS FRIDAY: TPRM Insights on FortiGate, QNAP, Mongoose, and W3 Total Cache Vulnerabilities with Black Kite’s FocusTags™ appeared first on Black Kite.

Why Healthcare Is Now in the Bullseye for Ransomware Groups

22 January 2025 at 12:37

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

Cybercriminals are becoming increasingly bold — and no industry is safe, even those once considered untouchable. Last year, ransomware attacks in the healthcare industry skyrocketed, propelling it from the 7th most targeted industry to 3rd in just one year with attacks increasing by over 32%. The sector now accounts for 8% of ransomware attacks — up from just 5% a year ago — ranking behind only manufacturing and professional services.

What’s driving this surge? Cybercriminals are exploiting pressures unique to healthcare, which makes it one of the most lucrative targets. From sensitive patient data to operational disruptions that could jeopardize lives, the stakes couldn’t be higher. With 303 attacks in a single year, spanning major hospitals to small clinics, no corner of healthcare is immune.

Our latest report, Healthcare Under Ransomware Attack, breaks down what’s behind this alarming trend — and what healthcare organizations can do to shore up their defenses.

Healthcare’s ransomware epidemic: The surge explained

Healthcare’s rise as a prime ransomware target marks a turning point in the tactics of cybercriminals. Once considered “off-limits” under an informal (yet twisted) code of conduct, healthcare now finds itself firmly in the crosshairs. Today’s ransomware groups prioritize ease of access and high ransom potential, and the unique pressures within healthcare — where patient safety and operational continuity are at stake — make the sector especially attractive.

This shift can be traced to two main catalysts: the high-profile attack on Change Healthcare and the dismantling of prominent ransomware groups like LockBit and AlphV (BlackCat).

The February 2024 ransomware attack on Change Healthcare disrupted vital services for healthcare facilities across the U.S. Although the company acted quickly to minimize the impact, the incident exposed vulnerabilities in healthcare operations. It also revealed growing tensions within the ransomware ecosystem. During the attack, a failed payment to an affiliate (an independent attacker partnering with a ransomware operator) sparked disputes, leading to an uprising by affiliates seeking to shift the power away from large ransomware groups. 

The exit of AlphV (BlackCat) in December 2023 and the disruption of LockBit in February 2024 further impacted the ransomware landscape. While these events temporarily reduced attack volumes, the lull was quickly followed by an influx of new groups, many of which now lead attacks and work off an affiliate-led model. Emerging groups like RansomHub attracted many affiliates disillusioned with how ransomware groups were previously structured, offering affiliates greater control and payouts as high as 90%.

The shift in how ransomware groups operate also means affiliates are in high demand. Now, they transition freely between groups, spreading their knowledge further and making attacks by new, more aggressive players more likely. They’re also taking a carefully planned approach to which companies they target next.

Why ransomware groups are targeting healthcare

Healthcare’s ethical responsibility to ensure continuity of care for patients sets it apart from other industries and makes it uniquely vulnerable to attacks. When systems are compromised, the consequences can be a matter of life and death — delayed surgeries, inaccessible medical records, and compromised patient safety. This means that when attacked, healthcare companies are often pressured to pay ransoms to avoid disruptions to life-saving care.

Smaller healthcare providers, with less robust cybersecurity defenses, are especially vulnerable. But no organization — large or small — is immune. Attackers aren’t picking targets at random — they are following a deliberate, calculated strategy based on:

  • Technical vulnerability: Unpatched systems and outdated software are low-hanging fruit.
  • Industry: Sectors with sensitive, valuable data, like healthcare.
  • Likelihood to pay: Organizations with a history of paying ransoms are more likely to pay again.
  • Geographic area: The U.S. remains the top target for ransomware groups.
  • Revenue profile: Large enterprises (revenues over $100M) and small to mid-sized businesses (revenues below $20M) are commonly targeted.

While legacy ransomware groups tended to favor negotiation, modern groups are more likely to demand fast payments of a one-time ransom, with no room for negotiation. And sensitive patient data combined with high-stakes operations makes it more likely that affected companies will pay. In healthcare, ransom demands have climbed as high as $20M, driven by the urgent need to restore operations and protect patient outcomes.

The impact of these attacks goes far beyond finances. Attacks ripple through the healthcare ecosystem, exacting a human toll on providers, patients, and their families. The effects can also spill over to vendors and suppliers, putting your entire third-party ecosystem at risk. With no subindustry of healthcare safe — and ransomware groups targeting practices both large and small — maintaining the status quo is no longer an option. 

Taking control: How to get ahead of the curve

With the chances of an attack becoming increasingly likely, it’s time to take a proactive approach to protect healthcare organizations and third-party ecosystems from attacks. Here’s how to start building a robust line of defense:

Continuously monitor risk factors

Healthcare organizations need to focus on monitoring risk factors that could increase the chance of an attack. Consider what your ecosystem looks like to attackers. Unpatched systems, outdated defenses, and weak links in your third-party ecosystem are common entry points.

By continuously monitoring for changes in risk factors — both within your organization and across your third-party network — it’s easier to take action before vulnerabilities are exploited.

Use an early warning system

An early warning system is one of the best ways to assess your company’s vulnerability to attack. Proactive tools like Black Kite’s Ransomware Susceptibility Index® (RSI™) provide insights into your organization’s risk of a ransomware attack. RSI™ uses machine learning and data analysis to assess vulnerability on a scale from 0 (low risk) to 1 (high risk). Scores above 0.50 indicate a heightened likelihood of attack, allowing organizations to prioritize and remediate vulnerabilities before they become problematic.

What makes RSI™ particularly powerful is that it mirrors the factors ransomware attackers themselves evaluate when choosing targets. By identifying and addressing any vulnerabilities before they’re picked up on by attackers, you can stay off their radar and keep sensitive patient data safe.

Prevention is the best medicine

Healthcare providers preach the power of preventative care — and the same goes for cybersecurity. Taking a proactive approach to ransomware defense, you can assess the risks to your organization and its third-party ecosystem, protecting against the growing risk of attacks before it’s too late. 

With attacks on the healthcare industry becoming more frequent and aggressive, the cost of inaction is too great — not just in financial losses but in disruptions to patient care. Protecting your organization from these threats isn’t just a cybersecurity priority — it’s a critical investment in the safety and well-being of the patients and communities you serve. 



Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.




The post Why Healthcare Is Now in the Bullseye for Ransomware Groups appeared first on Black Kite.

Should Cyber Attack Drills Be a Surprise or Should They Be Announced?

Cyber attack drills have become an essential component of any robust incident response strategy. These cyber attack simulation exercises recreate real-world attack scenarios to test and improve the readiness of an organisation’s cybersecurity team. 

However, one of the most debated aspects of tabletop exercises is whether they should be announced in advance or conducted as a surprise. 

Each approach has its pros and cons, and the decision largely depends on an organisation’s goals and maturity level. 

Top Big Data Tools for Data Experts

21 January 2025 at 03:09

Are you overwhelmed by the endless stream of data your organisation generates? Do you find yourself struggling to manage and analyse large datasets effectively? Big data tools can help transform how you handle and interpret vast amounts of data, enabling you to make more informed decisions.

In this article, we'll explore some of the top big data tools that are essential for data experts. These tools are designed to simplify data storage, processing, and analysis, making your job easier and more efficient.

Top Cyber Security Strategies to Protect Your Ecommerce Business

21 January 2025 at 02:45

In today’s digital world, ecommerce businesses are growing rapidly. Taking your business online is an excellent way to expand and reach new customers, but it also brings unique challenges, and one of the foremost is cybersecurity: you must secure your processes and protect your business from digital threats.

This article recommends five effective cybersecurity strategies to protect your ecommerce business.

Top 10 Biggest Cyber Attacks of 2024 & 25 Other Attacks to Know About!

Almost every month in 2024 came with its own shattering cybersecurity headline. We round up 10 of the biggest cyber attacks, data breaches and ransomware attacks from the year gone by. You'll also find at the end of this blog a table of 25 other noteworthy attacks that you should know about.  

FOCUS FRIDAY: Third-Party Risks From Critical Juniper Junos, Rsync, and SimpleHelp Vulnerabilities

17 January 2025 at 10:57

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we dive into key vulnerabilities impacting widely used technologies. This installment highlights three significant incidents that pose unique challenges to third-party risk management (TPRM) teams. From Juniper Junos OS to Rsync and SimpleHelp, we explore how these vulnerabilities affect the security posture of vendors and their downstream supply chains. By examining these issues, we aim to provide actionable insights and strategies to help organizations mitigate risks and maintain robust third-party relationships.

Filtered view of companies with Juniper Junos FocusTag™ on the Black Kite platform.

Juniper Junos CVE-2025-21598

What is the Juniper Junos BGP Vulnerability (CVE-2025-21598)?

CVE-2025-21598 is an out-of-bounds read vulnerability in the routing protocol daemon (rpd) of Junos OS and Junos OS Evolved. When a device is configured with BGP packet receive trace options, an unauthenticated, network-based attacker who can deliver malformed BGP packets to the device (in practice, a BGP peer or someone able to inject into an established session) can make rpd crash, and continued receipt of such packets keeps it down, a sustained denial of service of the device’s routing. The vulnerability has a CVSS score of 8.2 (high severity). It was disclosed on January 14, 2025; there are currently no reports of active exploitation, no public proof-of-concept (PoC), and it is not listed in CISA’s KEV catalog.

CVE-2025-21599, disclosed alongside it, is a separate denial-of-service vulnerability that affects specific versions of Junos OS Evolved only. It requires IPv6 to be enabled: an attacker who persistently sends malformed IPv6 packets exhausts kernel memory. Exploitation does not require authentication but does need network access to the device. The affected versions are:

  • From 22.4-EVO: before 22.4R3-S5-EVO
  • From 23.2-EVO: before 23.2R2-S2-EVO
  • From 23.4-EVO: before 23.4R2-S2-EVO
  • From 24.2-EVO: before 24.2R1-S2-EVO and 24.2R2-EVO.

Versions prior to 22.4R1-EVO are unaffected. CVE-2025-21599 was excluded from the FocusTag™ scope because it is limited to Junos OS Evolved builds, which cannot be told apart from Junos OS by external scanning, so there is no EVO-specific detection to act on.

Affected Products for CVE-2025-21598

Why should TPRM professionals care about CVE-2025-21598?

This vulnerability impacts network infrastructure devices, which are critical to business operations. If left unpatched, it could result in significant service interruptions, loss of connectivity, and reduced reliability of the affected network environment. Organizations that rely on these devices could face disruptions in their supply chain communications and business operations, making it essential for TPRM professionals to assess the risk and ensure proper mitigation measures are in place.

What questions should TPRM professionals ask vendors about CVE-2025-21598?

  1. Have you updated all instances of Junos OS and Junos OS Evolved to the fixed versions mentioned in the advisory to mitigate the risk of CVE-2025-21598?
  2. Can you confirm if you have disabled BGP packet receive trace options on your Junos OS and Junos OS Evolved devices to prevent potential exploitation of CVE-2025-21598?
  3. Are you regularly inspecting your system logs for any indications of malformed BGP update messages, which may suggest attempted exploitation of CVE-2025-21598?
  4. For Junos OS Evolved, have you ensured that all versions from 22.4-EVO before 22.4R3-S5-EVO, from 23.2-EVO before 23.2R2-S2-EVO, from 23.4-EVO before 23.4R2-S2-EVO, and from 24.2-EVO before 24.2R1-S2-EVO and 24.2R2-EVO have been updated to mitigate the risk of CVE-2025-21599?

Remediation recommendations for vendors subject to this risk

  • Upgrade all affected Junos OS and Junos OS Evolved devices to the patched versions.
  • Disable BGP packet receive trace options if updating is not immediately possible; trace options are a debugging aid and should not be left on in production.
  • Implement continuous network monitoring to identify any indications of exploitation attempts.
  • Maintain up-to-date logging configurations and review logs for signs of malformed BGP packets.
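As an added example (not from the original post and not Juniper's code), the following script checks a Junos configuration exported with `show configuration | display set` for active BGP trace flags that record received packets, and prints the `delete` statements that remove them as the interim workaround. The set of packet-level flags it looks for (`all`, `packets`, `update`, `open`, `keepalive`, `refresh`) is an assumption drawn from the advisory wording "BGP packet receive trace options", and the sample configuration is constructed; confirm the exact triggering condition against Juniper's bulletin before treating a device as clean.

```python
"""Flag Junos BGP traceoptions that record received packets, the configuration
pre-condition for CVE-2025-21598.

Input is set-style configuration (`show configuration | display set`).
The PACKET_FLAGS set is an assumption derived from the advisory wording,
not an official Juniper list; verify against the bulletin.
"""
import re

# Trace flags that log BGP packet contents; `all` enables every flag. (Assumed.)
PACKET_FLAGS = {"all", "packets", "update", "open", "keepalive", "refresh"}

# BGP traceoptions statements at protocol, group or neighbor scope, e.g.
#   set protocols bgp group PEERS traceoptions flag update receive detail
#   deactivate protocols bgp traceoptions
_FLAG_RE = re.compile(
    r"^(?P<verb>set|deactivate)\s+"
    r"(?P<scope>protocols bgp(?:\s+group\s+\S+(?:\s+neighbor\s+\S+)?)?)"
    r"\s+traceoptions(?:\s+flag\s+(?P<flag>\S+)(?P<mods>(?:\s+\S+)*))?\s*$"
)


def find_receive_traceoptions(config_text):
    """Return one finding per active trace flag that captures received BGP packets."""
    flags = []                 # (scope, flag, modifiers) in configuration order
    inactive_scopes = set()    # scopes whose whole traceoptions stanza is deactivated
    inactive_flags = set()     # (scope, flag) pairs deactivated individually
    for line in config_text.splitlines():
        m = _FLAG_RE.match(line.strip())
        if not m:
            continue           # 'traceoptions file ...' and unrelated lines
        scope, flag = m.group("scope"), m.group("flag")
        mods = set(m.group("mods").split()) if m.group("mods") else set()
        if m.group("verb") == "deactivate":
            if flag is None:
                inactive_scopes.add(scope)
            else:
                inactive_flags.add((scope, flag))
            continue
        if flag is not None:
            flags.append((scope, flag, mods))

    findings = []
    for scope, flag, mods in flags:
        if scope in inactive_scopes or (scope, flag) in inactive_flags:
            continue
        if "disable" in mods or flag not in PACKET_FLAGS:
            continue
        # A flag without a direction modifier traces both sent and received packets,
        # so only a flag restricted to 'send' is safe.
        if "send" in mods and "receive" not in mods:
            continue
        findings.append({"scope": scope, "flag": flag, "modifiers": sorted(mods)})
    return findings


def mitigation_commands(findings):
    """Junos statements that remove the flagged trace flags until the device is upgraded."""
    return [f"delete {f['scope']} traceoptions flag {f['flag']}" for f in findings]


# Constructed sample export; device names, groups and addresses are placeholders.
SAMPLE_CONFIG = """\
set protocols bgp traceoptions file bgp-trace.log size 10m files 5
set protocols bgp traceoptions flag update receive detail
set protocols bgp traceoptions flag state
set protocols bgp group TRANSIT neighbor 192.0.2.1 traceoptions flag packets send
set protocols bgp group PEERS traceoptions flag all
set protocols bgp group LAB traceoptions flag open receive
deactivate protocols bgp group LAB traceoptions
"""

if __name__ == "__main__":
    found = find_receive_traceoptions(SAMPLE_CONFIG)
    for f in found:
        print(f"{f['scope']}: flag {f['flag']} {' '.join(f['modifiers'])}".rstrip())
    print("\n".join(mitigation_commands(found)))
```

Run it against each device's set-format export. In the sample, the protocol-level `update receive` flag and the group-level `all` flag are reported (the latter because an unqualified flag traces both directions), while the `state` flag, the send-only `packets` flag and the deactivated LAB stanza are not.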

How can TPRM professionals leverage Black Kite for CVE-2025-21598?

Black Kite published this FocusTag™ to help organizations pinpoint the vendors affected by CVE-2025-21598. By providing detailed asset information—including relevant subdomains and vulnerable IPs—Black Kite enables TPRM professionals to rapidly identify which vendors need immediate attention. This targeted approach reduces time spent on outreach and allows more efficient mitigation efforts.

Black Kite’s Juniper Junos FocusTag™ details critical insights on the event for TPRM professionals.

Rsync Vulnerabilities (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747)

What are the critical Rsync vulnerabilities?

Rsync, a widely-used file synchronization tool, has six significant vulnerabilities in versions 3.3.0 and earlier. These flaws pose risks such as arbitrary code execution, information leakage, and unauthorized system access, particularly for organizations relying on Rsync for backups.

Six vulnerabilities have been identified in Rsync. A heap-buffer overflow in the Rsync daemon (CVE-2024-12084) lets a client that controls the checksum length (s2length) write past the fixed-size checksum buffer, which can be turned into code execution on the server; anonymous read access to the daemon is all the attacker needs. An information leak (CVE-2024-12085) exposes uninitialized stack memory during file checksum comparisons. A malicious server can use crafted checksums to extract arbitrary files from a connecting client (CVE-2024-12086). Path traversal is possible because of improper symlink checks with the default --inc-recursive option (CVE-2024-12087), and a --safe-links bypass (CVE-2024-12088) allows arbitrary file writes outside the destination directory. Finally, a symbolic-link race condition (CVE-2024-12747) can lead to privilege escalation or data leakage when a symlink changes between the time rsync checks it and the time it uses it. Exploitation requires specific conditions, such as reachable daemon access, a client talking to a malicious server, or a particular configuration.

Currently, no public PoC exists, and these vulnerabilities are not listed in CISA’s Known Exploited Vulnerabilities catalog. CVE-2024-12084 affects Rsync versions from 3.2.7 up to but not including 3.4.0; the other five affect 3.3.0 and earlier. All six are fixed in Rsync 3.4.0. Organizations relying on Rsync for synchronization or backups should apply patches or mitigations promptly; where a distribution backports the fix without changing the upstream version string, the package changelog, not the version number, is the authority.

Why should TPRM professionals care about Rsync vulnerabilities?

Many organizations rely on Rsync for critical backup operations. Unaddressed vulnerabilities could lead to severe disruptions, including unauthorized data exposure, system compromise, and operational downtime. These risks demand immediate attention from TPRM professionals to ensure that vendors and their supply chain partners have implemented the necessary remediations.

What questions should TPRM professionals ask vendors about the Rsync vulnerabilities?

  1. Have you upgraded all instances of Rsync to version 3.4.0 or later to mitigate the risk of CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747?
  2. Can you confirm if you have implemented the recommended mitigation measures such as restricting Rsync daemon access to trusted networks and authenticated users, and regularly reviewing and applying security best practices for system and network configurations?
  3. Have you reviewed and updated any backup programs utilizing Rsync, such as Rclone, DeltaCopy, and ChronoSync, in response to these vulnerabilities?
  4. Are you monitoring for any unusual activities that may indicate exploitation attempts related to these Rsync vulnerabilities, specifically those related to heap-buffer overflow, information leak, file leak, path traversal, safe-links bypass, and symbolic-link race condition?

Remediation recommendations for vendors subject to this risk

  • Upgrade Rsync to version 3.4.0 or higher to eliminate known vulnerabilities.
  • If upgrading must wait: run clients with --no-inc-recursive when pulling from servers you do not fully trust, keep --safe-links enabled (it is a protection, not an exposure, even though it is incomplete in affected versions), and for daemons consider the upstream workaround of building without SHA-256/SHA-512 digest support, which removes the CVE-2024-12084 overflow.
  • Implement strict access controls, allowing only authenticated and trusted connections.
  • Conduct regular security audits of your Rsync configuration and logs.
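To turn the "restrict the daemon to trusted networks and authenticated users" recommendation into something checkable, here is an added example (not Black Kite's and not the rsync project's code) that parses an rsyncd.conf, merges each module's settings over the global defaults, and reports modules that are reachable anonymously, from any source address, writable, or outside a chroot. Both configurations in the block are constructed; the module name, path and network are placeholders. Anonymous read access is exactly what the CVE-2024-12084 overflow needs, so modules with the first finding are the ones to lock down first.

```python
"""Audit an rsyncd.conf for settings that widen daemon exposure.

rsyncd.conf is INI-like: global parameters, then one [module] section per
exported path. Module parameters override globals; rsync also accepts an
explicit [global] section that extends the defaults.
"""


def parse_rsyncd_conf(text):
    """Return {module: effective settings}, each module merged over the globals."""
    global_opts, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name.lower() == "global":
                current = None            # keys that follow go to the globals
            else:
                current = name
                modules[name] = {}
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else modules[current]
        target[key.strip().lower()] = value.strip()
    return {name: {**global_opts, **opts} for name, opts in modules.items()}


def _is_false(value):
    return value.strip().lower() in {"no", "false", "0"}


def audit_rsyncd(text):
    """Return {module: [finding, ...]}; an empty list means no exposure finding."""
    report = {}
    for name, opts in parse_rsyncd_conf(text).items():
        findings = []
        if not opts.get("auth users"):
            findings.append("anonymous access: no 'auth users' "
                            "(CVE-2024-12084 needs only anonymous read access)")
        if not opts.get("hosts allow"):
            findings.append("no 'hosts allow': daemon module reachable from any address")
        if _is_false(opts.get("read only", "yes")):       # rsync default is yes
            findings.append("'read only = no': clients can write into the module")
        if _is_false(opts.get("use chroot", "yes")):      # rsync default is yes
            findings.append("'use chroot = no': symlinks in the module can reach outside its path")
        report[name] = findings
    return report


# Constructed example: an anonymous, writable module open to the world.
WEAK_CONF = """\
uid = nobody
[backups]
    path = /srv/backups
    comment = nightly dumps
    read only = no
"""

# Constructed example: the same module restricted to one network and one account.
HARDENED_CONF = """\
uid = nobody
use chroot = yes
hosts allow = 10.20.0.0/16
[backups]
    path = /srv/backups
    comment = nightly dumps
    read only = yes
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for module, findings in audit_rsyncd(conf).items():
            print(f"[{label}] {module}: {findings or 'ok'}")
```

The weak module produces three findings (anonymous, unrestricted source, writable); the hardened one produces none. `hosts allow` at the global level applies to every module, which is usually what you want for a backup daemon that should only ever talk to the backup network.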

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite’s FocusTag™ for Rsync, published in January 2025, helps TPRM professionals identify vendors at risk from these vulnerabilities. By providing detailed information on affected versions, associated IPs, and potentially vulnerable assets, Black Kite enables organizations to narrow their outreach to only those vendors requiring immediate action. This targeted approach not only streamlines risk management processes but also helps protect sensitive data and critical systems from emerging threats.

Black Kite’s Rsync FocusTag™ details critical insights on the event for TPRM professionals.

SimpleHelp Vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726)

What are the critical SimpleHelp vulnerabilities?

Recent security assessments have uncovered critical vulnerabilities in SimpleHelp, a widely used remote support software.

CVE-2024-57726: A privilege escalation flaw that allows users with technician-level access to elevate their privileges to administrator because of missing backend authorization checks. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.

CVE-2024-57727: A path traversal vulnerability allowing unauthenticated attackers to download arbitrary files, including sensitive configuration files. This vulnerability has a CVSS score of 7.5, making it a high-severity issue.

CVE-2024-57728: An arbitrary file upload vulnerability enabling attackers with administrative privileges to upload malicious files anywhere on the server, potentially leading to remote code execution. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.

These vulnerabilities can be chained to compromise the entire server, leading to sensitive information disclosure and potential remote code execution. They affect SimpleHelp versions 5.5.7 and earlier. Currently, there are no reports of these vulnerabilities being exploited in the wild, no available PoC, and no listing in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care about SimpleHelp vulnerabilities?

SimpleHelp is widely used for remote support, making these vulnerabilities particularly concerning. A compromised SimpleHelp server could expose sensitive client information, provide attackers with persistent remote access, and lead to unauthorized actions such as executing malicious scripts. TPRM professionals must ensure that vendors relying on SimpleHelp have patched their systems and implemented necessary security controls to avoid supply chain disruptions and data breaches.

What questions should TPRM professionals ask vendors about SimpleHelp vulnerabilities?

  1. Have you updated all instances of SimpleHelp to versions 5.5.8, 5.4.10, or 5.3.9 to mitigate the risk of CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726?
  2. Can you confirm if you have implemented IP access restrictions on your SimpleHelp server to accept technician and administrator logins only from trusted IP addresses, as recommended in the advisory?
  3. Have you changed the administrator and technician account passwords after updating SimpleHelp to ensure any previously compromised credentials are invalidated?
  4. Are you regularly reviewing your server logs for any unusual or unauthorized activities that may indicate attempted exploitation of these vulnerabilities in SimpleHelp?

Remediation recommendations for vendors subject to this risk

  • Update SimpleHelp to the latest secure versions (5.5.8, 5.4.10, or 5.3.9) to address these vulnerabilities.
  • Change Administrator Passwords. After updating, change the administrator password of the SimpleHelp server to ensure any previously compromised credentials are invalidated.
  • Update Technician Account Passwords. Reset passwords for all technician accounts, especially those not utilizing third-party authentication services.
  • Restrict IP Access. Configure the SimpleHelp server to accept technician and administrator logins only from trusted IP addresses to reduce unauthorized access risks.
  • Monitor System Logs. Regularly review server logs for any unusual or unauthorized activities that may indicate attempted exploitation.
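The Rsync and SimpleHelp sections above both reduce to one question for a vendor: is the installed release older than the fixed release on its branch? This added example (not from Black Kite, the rsync project or SimpleHelp) encodes the affected and fixed versions exactly as this post states them and answers that question for a version string, including the per-branch logic SimpleHelp needs (5.5.x, 5.4.x and 5.3.x each have their own fix) and the 3.2.7 lower bound on CVE-2024-12084. How it treats releases on branches the advisory does not name, and its optimistic treatment of versions newer than every fix, are assumptions; and distribution packages that backport fixes without changing the upstream version string will show as affected, so check the package changelog in that case.

```python
"""Branch-aware fixed-version triage for the Rsync and SimpleHelp advisories.

Affected/fixed versions below are the ones stated in the post. Backported
distro packages keep the old upstream version string and will be reported
as affected (assumed caveat): confirm with the package changelog.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.2.7' -> (3, 2, 7); a trailing tag such as '-rc1' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_from_rsync_banner(banner: str) -> Version:
    """Pull the version out of `rsync --version`, e.g.
    'rsync  version 3.2.7  protocol version 31'."""
    m = re.search(r"\bversion\s+(\d+\.\d+(?:\.\d+)?)", banner)
    if not m:
        raise ValueError("no rsync version found in banner")
    return parse_version(m.group(1))


@dataclass(frozen=True)
class Advisory:
    product: str
    cves: Tuple[str, ...]
    introduced: Optional[Version]        # None: every earlier release is affected
    fixed: Dict[Version, Version]        # release-branch prefix -> first fixed version


ADVISORIES = [
    Advisory("rsync", ("CVE-2024-12084",), (3, 2, 7), {(3,): (3, 4, 0)}),
    Advisory("rsync", ("CVE-2024-12085", "CVE-2024-12086", "CVE-2024-12087",
                       "CVE-2024-12088", "CVE-2024-12747"), None, {(3,): (3, 4, 0)}),
    Advisory("SimpleHelp", ("CVE-2024-57726", "CVE-2024-57727", "CVE-2024-57728"), None,
             {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}),
]


def _fmt(v: Version) -> str:
    return ".".join(map(str, v))


def assess(adv: Advisory, version: Version) -> dict:
    """Decide whether `version` of adv.product is affected and what to upgrade to."""
    if adv.introduced is not None and version < adv.introduced:
        return {"affected": False, "cves": [], "upgrade_to": None,
                "reason": f"{_fmt(version)} predates {_fmt(adv.introduced)}"}
    # Longest matching branch prefix, e.g. (5, 4, 3) belongs to branch (5, 4).
    branches = [b for b in adv.fixed if version[:len(b)] == b]
    if branches:
        fixed = adv.fixed[max(branches, key=len)]
        affected = version < fixed
        return {"affected": affected, "cves": list(adv.cves) if affected else [],
                "upgrade_to": _fmt(fixed) if affected else None,
                "reason": f"fix on this branch is {_fmt(fixed)}"}
    newest_fix = max(adv.fixed.values())
    if version > newest_fix:
        # Newer than every fixed release: assumed to carry the fix.
        return {"affected": False, "cves": [], "upgrade_to": None,
                "reason": f"newer than {_fmt(newest_fix)} (assumed fixed)"}
    # Older branch with no fix of its own: move to the newest fixed branch.
    return {"affected": True, "cves": list(adv.cves), "upgrade_to": _fmt(newest_fix),
            "reason": "branch has no fixed release"}


def triage(product: str, version_text: str) -> List[dict]:
    """Run every advisory for `product` against one installed version string."""
    version = parse_version(version_text)
    return [dict(product=product, version=_fmt(version), **assess(a, version))
            for a in ADVISORIES if a.product == product]


if __name__ == "__main__":
    # Constructed inputs standing in for vendor questionnaire answers.
    for product, ver in (("rsync", "3.2.6"), ("rsync", "3.3.0"),
                         ("SimpleHelp", "5.4.9"), ("SimpleHelp", "5.2.3")):
        for r in triage(product, ver):
            print(f"{product} {ver}: affected={r['affected']} "
                  f"cves={r['cves']} upgrade_to={r['upgrade_to']} ({r['reason']})")
```

Note the asymmetry the data forces: rsync 3.2.6 escapes CVE-2024-12084 but not the other five, and a SimpleHelp 5.2.x install has no fix on its own branch, so the only answer is the newest fixed release.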

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite provides a detailed FocusTag™ highlighting these vulnerabilities, including a list of affected versions and mitigation steps. By using Black Kite’s asset information—such as associated IP addresses and potentially vulnerable subdomains—TPRM professionals can quickly identify which vendors require immediate attention, streamlining the risk mitigation process.

Black Kite’s SimpleHelp FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

As the cyber threat landscape continues to evolve, maintaining a resilient Third-Party Risk Management (TPRM) framework is more crucial than ever. Black Kite’s FocusTags™ provide a unique advantage, allowing organizations to identify and respond to high-profile vulnerabilities quickly and effectively. By incorporating FocusTags into their TPRM processes, organizations gain:

Timely Vendor Risk Identification: Quickly determine which vendors are impacted by emerging threats, enabling prompt and strategic action.
Prioritized Risk Management: Focus on the most critical vulnerabilities and vendors, ensuring that resources are allocated where they’re needed most.
Enhanced Vendor Collaboration: Conduct more informed and productive discussions with vendors, addressing their specific exposure and improving overall security measures.
Broader Security Insight: Gain a comprehensive view of the current threat landscape, helping TPRM teams anticipate future risks and strengthen their cybersecurity defenses.

With Black Kite’s FocusTags™, TPRM professionals have the tools they need to transform complex threat data into actionable intelligence. This capability not only improves risk management efficiency but also helps ensure that organizations can confidently manage their third-party ecosystem in an increasingly unpredictable digital environment.




FocusTags™ in the Last 30 Days:

  • Juniper Junos: CVE-2025-21598, Out-of-bounds Read vulnerability in Juniper’s Junos.
  • Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
  • SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
  • SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’s SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
  • Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
  • Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and Path Traversal Vulnerability in Progress WhatsUp Gold.
  • GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
  • Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
  • CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
  • Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
  • BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS).
  • Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11773, Authentication Bypass Vulnerability, Command Injection Vulnerability, and SQL Injection (SQLi) Vulnerability leading to Remote Code Execution in Ivanti Cloud Services Application.
  • Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
  • Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21598

https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-When-BGP-traceoptions-are-configured-receipt-of-malformed-BGP-packets-causes-RPD-to-crash-CVE-2025-21598?language=en_US

https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-OS-Evolved-Receipt-of-specifically-malformed-IPv6-packets-causes-kernel-memory-exhaustion-leading-to-Denial-of-Service-CVE-2025-21599?language=en_US

https://securityonline.info/unauthenticated-attackers-can-exploit-junos-vulnerabilities-cve-2025-21598-cve-2025-21599

https://nvd.nist.gov/vuln/detail/CVE-2024-12086

https://nvd.nist.gov/vuln/detail/CVE-2024-12087

https://nvd.nist.gov/vuln/detail/CVE-2024-12747

https://nvd.nist.gov/vuln/detail/CVE-2024-12084

https://nvd.nist.gov/vuln/detail/CVE-2024-12088

https://nvd.nist.gov/vuln/detail/CVE-2024-12085

https://www.openwall.com/lists/oss-security/2025/01/14/3

https://securityonline.info/cve-2024-12084-cvss-9-8-code-execution-risk-rsync-vulnerability-demands-immediate-patching

https://nvd.nist.gov/vuln/detail/CVE-2024-57726

https://nvd.nist.gov/vuln/detail/CVE-2024-57727

https://nvd.nist.gov/vuln/detail/CVE-2024-57728

https://simple-help.com/kb---security-vulnerabilities-01-2025#upgrading-to-v5-5-8

https://thehackernews.com/2025/01/critical-simplehelp-flaws-allow-file.html

https://securityonline.info/simplehelp-urgents-to-patch-critical-security-vulnerabilities

https://thehackernews.com/2023/04/iranian-hackers-using-simplehelp-remote.html

The post FOCUS FRIDAY: Third-Party Risks From Critical Juniper Junos, Rsync, and SimpleHelp Vulnerabilities appeared first on Black Kite.

Building Smarter Security Systems with AI Integration

17 January 2025 at 07:57

Traditional cybersecurity systems, while effective in the past, are increasingly struggling to keep pace with the sophistication of modern threats. Attackers are leveraging advanced tactics that exploit vulnerabilities faster than many organisations can respond. This has left businesses, governments, and individuals seeking innovative ways to fortify their digital defences.

5 Risks Of Skipping CMMC Certification And How To Avoid Them

17 January 2025 at 07:39

US defense contractors are some of the largest and most profitable companies in America’s supply chain. They provide essential resources to support government efforts that allow for ramping up or scaling down on some key defense operations as required.

However, to register and conduct business as a defense contractor, you must obtain a Cybersecurity Maturity Model Certification (CMMC) assessment and subsequently get certified.

Evolution of Self-Storage Units to Meet Demands of Digital Security

17 January 2025 at 00:18

As the digital space continues to evolve, storage facilities face a growing need for security and reliability. For a long time, storage units have traditionally been associated with storing personal and business items.

This article traces the evolution of self-storage facilities with respect to digital data security. The rise of cloud computing and the growing demand for secure data storage options have both driven the evolution of digital storage.

Cybersecurity Essentials for Remote Alarm Businesses

17 January 2025 at 00:09

In 2025, cybersecurity challenges continue to evolve. Remote-ready alarm businesses are not immune. With operations spanning homes and businesses alike, security breaches could be costly.

Strong protection isn’t optional; it’s vital for maintaining trust. From encrypting data to using secure networks, taking precautions can prevent major issues.

Zero Trust Security Model: Why Is It Critical for Modern Enterprises?

16 January 2025 at 05:41

We live in a world where cyber threats are evolving at an incredible rate. Traditional security models no longer cope with the challenges posed by complex and multi-component infrastructures. That is why the issue of information security has become a priority, especially for business enterprises. 

Practical Tips to Help Students Protect Their Data Online

15 January 2025 at 05:13

The digital era has transformed education by making knowledge more accessible and communication easier. However, this convenience raises serious concerns, particularly about personal data. Cyber criminals exploit gaps in awareness and security among students, even those who are tech-savvy. In social networking and online banking, personal data is valuable. Unfortunately, many students disregard its importance and share critical information.

Cybersecurity Trends Business Owners Need to Know in 2025

14 January 2025 at 01:50

Cyber security threats and the technology to combat them are evolving at an unprecedented pace. While cyber threats grow more sophisticated every day, the tools for defending against them are keeping pace. In 2025, organisations and individuals must remain vigilant to protect sensitive data and critical systems.

Here are some of the trends to watch out for in 2025.

The Role of Data Scraping in Modern Cybersecurity Strategies

14 January 2025 at 01:31

As organisations increasingly rely on data-driven decision-making, the methods for collecting, analysing, and protecting data have become critical. Data scraping, often associated with web scraping, plays a dual role in this ecosystem—both as a tool for innovation and a potential cybersecurity risk. Understanding these dynamics can help organisations harness the benefits of data scraping while mitigating its risks. 

How to Solve Vendor Outreach During Security Crisis Events

13 January 2025 at 11:19

Written by: Jason McLarney

You wake up one morning to a news alert: A new Zero-Day vulnerability is emerging, and it’s already being exploited in the wild. You race into the office and sit down at your computer to…write and send generic emails to each of your 1,000 vendors. “Have you been breached? If so, to what extent? Is our data exposed? What’s your plan to respond to it?” 

Radio silence. At best, you get a trickle of responses, but most of your emails go unanswered because your vendors are busy figuring out what happened and how to mitigate fallout. 

Organizations must immediately kick into high gear to mitigate damages or business disruptions when a Zero-Day event or other time-sensitive third-party threat occurs. A key step in this process is contacting vendors to communicate risk intelligence and ensure they take remedial action.

However, this process is easier said than done — especially when vendors are getting inundated by hundreds of frantic and panicked customers.

Most organizations make the mistake of sending vague “hunches” that a vendor is impacted by an incident, followed by a generic security questionnaire. In other words, they’re sharing no new information. In fact, it can come off as hostile policing. This is, obviously, not very motivating for a vendor and typically results in low, delayed, or nonexistent responses. This means risk is not being reduced, either for you or the vendor. 


We built the Black Kite Bridge™ with exactly these challenges in mind. It offers the first end-to-end vulnerability response tool for: 

  • risk identification and scoping
  • intelligence sharing
  • vendor communications
  • real-time reporting

Third-party risk management (TPRM) teams can now share trusted, vetted Black Kite intelligence directly with their vendors. This information is far more specific and actionable, leading to proven vendor engagement. 

4 Ways Black Kite Revolutionizes Vendor Collaboration

Since its inception, Black Kite has been focused on providing the most accurate, transparent, and timely risk intelligence on the market, empowering customers to take control of their third-party risk.

As a result, customers organically started sharing that intelligence and asking for more ways to give their vendors access to it to improve their own cyber risk postures. We heard their feedback, so we built the Black Kite Bridge™ to enable TPRM professionals to:

1. Confidently Narrow the Scope of the Outreach

One of the most significant challenges in responding to an emerging Zero-Day event is knowing which vendors are impacted and what type of data to share with them. 

Instead of casting the net wide and contacting vendors that may or may not pose a risk to your company, customers can leverage Black Kite to:

  1. Identify those vendors that have a material impact on your business.
  2. Narrow the scope of outreach into a manageable list based on known exposures or susceptibility to attacks.

We arm you with insights, such as:

  • Tags highlighting known impacted vendors in your cyber ecosystem through FocusTags™, to give you confidence in your actual exposures.
  • Real-time risk quantification for all vendors, enabling you to make decisions based on potential financial impact if a threat were to impact a particular vendor.
  • Actionable, asset-level evidence and recommended remediation steps rooted in a common language, like MITRE and NIST. Rather than asking generic questions, we provide you with targeted evidence to share, so a vendor can take immediate and appropriate action.

When you can share this information directly with a vendor through the Black Kite Bridge™, it gives you both a clear way forward. Instead of saying, “We think you were affected by X event — tell us if you were and what you’re doing to remediate it,” you can approach the vendor with clear evidence of what happened and hard recommendations to fix it. 

2. Communicate and Remediate in a Central Location

Vendor communications about risk and the risk intelligence itself should live in the same location. 

Why? Organizations already struggle with the sheer volume of vendors they rely on. If they need to communicate with all of them through one-off channels like email and without embedded context, this can easily become too complex and error-prone to scale. 

Today, the relevant intelligence often lives in a separate tool from vendor communications (e.g., a GRC or VRM tool). Or worse yet, it lives in long email threads and offline spreadsheets. When TPRM is handled manually like this, progress becomes impossible to track, details slip through the cracks, and, ultimately, risk is not reduced.

A better way:

  • Black Kite Bridge™ centralizes intelligence sharing and vendor communications in one location. 
  • Now vendors can access and view the same findings our customers see through a self-serve portal. 
  • As the vendor remediates issues, their risk ratings change in real time (versus the weeks it typically takes for traditional SRS solutions to update). 
  • This gives the vendor confidence they are doing the right things. 
  • The process becomes far smoother, and the vendor relationship becomes far more frictionless.

3. Report in Real Time

Since communications and intelligence live in one tool, reporting becomes a breeze. Your CISO wants a status update on that Zero-Day event? No problem.

With out-of-the-box reporting, you can immediately measure an incident’s initial exposure, vendor response rates, remediation progress, mean time to remediate (MTTR), and more across all vendors. Say goodbye to time-consuming, manual tracking in spreadsheets.

4. Achieve Higher Vendor Engagement & Partnership

The Black Kite Bridge™ lets customers share unprecedented, ungated access to the intelligence they trust and rely on with their third-party vendors. Our customers have seen huge improvements in response rates and better relationships as a result of the benefits their vendors receive:

  1. Timely access to incident details, prioritized list of findings, and remediation steps.
  2. Real-time updates to ratings for closing out risks.
  3. Visibility into responses, which means fewer private messages, questionnaires, or emails to track, and more time back in your day (and your vendors’).

Bridge the Communication Gap with Black Kite

For large organizations with hundreds or thousands of suppliers, scaling vendor engagement processes and TPRM can feel impossible. With the Black Kite Bridge™, responding to emerging cyber incidents becomes a breeze. Learn more about the challenges and opportunities of vendor outreach in our latest ebook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. And learn more about Black Kite with a personalized demo.

To learn more practical strategies for building stronger vendor partnerships, check out our ebook: Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events.

The post How to Solve Vendor Outreach During Security Crisis Events appeared first on Black Kite.

Focus Friday: Addressing Critical Vulnerabilities in SonicWall, Ivanti, Progress, and GoCD

10 January 2025 at 10:25

Written by: Ferdi Gül

Welcome to this week’s Focus Friday blog, where we analyze high-profile vulnerabilities and incidents from a Third-Party Risk Management (TPRM) perspective. As organizations grapple with the growing complexities of cybersecurity threats, identifying and addressing vendor-related risks becomes paramount. This was a busy week for vulnerabilities: we examined critical issues in widely used products, including SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD. These vulnerabilities underscore the importance of swift action and strategic prioritization in TPRM processes. Read on to explore actionable insights and strategies to mitigate these risks.

Filtered view of companies with SonicWall SonicOS FocusTag™ on the Black Kite platform.

Critical Vulnerabilities in SonicWall SonicOS

What are the vulnerabilities affecting SonicWall SonicOS?

The SonicWall SonicOS platform has been found vulnerable to multiple issues that could severely impact network security. Below are the key vulnerabilities:

CVE-2024-40762: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in the SSLVPN authentication token generator. This flaw allows attackers to predict authentication tokens, potentially leading to authentication bypass. (CVSS Score: 7.1)

CVE-2024-53704: Authentication Bypass vulnerability in the SSLVPN mechanism that could enable remote attackers to gain unauthorized system access. (CVSS Score: 8.2)

CVE-2024-53706: Local Privilege Escalation vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions). This allows attackers to escalate privileges to root, potentially leading to arbitrary code execution. (CVSS Score: 7.8)

CVE-2024-53705: Server-Side Request Forgery (SSRF) vulnerability in the SSH management interface. Attackers could establish TCP connections to arbitrary IP addresses and ports, enabling further attacks. (CVSS Score: 6.5, EPSS Score: 0.04%)

These vulnerabilities were disclosed in SonicWall’s security advisory on January 7, 2025. While no active exploitation has been reported yet, similar vulnerabilities have been targeted by Chinese threat actors in the past, raising the likelihood of exploitation in future attack campaigns. As of now, these vulnerabilities are not listed in CISA’s KEV catalog.
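The CVE-2024-40762 entry above describes a whole vulnerability class: an authentication token drawn from a PRNG that is not cryptographically secure can be regenerated by anyone who can narrow down its seed. The Python below is an added illustration of that class, not SonicWall’s code (the advisory does not describe its generator). It builds a token from Python’s Mersenne Twister seeded with a guessable timestamp, beside a token from the operating system’s CSPRNG via the `secrets` module, and runs a defender-side check: whether a token can be reproduced from a small window of candidate seeds. The seed value, the 60-second window and the function names are assumptions made for the example.

```python
import random
import secrets


def weak_token(seed: int, nbytes: int = 16) -> str:
    """Session token drawn from Python's Mersenne Twister (a non-cryptographic
    PRNG) seeded with a guessable value such as the issuance timestamp.
    Constructed to illustrate the CVE-2024-40762 vulnerability class; it is
    not SonicWall's actual generator."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def strong_token(nbytes: int = 16) -> str:
    """Session token drawn from the operating system's CSPRNG."""
    return secrets.token_hex(nbytes)


def reproducible_from(token: str, candidate_seeds) -> bool:
    """Defender-side check: can the token be regenerated from any seed in a
    small candidate set? True means the generator is predictable to anyone
    who can narrow down the seed (for example, who knows roughly when the
    token was issued)."""
    return any(weak_token(seed) == token for seed in candidate_seeds)


def demo() -> dict:
    issued_at = 1736208000                           # constructed: 2025-01-07 00:00:00 UTC
    window = range(issued_at - 30, issued_at + 31)   # issuance time known to +/-30 s

    weak = weak_token(issued_at)
    strong = strong_token()
    return {
        "weak_predictable": reproducible_from(weak, window),          # True
        "strong_predictable": reproducible_from(strong, window),      # False
        "weak_repeats_for_same_seed": weak_token(issued_at) == weak,  # True
        "strong_repeats": strong_token() == strong,                   # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is deliberately generator-specific: it only tells you whether a token could have come from this seeding scheme. In an audit of a real product the equivalent evidence is the source of the token generator (an OS CSPRNG or a library built on one versus a general-purpose PRNG seeded from time, PID or a counter), which is the question to put to a vendor when a weak-PRNG advisory lands.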

Why should TPRM professionals care about these vulnerabilities?

The vulnerabilities in SonicWall SonicOS present significant risks for organizations that rely on these devices for network security:

  • Authentication Bypass (CVE-2024-53704): Attackers gaining unauthorized access could compromise sensitive data, introduce malware, or disrupt critical services.
  • Local Privilege Escalation (CVE-2024-53706): A successful attack could allow threat actors to execute arbitrary code, potentially leading to full control of the affected systems.
  • SSRF (CVE-2024-53705): This could facilitate lateral movement or act as a pivot point for launching further attacks.
  • PRNG Vulnerability (CVE-2024-40762): Weak token generation undermines the reliability of authentication mechanisms, posing a significant threat to systems reliant on SSLVPN.

These vulnerabilities directly affect SonicWall Gen6/6.5, Gen7, and TZ80 devices, often used by organizations as a critical part of their perimeter defense. Exploitation could result in compromised networks, data breaches, or service interruptions, which would affect operational and business continuity.

What questions should TPRM professionals ask vendors about these vulnerabilities?

  1. Have you updated all affected Gen6/6.5, Gen7, and TZ80 series devices to the recommended SonicOS versions (6.5.5.1-6n, 7.1.3-7015, 7.0.1-5165, and 8.0.0-8037 respectively) to mitigate the risk of CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706?
  2. Can you confirm if you have implemented measures to limit SSLVPN and SSH management access to trusted sources or disabled access from the internet entirely to reduce exposure to the vulnerabilities CVE-2024-40762 and CVE-2024-53704?
  3. Have you enabled Multi-Factor Authentication (MFA) for all remote access to enhance security against the improper authentication issue in the SSLVPN mechanism (CVE-2024-53704)?
  4. How are you monitoring your system logs and network traffic to detect any unusual activity that may indicate attempted exploitation of the server-side request forgery (SSRF) flaw in the SSH management interface (CVE-2024-53705) and the privilege escalation issue in the Gen7 SonicOS Cloud platform NSv (CVE-2024-53706)?

Remediation Recommendations for Vendors

To mitigate the risks associated with these vulnerabilities, vendors should:

  1. Update Firmware: Ensure all impacted devices are updated to the fixed versions:
    • Gen6 Firewalls: SonicOS 6.5.5.1-6n or higher
    • Gen7 Firewalls: SonicOS 7.1.3-7015 or higher
    • Gen7 NSv: SonicOS 7.0.1-5165 or higher
    • TZ80 Series: SonicOS 8.0.0-8037 or higher
  2. Restrict Access: Limit SSLVPN and SSH management access to trusted sources or disable access from the internet entirely.
  3. Enable Multi-Factor Authentication (MFA): Strengthen authentication for all remote access to reduce attack surface.
  4. Monitor and Log: Continuously review system logs and monitor network traffic for anomalies that may indicate exploitation attempts.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite published the FocusTag™ SonicWall SonicOS – Jan2025 on January 8, 2025 to help TPRM professionals quickly identify vendors at risk. The tag provides:

  • A list of vendors using affected SonicWall devices and their associated assets, such as IP addresses or subdomains.
  • Insight into which vulnerabilities may impact vendors’ systems.
  • An updated status on exploitation activity or new advisories.

Using this tag, professionals can narrow the scope of their risk assessments, focus efforts on high-priority vendors, and expedite their response to these vulnerabilities.

Black Kite’s SonicWall SonicOS FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure

What are the vulnerabilities affecting Ivanti Connect Secure?

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateway products are affected by two critical vulnerabilities:

CVE-2025-0282: A Critical Stack-Based Buffer Overflow Vulnerability that permits unauthenticated remote code execution. This vulnerability affects Ivanti Connect Secure versions 22.7R2 through 22.7R2.4, Policy Secure versions 22.7R1 through 22.7R1.2, and Neurons for ZTA Gateways versions 22.7R2 through 22.7R2.3. It has a CVSS score of 9.0, reflecting its high severity, and an EPSS score of 0.83%, indicating a notable likelihood of exploitation.

CVE-2025-0283: A High-Severity Stack-Based Buffer Overflow Vulnerability that enables local authenticated attackers to escalate their privileges. This issue impacts the same product versions as CVE-2025-0282. It has a CVSS score of 7.0 and an EPSS score of 0.04%, suggesting a moderate risk of exploitation.

Both vulnerabilities were disclosed on January 8, 2025. CVE-2025-0282 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025, and is being exploited in limited incidents, particularly targeting Connect Secure appliances. Mandiant has attributed these exploitations to UNC5337, a suspected subgroup of the China-based espionage group UNC5221. No exploitation of CVE-2025-0283 has been reported.

Why should TPRM professionals care about these vulnerabilities?

These vulnerabilities present significant risks to organizations using Ivanti products:

  • CVE-2025-0282: The ability to achieve unauthenticated remote code execution could enable attackers to gain full control of affected systems, compromising network integrity and exposing sensitive data.
  • CVE-2025-0283: Privilege escalation could allow an attacker with local access to execute actions reserved for administrators, further increasing the risk of insider threats or unauthorized system changes.

The active exploitation of CVE-2025-0282 highlights the urgency of addressing these vulnerabilities, particularly for organizations relying on these products for secure remote access and network security.

What questions should TPRM professionals ask vendors about these vulnerabilities?

  1. Have you identified any systems within your organization running vulnerable versions of Ivanti Connect Secure, Policy Secure, or Neurons for ZTA Gateways?
  2. Have you applied the necessary patches for these vulnerabilities, and if so, when was the patching completed?
  3. Are you actively monitoring systems for signs of exploitation, particularly regarding CVE-2025-0282?
  4. Have you implemented Ivanti’s Integrity Checker Tool (ICT) to detect compromises, and what were the results?

Remediation Recommendations for Vendors

To mitigate the risks associated with these vulnerabilities, vendors should:

  1. Apply Patches Immediately: Upgrade to the latest patched versions:
    • Ivanti Connect Secure: Version 22.7R2.5 or higher.
    • Policy Secure: Patched versions available by January 21, 2025.
    • Neurons for ZTA Gateways: Patched versions available by January 21, 2025.
  2. Perform Integrity Checks: Use Ivanti’s Integrity Checker Tool (ICT) to detect any signs of compromise in both internal and external systems.
  3. Restrict Internet Exposure: Ensure that Policy Secure appliances are not exposed to the internet, reducing the likelihood of exploitation.
  4. Factory Reset Compromised Systems: If signs of compromise are detected, perform a factory reset before redeployment.
  5. Monitor Activity: Continuously review system logs and network traffic for anomalies that may indicate exploitation attempts.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite’s FocusTag™ Ivanti Connect Secure – Jan2025 enables TPRM professionals to identify vendors at risk of exposure to these vulnerabilities. This tag provides:

  • Insight into which vendors utilize affected Ivanti products and their associated assets, such as IP addresses and subdomains.
  • Actionable intelligence to prioritize assessments and remediation efforts.
  • Updates on exploitation activity and vendor patching status to guide decision-making.

The tag was published on January 9, 2025. Leveraging this tag can streamline risk management efforts and enhance the security posture of third-party ecosystems.

Black Kite’s Ivanti Connect Secure – Jan2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-12108, CVE-2024-12105, and CVE-2024-12106 Vulnerabilities in Progress WhatsUp Gold

What are the vulnerabilities affecting Progress WhatsUp Gold?

The Progress WhatsUp Gold network monitoring software has been identified as vulnerable to the following critical and medium-severity security issues:

CVE-2024-12108: An Authentication Bypass by Spoofing Vulnerability that allows attackers to gain complete control of the WhatsUp Gold server via the public API. This vulnerability has a CVSS score of 9.6 and an EPSS score of 0.07%, making it critical in severity.

CVE-2024-12106: A Missing Authentication for Critical Function Vulnerability that enables unauthenticated attackers to configure LDAP settings, potentially leading to unauthorized access and data breaches. While this vulnerability is rated Critical with a CVSS score of 9.4 by the CNA, the NIST CVSS score is 7.5. Its EPSS score is 0.05%.

CVE-2024-12105: A Path Traversal Vulnerability that allows authenticated users to extract sensitive information through specially crafted HTTP requests. This vulnerability is rated Medium with a CVSS score of 6.5 and an EPSS score of 0.05%.

These vulnerabilities affect WhatsUp Gold versions prior to 24.0.2. Progress issued a security bulletin on December 12, 2024, urging users to upgrade. While no evidence of active exploitation exists, similar vulnerabilities have historically attracted threat actors targeting network monitoring systems.
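CVE-2024-12105 is described above as an authenticated path traversal via crafted HTTP requests. The Python below is an added example of that vulnerability class and its fix, not Progress’s code (the advisory does not describe the affected handler). It puts a naive file-serving handler that joins the decoded request onto the served directory beside a hardened one that canonicalises the path and checks containment, then exercises both against a constructed directory layout with encoded, double-encoded and absolute-path requests. The directory names, file contents and function names are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would leave the served directory."""


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Naive handler: decodes the request and joins it onto base_dir.
    '../' segments, percent-encoded or not, walk out of base_dir."""
    path = os.path.join(base_dir, unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Canonicalise the requested path and verify it stays inside base_dir."""
    base = Path(base_dir).resolve()
    decoded = unquote(unquote(requested))        # decode twice: %252e%252e -> ..
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested path")
    # Path.resolve() collapses '..' and follows symlinks, so a symlink that
    # points outside base_dir is also rejected by the containment check.
    # An absolute request replaces base entirely and is rejected the same way.
    candidate = (base / decoded).resolve()
    if candidate != base and base not in candidate.parents:
        raise TraversalError(f"path escapes served directory: {requested!r}")
    return candidate


def safe_read(base_dir: str, requested: str) -> bytes:
    """Hardened handler: only reads files under base_dir."""
    return safe_resolve(base_dir, requested).read_bytes()


def build_fixture() -> Path:
    """Constructed on-disk layout: only 'reports/' is meant to be served."""
    root = Path(tempfile.mkdtemp())
    (root / "reports").mkdir()
    (root / "reports" / "daily.txt").write_bytes(b"device uptime ok")
    (root / "secret.txt").write_bytes(b"ldap bind password")   # must stay private
    return root


def _outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except TraversalError:
        return "blocked"


def demo() -> dict:
    served = str(build_fixture() / "reports")
    return {
        "normal": safe_read(served, "daily.txt"),
        "vulnerable_escape": vulnerable_read(served, "..%2Fsecret.txt"),
        "hardened_escape": _outcome(safe_read, served, "..%2Fsecret.txt"),
        "hardened_double_encoded": _outcome(safe_read, served, "%252e%252e/secret.txt"),
        "hardened_absolute": _outcome(safe_read, served, "/etc/hostname"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The containment check is done on the fully resolved path rather than on the request string, which is why the encoded and double-encoded forms are caught without a denylist of `..` spellings; the same resolve-then-compare pattern is what to look for when reviewing a vendor’s fix for a traversal finding.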

Why should TPRM professionals care about these vulnerabilities?

The WhatsUp Gold vulnerabilities present critical risks to network security due to the product’s integral role in monitoring and managing network devices. Exploitation of these vulnerabilities could result in:

  • Full System Compromise: CVE-2024-12108 could allow attackers to control the WhatsUp Gold server, compromising all monitored devices and exposing sensitive configurations.
  • Data Breaches: CVE-2024-12106 could enable attackers to tamper with LDAP settings, leading to unauthorized access to sensitive data or services.
  • Sensitive Information Exposure: CVE-2024-12105 could facilitate information disclosure, which could be leveraged for subsequent attacks.

These risks make these vulnerabilities particularly concerning for third-party risk management (TPRM) professionals monitoring vendor ecosystems. The critical CVSS scores of CVE-2024-12108 and CVE-2024-12106 highlight the need for immediate action.

What questions should TPRM professionals ask vendors about these vulnerabilities?

  1. Have you identified any systems within your organization running vulnerable versions of WhatsUp Gold prior to 24.0.2?
  2. Has your organization implemented the recommended update to version 24.0.2, and when was it completed?
  3. Are access controls in place to restrict unauthorized changes to LDAP configurations and prevent exploitation?
  4. How do you monitor and address unusual activity that could indicate exploitation attempts related to these vulnerabilities?

Remediation Recommendations for Vendors

To address these vulnerabilities, vendors should:

  1. Upgrade Software: Immediately update to WhatsUp Gold version 24.0.2 to patch all identified vulnerabilities.
  2. Restrict Access: Limit server access to authorized personnel only and ensure secure configuration of LDAP settings.
  3. Monitor Logs: Regularly review server and network logs for anomalies indicative of exploitation attempts.
  4. Enhance Security Measures: Implement firewalls, intrusion detection systems, and strong authentication mechanisms to mitigate potential risks.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite provides the FocusTag™ Progress WhatsUp Gold, published on January 2, 2025, to help TPRM professionals identify and address potential risks in their vendor ecosystems. This tag allows users to:

  1. Determine which vendors utilize affected versions of WhatsUp Gold and the associated assets.
  2. Access details on vulnerable IP addresses and subdomains to prioritize risk assessments.
  3. Leverage actionable insights to communicate effectively with vendors and ensure timely remediation.

Black Kite’s Progress WhatsUp Gold FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-56320 in GoCD

What is the GoCD Admin Privilege Escalation Vulnerability?

CVE-2024-56320 is a Critical Improper Authorization Vulnerability affecting GoCD versions prior to 24.5.0. This flaw enables authenticated users to persistently escalate their privileges to admin level, compromising the system’s integrity and security. The vulnerability arises from insufficient access controls in the admin “Configuration XML” UI feature and its associated API. The vulnerability has a CVSS score of 9.4 and an EPSS score of 0.05%, and it was published in January 2025.

This vulnerability cannot be exploited without prior authentication, requiring an attacker to have a valid GoCD user account. It poses a significant insider threat but does not currently have publicly available exploit code. As of now, it is not listed in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care about this vulnerability?

The critical nature of CVE-2024-56320 makes it a significant concern for TPRM professionals. As GoCD is a continuous delivery server, its exploitation could:

  • Compromise CI/CD Pipelines: Escalated admin privileges could allow attackers to alter build configurations, inject malicious code, or disrupt deployments.
  • Sensitive Information Disclosure: Unauthorized access to admin-only data could expose credentials, API keys, and system configurations.
  • Operational Risks: Persistent admin-level access increases the risk of prolonged exploitation and unauthorized system changes.

This vulnerability highlights the importance of securing insider accounts and CI/CD environments, both critical for maintaining operational and data security.

What questions should TPRM professionals ask vendors about this vulnerability?

  1. Have you upgraded all instances of GoCD to version 24.5.0 or later to mitigate the risk of CVE-2024-56320?
  2. Have you implemented the recommended workarounds, such as using a reverse proxy or web application firewall (WAF) to block external access to paths with the /go/rails/ prefix, and limiting the GoCD user base to trusted individuals?
  3. Can you confirm if you have taken steps to review network logs regularly for any unusual or unauthorized activities that could indicate exploitation attempts related to CVE-2024-56320?
  4. Have you considered temporarily disabling plugins like the guest-login-plugin that allow limited anonymous access to further secure your GoCD instances from potential exploitation of CVE-2024-56320?

Remediation Recommendations for Vendors

To mitigate the risks of CVE-2024-56320, vendors should:

  1. Upgrade to GoCD Version 24.5.0: This version addresses the improper authorization flaw and prevents privilege escalation.
  2. Restrict Access: Implement a reverse proxy or web application firewall (WAF) to block access to vulnerable paths with the /go/rails/ prefix. This can mitigate the risk without affecting functionality.
  3. Limit User Base: Reduce GoCD access to a smaller group of trusted users. Temporarily disable plugins like the “guest-login-plugin” to prevent anonymous or unauthorized access.
  4. Monitor Logs: Regularly review system and application logs for signs of privilege escalation or unauthorized access.
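The first remediation step in each of the four sections above (SonicWall, Ivanti, WhatsUp Gold, GoCD) is the same: confirm that every affected instance is on or past a stated fixed build. The Python below is an added example of how a TPRM team might automate that check over a vendor asset inventory; it is not Black Kite’s code or any vendor’s tool. The fixed and affected versions are the ones quoted in the sections above. Assumptions made for the example: the version-ordering rules in `version_key` (numeric segments compare numerically, `22.7R2` sorts before `22.7R2.5`, and a trailing letter such as the `n` in `6.5.5.1-6n` marks a later build of the same number), the product labels used as keys, and the vendor inventory, which is constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> tuple:
    """Turn strings like '7.1.3-7015', '22.7R2.4' or '6.5.5.1-6n' into a tuple
    that compares component-wise. Digit runs compare numerically; letter runs
    compare as lower-case text. A version that is a prefix of another sorts
    first, so '22.7R2' < '22.7R2.5' and '6.5.5.1-6' < '6.5.5.1-6n'
    (assumption: a trailing letter marks a later build of the same number)."""
    return tuple(
        (1, int(tok)) if tok.isdigit() else (0, tok.lower())
        for tok in _TOKEN.findall(version)
    )


@dataclass(frozen=True)
class Rule:
    product: str
    cves: Tuple[str, ...]
    fixed: Optional[str] = None            # first non-vulnerable version, if released
    first_affected: Optional[str] = None   # inclusive lower bound, where the advisory gives one
    last_affected: Optional[str] = None    # inclusive upper bound, used while no fix exists

    def matches(self, version: str) -> bool:
        key = version_key(version)
        if self.first_affected and key < version_key(self.first_affected):
            return False                   # older than the advisory's stated range
        if self.fixed:
            return key < version_key(self.fixed)
        if self.last_affected:
            return key <= version_key(self.last_affected)
        return False


SONICWALL = ("CVE-2024-40762", "CVE-2024-53704", "CVE-2024-53705", "CVE-2024-53706")
IVANTI = ("CVE-2025-0282", "CVE-2025-0283")

# Fixed / affected versions as stated in the advisories summarised above.
RULES = [
    Rule("SonicOS Gen6", SONICWALL, fixed="6.5.5.1-6n"),
    Rule("SonicOS Gen7", SONICWALL, fixed="7.1.3-7015"),
    Rule("SonicOS Gen7 NSv", SONICWALL, fixed="7.0.1-5165"),
    Rule("SonicOS TZ80", SONICWALL, fixed="8.0.0-8037"),
    Rule("Ivanti Connect Secure", IVANTI, fixed="22.7R2.5", first_affected="22.7R2"),
    # No fixed build was available at publication; flag the stated affected range.
    Rule("Ivanti Policy Secure", IVANTI, first_affected="22.7R1", last_affected="22.7R1.2"),
    Rule("Ivanti Neurons for ZTA Gateways", IVANTI, first_affected="22.7R2", last_affected="22.7R2.3"),
    Rule("Progress WhatsUp Gold", ("CVE-2024-12108", "CVE-2024-12106", "CVE-2024-12105"), fixed="24.0.2"),
    Rule("GoCD", ("CVE-2024-56320",), fixed="24.5.0"),
]

Finding = Tuple[str, str, str, Tuple[str, ...]]   # vendor, product, version, CVEs


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Match (vendor, product, version) records against RULES. Product labels
    are assumed to be normalised to the names used in RULES beforehand."""
    by_product = {rule.product: rule for rule in RULES}
    findings: List[Finding] = []
    for vendor, product, version in inventory:
        rule = by_product.get(product)
        if rule and rule.matches(version):
            findings.append((vendor, product, version, rule.cves))
    return findings


# Constructed vendor inventory; vendor names and versions are made up.
INVENTORY = [
    ("Vendor A", "SonicOS Gen7", "7.1.2-7019"),           # below fixed build -> flagged
    ("Vendor A", "SonicOS Gen7", "7.1.3-7015"),           # fixed
    ("Vendor B", "SonicOS Gen6", "6.5.5.1-6n"),           # fixed
    ("Vendor B", "SonicOS Gen7 NSv", "7.0.1-5161"),       # flagged
    ("Vendor C", "Ivanti Connect Secure", "22.7R2.3"),    # flagged
    ("Vendor C", "Ivanti Connect Secure", "22.6R2"),      # outside advisory range -> not flagged
    ("Vendor D", "Ivanti Policy Secure", "22.7R1.1"),     # flagged, no fix yet
    ("Vendor E", "Progress WhatsUp Gold", "24.0.1"),      # flagged
    ("Vendor E", "Progress WhatsUp Gold", "24.0.2"),      # fixed
    ("Vendor F", "GoCD", "24.4.0"),                       # flagged
    ("Vendor F", "GoCD", "24.5.0"),                       # fixed
]


if __name__ == "__main__":
    for vendor, product, version, cves in triage(INVENTORY):
        print(f"{vendor}: {product} {version} -> {', '.join(cves)}")
```

A record that is older than an advisory’s stated range (the `22.6R2` entry) is deliberately left unflagged by this rule: it is out of scope for these CVEs, though an unsupported build is its own question for the vendor. Rules with `last_affected` but no `fixed` should be revisited once the vendor ships a fix, at which point the upper bound is replaced by the fixed version.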

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite’s FocusTag™ GoCD provides actionable intelligence to help TPRM professionals identify vendors potentially impacted by CVE-2024-56320. The tag enables users to:

  • Pinpoint vendors that use vulnerable GoCD versions and associated assets such as IP addresses or subdomains.
  • Access insights into vendors’ patch management and security practices related to CI/CD environments.
  • Expedite risk assessments by narrowing the scope to the most at-risk vendors.

This FocusTag™ was published on January 8, 2025. Black Kite users can operationalize this tag to prioritize remediation efforts and minimize exposure to insider threats.

Black Kite’s GoCD FocusTag™ details critical insights on the event for TPRM professionals.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are indispensable tools for refining TPRM strategies in today’s dynamic cybersecurity landscape. This week’s vulnerabilities in SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD highlight the critical role of FocusTags™ in proactive risk management. Here’s how these tags empower TPRM professionals:

  1. Real-Time Risk Identification: FocusTags™ enable immediate identification of vendors exposed to critical vulnerabilities, such as the authentication bypass issues in SonicWall or the privilege escalation risks in GoCD. This rapid insight ensures a timely response to emerging threats.
  2. Strategic Risk Prioritization: By assessing both the severity of vulnerabilities and the importance of affected vendors, FocusTags™ help allocate resources efficiently, addressing the most pressing risks first.
  3. Enhanced Vendor Engagement: Armed with precise information, TPRM teams can initiate targeted discussions with vendors, emphasizing their exposure to vulnerabilities like the stack-based buffer overflow in Ivanti products or the API flaws in WhatsUp Gold.
  4. Strengthened Cybersecurity Posture: With a comprehensive overview of the evolving threat landscape, FocusTags™ aid in fortifying an organization’s overall security defenses against vulnerabilities impacting critical vendor systems.

Black Kite’s FocusTags™ simplify the complexity of cybersecurity threats by translating intricate technical data into actionable intelligence. This capability is critical for managing third-party risks effectively and proactively, ensuring that organizations remain one step ahead in mitigating potential threats.

Want to take a closer look at FocusTags™?

Take our platform for a test drive and request a demo today.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705; Use of a Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass, Server-Side Request Forgery (SSRF), and Local Privilege Escalation vulnerabilities in SonicWall’s SonicOS SSLVPN, SSH management, and Gen7 Cloud NSv SSH config function.
  • Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283; Stack-Based Buffer Overflow, Remote Code Execution, and Privilege Escalation vulnerabilities in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
  • Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105; Authentication Bypass by Spoofing, Missing Authentication for Critical Function, and Path Traversal vulnerabilities in Progress WhatsUp Gold.
  • GoCD: CVE-2024-56320; Improper Authorization vulnerability in GoCD.
  • Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379; Time-of-Check Time-of-Use (TOCTOU) Race Condition and Remote Code Execution vulnerabilities in Apache Tomcat.
  • CrushFTP: CVE-2024-53552; Account Takeover vulnerability in CrushFTP.
  • Gogs Server: CVE-2024-55947, CVE-2024-54148; Path Traversal vulnerabilities in Gogs Server.
  • BeyondTrust PRA RS: CVE-2024-12356; Command Injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS).
  • Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11773; Authentication Bypass, Command Injection (RCE), and SQL Injection (SQLi) vulnerabilities in Ivanti Cloud Services Application.
  • Cleo File Transfer: CVE-2024-50623, CVE-2024-55956; Remote Code Execution and Unrestricted File Upload and Download vulnerabilities in Cleo Harmony, VLTrader, and LexiCom.
  • Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580; Arbitrary EXE Execution and Remote Code Execution vulnerabilities in Qlik Sense Enterprise.
  • SAP NetWeaver JAVA: CVE-2024-47578; Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
  • PAN-OS: CVE-2024-0012, CVE-2024-9474; Authentication Bypass and Privilege Escalation vulnerabilities in Palo Alto Networks PAN-OS.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-40762
  • https://nvd.nist.gov/vuln/detail/CVE-2024-53704
  • https://nvd.nist.gov/vuln/detail/CVE-2024-53706
  • https://nvd.nist.gov/vuln/detail/CVE-2024-53705
  • https://www.sonicwall.com/support/notices/product-notice-sslvpn-and-ssh-vulnerability-in-sonicos/250107100311877
  • https://securityonline.info/sonicwall-issues-important-security-advisory-for-multiple-vulnerabilities-in-sonicos
  • https://nvd.nist.gov/vuln/detail/CVE-2025-0282
  • https://nvd.nist.gov/vuln/detail/CVE-2025-0283
  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
  • https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html
  • https://nvd.nist.gov/vuln/detail/CVE-2024-12108
  • https://nvd.nist.gov/vuln/detail/CVE-2024-12106
  • https://nvd.nist.gov/vuln/detail/CVE-2024-12105
  • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2024
  • “CVE-2024-12108 (CVSS 9.6) and Beyond: Progress Issues Critical Patch for WhatsUp Gold Network Monitoring Software”
  • https://research.checkpoint.com/2025/6th-january-threat-intelligence-report
  • https://nvd.nist.gov/vuln/detail/CVE-2024-56320
  • https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j
  • https://securityonline.info/gocd-patches-critical-vulnerability-allowing-user-privilege-escalation

The post Focus Friday: Addressing Critical Vulnerabilities in SonicWall, Ivanti, Progress, and GoCD appeared first on Black Kite.

ETL Tools for Secure Amazon AWS Operations

10 January 2025 at 05:08

In the present scenario, where data drives every business, Amazon AWS has become the cornerstone for scalable, reliable, and secure cloud solutions. However, as organisations generate and handle huge amounts of data, efficient data integration becomes highly crucial. This is where ETL comes into play, offering a structured approach to managing and migrating data within the AWS ecosystem.

5 Reasons To Run a Cyber Drill in 2025

Have you taken a look at our monthly compilations of cyber attacks, data breaches and ransomware attacks from 2024? If you so much as glance through them, you’ll know exactly how daunting the evolution of the cyber threat landscape has been in the past year. Cyber security should be a top priority for businesses of all sizes in 2025. And Cyber Drills are a critical tool in building robust cyber defences. 

4 Cybersecurity Essentials for the Hospitality Sector

6 January 2025 at 04:29

The hospitality sector has fully recovered after the past few years when the global health crisis disrupted the international travel industry. However, that doesn’t mean hotels and booking agencies are spared from danger. In terms of cybersecurity, companies will always need to be prepared for anything that could compromise their clients’ most sensitive data. With technology becoming even more sophisticated, hackers are developing new tools and strategies to exploit the hospitality sector’s weaknesses.

From Policing to Partnering: Rethinking the Third-Party Risk Management Process

6 January 2025 at 11:44

Written by: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist

The traditional third-party risk management process often treats vendors with suspicion, mistrust, and skepticism, focusing on control rather than collaboration. This one-way “policing” mindset undermines what should be a productive and mutually beneficial partnership, creating an environment of contention and inefficiency.

Instead of working together to manage risks, organizations often overwhelm vendors with scattershot questions about vulnerability management, patching strategies, SOC 2 compliance, and more — usually without providing clear context or guidance. Vendors are left feeling frustrated and disconnected, expected to comply without fully understanding the purpose or value of their efforts. This approach feels more like an interrogation, turning what should be a partnership into more of a power struggle.

To strengthen defenses and improve the overall risk posture of their ecosystems, organizations need to move beyond this outdated approach of managing third-party risk. After all, cyberattackers don’t work in isolation — they share intelligence, coordinate strategies, and collaborate to exploit weaknesses. To combat this, organizations must adopt a similar mindset, shifting from control to collaboration. Lone wolves simply cannot prevail against well-coordinated efforts. 

Embracing partnership over policing, organizations can build trust and create a culture of shared responsibility — transforming third-party risk management into a proactive, collaborative strategy that benefits everyone involved. To understand why the current approach falls short, let’s examine the consequences of this policing mindset.

The Problem With Policing Vendors 

Policing vendors has long been a common approach in third-party risk management, but it usually creates more problems than it solves. Instead of building a collaborative, trust-based relationship, it positions vendors as adversaries under constant scrutiny. Vendors may feel like they are being targeted — not by cybercriminals, but by the very organizations they’re supposed to support.

This distrust can produce counterproductive outcomes. Rather than being transparent about potential risks or vulnerabilities, vendors may withhold critical information to avoid blame or punitive consequences, leaving organizations blind to the risks they need to manage.

The resulting lack of transparency leads to delayed responses, or none at all, and to missed opportunities for risk mitigation. After all, you can’t address risks you don’t know about. Distrust and resentment go together: vendors resent having their time consumed by lengthy questionnaires, so they deprioritize or ignore them, and organizations waste valuable time chasing incomplete responses.

Beyond the operational inefficiencies, policing represents a major misstep in risk management. It doesn’t just sour relationships; it is fundamentally shortsighted. Because it focuses narrowly on identifying and resolving immediate vulnerabilities, it misses the broader opportunity to build a shared, proactive, long-term defense strategy.

Why Partnering Creates a Better Third-Party Risk Management Process

Cyberattackers don’t work in a vacuum — they operate in networks, share intel and strategies, and collaborate on attack timings. In contrast, many organizations and their vendors remain stuck in reactive, adversarial relationships — pointing fingers, struggling with miscommunication, and ultimately, leaving critical risks untreated. 

A partnership-driven approach flips this dynamic, creating an environment where organizations and vendors collaborate, learn from each other, and pool their resources and expertise. Open communication also eliminates data silos and barriers, meaning it’s easier to act quickly during critical moments. When everyone in your supply chain sees the same accurate, actionable data, responses are faster and more effective. 

Vendors treated as integral allies rather than external risks are more likely to engage openly, prioritize security initiatives, and align with your goals. This approach strengthens relationships, closes security gaps more efficiently, and creates a continuous improvement cycle that benefits both parties.

How To Build Strong Vendor Partnerships

Modernizing your third-party risk management process starts with rethinking how you work with vendors. These tips will help you shift from a policing mindset to a more collaborative approach, building mutually beneficial partnerships that strengthen security:

1. Build a strong foundation from the outset

Partnerships start with transparency. During vendor onboarding, clearly communicate how you assess security posture and why it matters. This sets expectations and reinforces the mutual benefits of an open, collaborative approach.

For existing vendors, revisit your goals and outline plans to strengthen collaboration. Engage your vendors in these discussions — ask for their input on improving collaboration and listen actively to their feedback.

Using tools like Black Kite’s Ransomware Susceptibility Index® can provide insights into which companies in your ecosystem are most likely to be hit by a ransomware attack, so that you can work with your vendors proactively to reduce that risk.

2. Prioritize communication and engagement

Regular communication is essential for maintaining trust and efficiency. Establish direct, security-to-security communication channels to expedite responses during critical moments. Sharing trustworthy, actionable data also reduces the burden on vendors who may be working with hundreds or even thousands of customers — who are all expecting their attention.

Tools like Black Kite Bridge™ streamline this process by centralizing communication, automating outreach, and sharing real-time intelligence. With a tool that shares asset-level vulnerability intelligence and real-time ratings updates, vendors know exactly what they need to do to address your concerns. Vendors also appreciate such solutions as they help them scale efficiently — remediations to one client’s concerns are immediately visible to other clients, saving time.

3. Develop proactive incident detection and resolution processes

Security incidents are inevitable, making it essential to develop a proactive process for identifying and addressing them. Effective incident response depends on access to precise, actionable information shared transparently with vendors.

The traditional approach of inundating vendors with unstructured data leads to delays and confusion. Without clear guidance, vendors may struggle to prioritize their actions. A better option is to use a tool like Black Kite’s FocusTags™ to offer specific, actionable steps for addressing vulnerabilities. This makes it much easier for vendors to know what exactly needs to be done and why.

4. Collaborate on post-mortem incident reviews

When incidents occur, the response shouldn’t end with mitigation. Collaborating with your vendors to conduct post-mortem reviews is much more constructive than pointing fingers. It also shifts the focus to learning and improvement rather than fault-finding. By honestly evaluating what went wrong, it’s easier to take the necessary steps to improve your, and their, response in the future. 

Taking a team-oriented approach to post-incident reviews strengthens your collective defenses. These collaborative discussions show a commitment to mutual success and ongoing improvement, reinforcing your shared responsibility in maintaining a strong security posture.

The Power of Partnership 

Vendor partnerships aren’t just about managing risk — they’re about building relationships that deliver mutual value. Collaboration shifts the dynamic from adversarial into one rooted in trust, transparency, and shared objectives. Partnerships accelerate threat responses, streamline third-party risk management processes, and enable both organizations and vendors to strengthen their defenses. 

The real power of partnership lies in its ability to create a symbiotic cybersecurity ecosystem, where each party contributes to a stronger collective defense. Vendors become trusted allies, working alongside you to identify vulnerabilities, mitigate risks, and stay ahead of threats. In this unified ecosystem, the sum truly is greater than the parts.

To learn more practical strategies for building stronger vendor partnerships, check out our ebook: Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events.

The post From Policing to Partnering: Rethinking the Third-Party Risk Management Process appeared first on Black Kite.

Choosing the Most Secure Payment Gateway for Your E-Commerce Platform

E-commerce has become the main sales channel for many companies, and for many customers it is how they make the vast majority of their purchases. The success of an online store depends on several factors: good branding, maximum website usability, and the quality of the goods or services on offer.

Another factor is no less important: the payment process you offer your customers. Is it safe enough, and is it convenient? That is why choosing the most secure payment gateway for your e-commerce platform is of utmost importance. We will help you understand how to choose the right payment gateway, look at what types of payment gateways exist, and explain how to integrate online payments on your website.

December 2024: Major Cyber Attacks, Data Breaches, Ransomware Attacks

In December 2024, a series of high-profile cyber attacks, data breaches, and ransomware incidents underscored the unrelenting threat landscape confronting businesses today. From telecommunications giant BT and healthcare platform ConnectOnCall to educational institutions such as Texas Tech University, the month witnessed a disturbing uptick in both frequency and severity of malicious activities.

Major engineering and technological services firms, including ENGlobal and Blue Yonder, were not spared, nor were critical infrastructure providers like Telecom Namibia. Healthcare also took a hit, with Anna Jaques Hospital suffering significant disruptions. Kadokawa, the renowned Japanese game maker, experienced breaches that rattled the gaming community.

Even global energy players like Electrica Group were caught in the crosshairs, alongside medical device company Artivion, proving that no sector is immune to cyber threats. Our monthly compilation delves into the biggest cyber attacks and breaches in December 2024. It also explores how these organisations navigated the aftermath of December’s most significant cyber incidents.

Cybersecurity Essentials for LMS Development: Protecting User Data

A learning management system (LMS) is the foundation of today’s education and organisational training. Such systems organise courses, track learner progress, and deliver learning content. But here’s the catch: they process a large volume of personal information, including identity details, academic records, and even payment information.

If not well protected, this data can be accessed by the wrong people and cause financial and/or reputational loss. LMS solutions from syndicode.com emphasise the importance of incorporating foundational security measures from the ground up, ensuring a safe environment for all users.

Focus Friday: TPRM Insights on Apache Tomcat, CrushFTP, and Gogs Server Vulnerabilities

27 December 2024 at 08:53

Written by: Ferdi Gül

Welcome! We’ve come together for the last Focus Friday blog post of 2024. As we close out 2024, I wish everyone a safe, happy, and healthy new year. At the same time, we’ve completed another significant year in cybersecurity. This year, we witnessed important developments in the cybersecurity world and encountered many critical vulnerabilities. Throughout the year, we have explored numerous high-profile vulnerabilities to help organizations manage third-party risks. Today, in this final post of 2024, we will focus on critical security flaws in widely used services like Gogs Server, CrushFTP, and Apache Tomcat. In this post, we will explore what these vulnerabilities mean for Third-Party Risk Management (TPRM) professionals and how Black Kite’s FocusTags™ can provide a more effective approach to managing these risks.

Filtered view of companies with Apache Tomcat RCE FocusTag™ on the Black Kite platform.

Apache Tomcat Remote Code Execution Vulnerabilities (CVE-2024-50379, CVE-2024-56337)

What are the Apache Tomcat Remote Code Execution (RCE) Vulnerabilities?

Two critical RCE vulnerabilities have been disclosed in Apache Tomcat: CVE-2024-50379 and CVE-2024-56337. Both stem from a Time-of-Check to Time-of-Use (TOCTOU) race condition that lets an attacker get code of their choosing executed on the server.

CVE-2024-50379 is a race during JavaServer Pages (JSP) compilation. On a case-insensitive file system (Windows, for example), with the default servlet configured for write access (its readonly initialisation parameter set to false, which is not the shipped default), concurrent reads and uploads of the same file can bypass Tomcat’s case-sensitivity checks and cause an uploaded file to be compiled and run as a JSP. CVE-2024-56337 was assigned because the fix for CVE-2024-50379 was incomplete: systems in the same configuration remain exposed unless the sun.io.useCanonCaches Java system property is also set correctly, and what “correctly” means depends on the Java version in use. Both vulnerabilities have a CVSS score of 9.8, indicating critical severity.

These vulnerabilities were first reported on December 17, 2024. While proof-of-concept (PoC) exploit code is available, no evidence of active exploitation has been reported. They have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and no advisory has been published by CISA.

Why should TPRM professionals care about these vulnerabilities?

Apache Tomcat is widely used to deploy Java-based web applications, making these vulnerabilities highly impactful. The risks associated with these vulnerabilities include:

  • Unauthorized Access: Attackers exploiting these vulnerabilities could gain unauthorized access to systems and sensitive data.
  • Service Disruption: Successful exploitation could lead to service disruption and potential data loss.
  • Reputation Damage: Compromises may damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals can ask the following questions:

  1. Have you updated all instances of Apache Tomcat to versions 11.0.2, 10.1.34, or 9.0.98 or later to mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
  2. Can you confirm that the default servlet’s write functionality has been disabled on your Apache Tomcat servers to prevent the occurrence of the TOCTOU race condition associated with CVE-2024-50379 and CVE-2024-56337?
  3. Depending on your Java version, have you adjusted the sun.io.useCanonCaches system property as recommended to fully mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
  4. Are you regularly reviewing your system logs and network activity to detect any signs of exploitation attempts related to these Apache Tomcat vulnerabilities?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate these vulnerabilities:

  • Upgrade Apache Tomcat: Update to the latest secure versions:
    • Apache Tomcat 11.0.2 or later
    • Apache Tomcat 10.1.34 or later
    • Apache Tomcat 9.0.98 or later
  • Configure Java System Properties: Depending on the Java version in use:
    • For Java 8 or Java 11: explicitly set the sun.io.useCanonCaches system property to false (its default on these versions is true).
    • For Java 17: ensure sun.io.useCanonCaches is false (the default) and has not been overridden to true.
    • For Java 21 and later: no additional configuration is required, as the property and the canonical-path cache it controlled have been removed.
  • Restrict Write Access: Ensure that the default servlet’s write functionality is disabled unless absolutely necessary.
  • Regular Monitoring: Continuously review system logs and network activity for signs of exploitation attempts.
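A configuration check for the conditions above, added here as an example; it is not code from the Tomcat project or from Black Kite. It takes the Tomcat version string, the contents of conf/web.xml, the Java major version and the value passed as -Dsun.io.useCanonCaches (None if unset), plus an operator-supplied flag for whether the file system is case-insensitive, and reports whether the CVE-2024-50379/CVE-2024-56337 conditions are all present. The fixed-version thresholds and Java defaults are the ones stated in the remediation list; the sample web.xml is constructed.

```python
"""Exposure check for CVE-2024-50379 / CVE-2024-56337 (added example)."""
import xml.etree.ElementTree as ET

# First fixed release per supported branch, keyed by (major, minor), per the advisory.
FIXED_VERSIONS = {(9, 0): (9, 0, 98), (10, 1): (10, 1, 34), (11, 0): (11, 0, 2)}
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(text):
    """'10.1.33' -> (10, 1, 33); anything else is rejected rather than guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(p) for p in parts)


def version_is_patched(version):
    """Unknown or end-of-life branches (e.g. 8.5.x) are treated as unpatched."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v >= fixed


def _local(tag):
    """Strip the XML namespace; Tomcat's web.xml uses the javaee or jakartaee one."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_writable(web_xml):
    """True when the DefaultServlet declares readonly=false. Tomcat ships with
    readonly=true, so an absent parameter means write is disabled."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "false"
        return False
    return False


def canon_caches_mitigated(java_major, use_canon_caches=None):
    """use_canon_caches is the value passed as -Dsun.io.useCanonCaches, or None.
    Java 8/11 default the cache on, so only an explicit false counts; Java 17
    defaults it off, so only an explicit true re-opens it; Java 21+ removed it."""
    if java_major >= 21:
        return True
    value = (use_canon_caches or "").strip().lower()
    if java_major >= 17:
        return value != "true"
    return value == "false"


def tomcat_rce_exposure(version, web_xml, java_major, use_canon_caches=None, case_insensitive_fs=True):
    """Combine the conditions; case_insensitive_fs is supplied by the operator
    (True for Windows hosts)."""
    unpatched = not version_is_patched(version)
    writable = default_servlet_writable(web_xml)
    canon_ok = canon_caches_mitigated(java_major, use_canon_caches)
    findings = []
    if unpatched:
        findings.append(f"Tomcat {version} is below the first fixed release for its branch")
    if writable:
        findings.append("DefaultServlet has readonly=false (PUT/DELETE enabled)")
    if not canon_ok:
        findings.append(f"sun.io.useCanonCaches is not forced to false on Java {java_major}")
    # CVE-2024-50379 needs an unpatched build; CVE-2024-56337 exists because a
    # patched build stays exposed while the canonical-path cache is still on.
    exposed = case_insensitive_fs and writable and (unpatched or not canon_ok)
    return {"exposed": exposed, "findings": findings}


# Constructed sample: a conf/web.xml fragment with write enabled on the DefaultServlet.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""
```

The case worth running against a vendor’s estate is a fully patched 10.1.34 on Java 11 with readonly=false and no -Dsun.io.useCanonCaches=false: the check still reports it as exposed, and that gap is exactly what CVE-2024-56337 was assigned for.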

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “Apache Tomcat RCE” which provides the following benefits:

  • Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
  • Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
  • Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.

This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.

Black Kite’s Apache Tomcat RCE FocusTagTM details critical insights on the event for TPRM professionals.

CrushFTP Account Takeover Vulnerability (CVE-2024-53552)

What is the CrushFTP Account Takeover Vulnerability?

CrushFTP, a widely used file transfer server, has disclosed a critical vulnerability identified as CVE-2024-53552. It affects versions prior to 10.8.3 in the 10.x series and prior to 11.2.3 in the 11.x series. The flaw lies in the handling of password resets: an attacker can cause the server to produce a password reset link that leads to a domain outside the legitimate server (which is why the fix restricts the domains allowed in reset links), and if the targeted user clicks that link their account can be taken over, granting unauthorized access to sensitive data and system controls. The vulnerability has a CVSS score of 9.8, indicating critical severity.

The issue was first reported on November 11, 2024. No PoC exploit code is publicly available, and there is no evidence of active exploitation in the wild. The vulnerability has not been added to CISA’s KEV catalog, and CISA has not published an advisory.

Why should TPRM professionals care about this vulnerability?

CrushFTP is widely used for secure file transfers in enterprise environments. This vulnerability poses significant risks, including:

  • Unauthorized Access: Exploitation can lead to unauthorized access to sensitive data and systems.
  • Service Disruption: Successful attacks can disrupt services, leading to downtime and potential data loss.
  • Reputation Damage: Compromises can damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about this vulnerability?

To assess the risk posed by this vulnerability, consider asking vendors the following questions:

  1. Can you confirm if you have updated all instances of CrushFTP to version 10.8.3 or 11.2.3 to mitigate the risk of CVE-2024-53552?
  2. Have you configured the Allowed Domains for Password Resets as recommended in the advisory to prevent unauthorized access through manipulated password reset links?
  3. Can you confirm if you have taken measures to educate users about the legitimacy of password reset emails and the risks associated with clicking on malicious links?
  4. Have you implemented any additional security measures to monitor and detect unusual activity that could indicate attempted exploitation of the CVE-2024-53552 vulnerability?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate this vulnerability:

  • Upgrade CrushFTP: Update to the latest secure versions:
    • CrushFTP 10.8.3 or later
    • CrushFTP 11.2.3 or later
  • Configure Allowed Domains for Password Resets:
    • For version 10.x: Navigate to Preferences > WebInterface > MiniURL, and specify a comma-separated list of allowed domains.
    • For version 11.x: Go to Preferences > WebInterface > Login Page, and set a domain pattern that is not a wildcard (‘*’), as wildcards are no longer permitted.
  • User Awareness: Inform users to be cautious with password reset emails and to verify the legitimacy of such requests before clicking on any links.
  • Regular Monitoring: Regularly review system logs for any unusual activity that could indicate attempted exploitation.
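The advisory’s mitigation, an explicit allowlist of reset-link domains with wildcards refused, is illustrated below with hypothetical application code. This is an added example, not CrushFTP’s code, and the page does not describe the internal mechanism of CVE-2024-53552; what the example shows is the generic reset-link poisoning pattern that such an allowlist defends against: a server that builds the link host from attacker-influenced request headers, next to one that accepts only hosts from the configured list. The header names, domains and token are constructed.

```python
"""Reset-link poisoning versus a domain allowlist (added example, hypothetical app code)."""
from urllib.parse import urlencode, urlparse


def parse_allowed_domains(setting):
    """Parse the comma-separated 'allowed domains' setting into a lowercase set.
    Any wildcard entry is rejected, matching the 11.x behaviour described above:
    an allowlist containing '*' allows everything."""
    domains = set()
    for entry in setting.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        if "*" in entry:
            raise ValueError(f"wildcard entry {entry!r} is not an allowlist")
        domains.add(entry)
    if not domains:
        raise ValueError("allowlist is empty")
    return domains


def _requested_host(headers):
    """Host as the application sees it. Both headers are client-controlled,
    and X-Forwarded-Host is commonly passed through by reverse proxies."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return host.split(":", 1)[0].strip().lower()


def reset_link_trusting_host(headers, token):
    """Vulnerable pattern: the link host comes straight from the request, so a
    reset triggered for a victim with a spoofed header mails the victim a link
    that carries their token to the attacker's domain."""
    return f"https://{_requested_host(headers)}/reset?{urlencode({'token': token})}"


def reset_link_allowlisted(headers, token, allowed):
    """Hardened pattern: refuse to build a link for any host outside the allowlist.
    Returns None when the request must be rejected (and no mail sent)."""
    host = _requested_host(headers)
    if host not in allowed:
        return None
    return f"https://{host}/reset?{urlencode({'token': token})}"


def link_is_trusted(link, allowed):
    """Audit helper for reset links found in mail logs: HTTPS and an allowed host."""
    parsed = urlparse(link)
    return parsed.scheme == "https" and (parsed.hostname or "") in allowed


# Constructed sample data for the demonstration.
ALLOWED = parse_allowed_domains("files.example.com, ftp.example.com")
LEGIT_REQUEST = {"Host": "files.example.com"}
SPOOFED_REQUEST = {"Host": "files.example.com", "X-Forwarded-Host": "attacker.example.net"}
TOKEN = "d41d8cd98f00b204e9800998ecf8427e"
```

The allowlist must be the only source of the link host: reading the host from the request and then merely checking it is fine, but falling back to the request when the allowlist is empty, or accepting a wildcard entry, reintroduces the original problem.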

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “CrushFTP Account Takeover,” which provides:

  • Vendor Exposure Assessment: Identifies vendors potentially impacted by this vulnerability.
  • Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
  • Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to this vulnerability.

Black Kite’s CrushFTP FocusTag™ details critical insights on the event for TPRM professionals.

Gogs Server Path Traversal Vulnerabilities (CVE-2024-55947, CVE-2024-54148)

What Are the Gogs Server Path Traversal Vulnerabilities?

Gogs, an open-source self-hosted Git service, has disclosed two high-severity path traversal vulnerabilities. CVE-2024-55947 is in the file update API: an authenticated user can write files to arbitrary paths on the server, which is enough to gain unauthorized SSH access to the host (for example by writing an SSH key). CVE-2024-54148 is in the file editing UI: an authenticated user can commit a crafted symbolic link (symlink) into a repository and then edit it, causing Gogs to write through the link to a location outside the repository, again leading to unauthorized SSH access. Both vulnerabilities have a CVSS score of 8.7, indicating high severity, and an EPSS score of 0.05%, suggesting a low likelihood of exploitation.

They were first reported on December 23, 2024. PoC exploit code is publicly available, but there is no evidence of active exploitation in the wild. Neither vulnerability has been added to CISA’s KEV catalog, and CISA has not published an advisory at this time.

Why should TPRM professionals care about these vulnerabilities?

Gogs is widely used for managing Git repositories, making it a critical component in many enterprise environments. These vulnerabilities can expose organizations to significant risks. Exploiting these flaws allows attackers to gain unauthorized SSH access to servers, which can lead to unauthorized access to sensitive data, server compromises, or even the manipulation of critical code repositories. Such breaches could lead to service disruption, data loss, and severe reputational damage. Given the high severity of these vulnerabilities and their potential impact on systems that rely on Gogs for version control and collaboration, TPRM professionals should prioritize assessing the exposure of their vendors.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals should ask the following questions:

  1. Have you upgraded all instances of Gogs to version 0.13.1 or later to mitigate the risk of CVE-2024-55947 and CVE-2024-54148?
  2. Can you confirm if you have inspected your existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts of CVE-2024-54148?
  3. Have you restricted repository access to trusted users until the upgrade to Gogs version 0.13.1 or later was completed to mitigate potential exploitation of CVE-2024-55947?
  4. Have you implemented regular inspections of server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts related to CVE-2024-54148 and CVE-2024-55947?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate the risks posed by these vulnerabilities:

  • Upgrade Gogs: Immediately update to version 0.13.1 or later, where these vulnerabilities have been addressed.
  • Restrict User Access: Until the upgrade is completed, limit repository access to trusted users only to mitigate potential exploitation.
  • Review Repository Contents: Examine existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts.
  • Monitor Server Logs: Regularly inspect server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts.
  • Implement Security Best Practices: Ensure that your Gogs instance follows security best practices, including proper configuration and regular updates, to prevent similar vulnerabilities in the future.
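Two of the steps above, reviewing repository contents for suspicious symlinks and guarding the write path, are shown as an added example below. This is not Gogs code, and the commit listing, blob contents and object IDs are constructed. The first part parses `git ls-tree -r` output and, given the content of each symlink blob (what `git cat-file -p` prints for it), flags links that resolve outside the repository or into an .ssh directory. The second part is the server-side containment check a file-update endpoint needs: reject absolute paths, normalise, resolve on-disk symlinks, then confirm the result is still under the repository root.

```python
"""Symlink audit and write-path containment for a Git hosting service (added example)."""
import os
import posixpath
import tempfile


def parse_ls_tree(listing):
    """Parse `git ls-tree -r <rev>` output: '<mode> <type> <sha>' then a tab and the path."""
    entries = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        mode, kind, sha = meta.split()
        entries.append({"mode": mode, "type": kind, "sha": sha, "path": path})
    return entries


def symlink_escapes(path, target):
    """True if a symlink at repo-relative `path` pointing at `target` resolves
    outside the repository or into an SSH configuration directory."""
    if posixpath.isabs(target) or target.startswith("~"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
    if resolved == ".." or resolved.startswith("../"):
        return True
    return "/.ssh/" in f"/{resolved}/"


def suspicious_symlinks(listing, blob_contents):
    """Return (path, target) for every symlink entry (mode 120000) whose target
    escapes. `blob_contents` maps a symlink blob's sha to its content, which is
    the link target (what `git cat-file -p <sha>` prints)."""
    hits = []
    for entry in parse_ls_tree(listing):
        if entry["mode"] != "120000":
            continue
        target = blob_contents.get(entry["sha"], "").strip()
        if symlink_escapes(entry["path"], target):
            hits.append((entry["path"], target))
    return hits


def resolve_write_path(repo_root, requested):
    """Containment check for a file-update endpoint. Rejects absolute paths,
    normalises the request, follows on-disk symlinks via realpath, and then
    requires the result to still be inside the repository. Returns the absolute
    path to write, or None if the request must be refused."""
    if not requested or os.path.isabs(requested):
        return None
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, os.path.normpath(requested)))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo_on_disk_symlink():
    """Build a throwaway 'repository' containing a symlink to a directory outside
    it and show the guard refusing to write through the link."""
    outside = tempfile.mkdtemp()
    repo = tempfile.mkdtemp()
    os.symlink(outside, os.path.join(repo, "link"))
    root = os.path.realpath(repo)
    return {
        "through_symlink": resolve_write_path(repo, "link/authorized_keys"),  # None: refused
        "dotdot": resolve_write_path(repo, "../evil"),                        # None: refused
        "absolute": resolve_write_path(repo, "/etc/passwd"),                  # None: refused
        "inside": resolve_write_path(repo, "docs/README.md") == os.path.join(root, "docs", "README.md"),
    }


# Constructed sample: a commit listing with one benign and one hostile symlink.
SAMPLE_LS_TREE = (
    "100644 blob 3b18e512dba79e4c8300dd08aeb37f8e728b8dad\tREADME.md\n"
    "120000 blob 7c5d4f0a0ec6d2c9f6a9e8b1a2c3d4e5f6a7b8c9\tauthorized_keys\n"
    "120000 blob 0a1b2c3d4e5f60718293a4b5c6d7e8f901234567\tdocs/latest\n"
)
SAMPLE_BLOBS = {
    "7c5d4f0a0ec6d2c9f6a9e8b1a2c3d4e5f6a7b8c9": "../../../.ssh/authorized_keys",
    "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567": "v2",
}
```

Because resolve_write_path calls realpath before the containment check, a symlink that is already committed and checked out on the server (the CVE-2024-54148 scenario) is followed first and then rejected, rather than being written through; a check that only normalises the string path would pass it.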

How TPRM professionals can leverage Black Kite for these vulnerabilities

Black Kite offers a FocusTag titled “Gogs Server,” which provides the following benefits:

  • Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
  • Asset Information: Provides details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
  • Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.

Black Kite’s Gogs Server FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Strategies With Black Kite’s FocusTags™

In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:

  • Real-Time Risk Identification: Instantly pinpoint vendors impacted by the latest vulnerabilities, enabling rapid responses that mitigate potential threats.
  • Strategic Risk Prioritization: Evaluate risks based on the criticality of vendors and the severity of vulnerabilities, ensuring focused efforts where they matter most.
  • Informed Vendor Conversations: Provide the intelligence necessary to engage vendors in detailed discussions about their exposure and response strategies, fostering transparency and collaboration.
  • Strengthened Cybersecurity Ecosystems: Deliver a comprehensive view of the evolving threat landscape, empowering organizations to build resilient and adaptive security frameworks.

By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
  • CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
  • Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
  • BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS).
  • Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11773, Authentication Bypass Vulnerability, Command Injection (RCE) Vulnerability, and SQL Injection Vulnerability in Ivanti Cloud Services Application.
  • Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
  • Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability and Remote Code Execution Vulnerability in Qlik Sense Enterprise.
  • SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
  • PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
  • PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
  • Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

https://securityonline.info/cve-2024-56337-apache-tomcat-patches-critical-rce-vulnerability

https://securityonline.info/rce-and-dos-vulnerabilities-addressed-in-apache-tomcat-cve-2024-50379-and-cve-2024-54677

https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

https://github.com/Alchemist3dot14/CVE-2024-50379

https://nvd.nist.gov/vuln/detail/CVE-2024-53552

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

https://securityonline.info/cve-2024-53552-cvss-9-8-crushftp-flaw-exposes-users-to-account-takeover

https://nvd.nist.gov/vuln/detail/CVE-2024-55947

https://nvd.nist.gov/vuln/detail/CVE-2024-54148

https://github.com/gogs/gogs/releases

The post Focus Friday: TPRM Insights on Apache Tomcat, CrushFTP, and Gogs Server Vulnerabilities appeared first on Black Kite.
