nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Events

MAJOR Cloud Provider Breach

Background and Timeline

In today’s cloud-driven world, trust and transparency are fundamental pillars of cybersecurity. Organizations entrust cloud providers with critical infrastructure and sensitive data, expecting rigorous security controls and open communication when incidents occur. However, recent developments surrounding Oracle’s cloud environment tell a vastly different story.

March 21, 2025: A threat actor known as rose87168 claims to have breached Oracle services under the domain *.oraclecloud.com. The initial report emerges on Bleeping Computer, with Oracle immediately denying any alleged breach, stating that the leaked credentials were not associated with Oracle Cloud and that no customer data was compromised.

Late March 2025: Despite Oracle’s denial, the threat actor releases evidence, including an archive.org link that seemingly confirms unauthorized access to a system using Oracle Access Manager. The hacker also leaks a two-hour-long internal Oracle meeting recording, revealing discussions on internal password vaults and customer-facing systems.

March 28, 2025: Further investigation by cybersecurity researchers and media outlets confirms that Oracle customers’ data—including staff email addresses—has been leaked. Oracle maintains there was no breach, using nuanced language to shift attention toward ‘legacy’ systems instead of core infrastructure.

March 31, 2025: A lawsuit is filed against Oracle Health, accusing the company of attempting to conceal a separate breach and failing to notify affected customers. The suit highlights potential violations of data breach notification laws, underscoring concerns around cloud provider accountability and security transparency.

Early April 2025: The threat actor escalates by leaking additional configuration files and system details, further confirming the security lapse. Meanwhile, Oracle Health, a SaaS subsidiary of Oracle, experiences a separate breach compromising U.S. healthcare organizations and exposing patient data.

April 2-4, 2025: Oracle privately notifies select customers that attackers accessed old client credentials last used in 2017. However, contradicting this statement, leaked data samples include records from late 2024 and early 2025, proving recent exposure. Reports confirm that attackers exploited a 2020 Java vulnerability to gain access and deploy malware, leading to exfiltration of usernames, emails, and hashed passwords from Oracle Identity Manager (IDM) databases.

Implications

If the allegations about this breach hold true, they raise fundamental questions about Oracle’s security measures, incident response, and transparency with customers. While Oracle downplays the situation, attackers remain active, putting affected users at risk of fraud, regulatory consequences, and theft including intellectual property.

Recommended Mitigation

In light of incidents in the cloud, organizations must rethink their approach to protecting their overall infrastructure. Below are critical defenses every cloud-reliant business should implement—along with how nGuard delivers each in our specialized services:

  1. Cloud Security Posture Management (CSPM): Our Cloud Security Assessments include automated tools and expert analysis to identify compliance gaps, misconfigurations, and policy violations in real time.
  2. Strategic Gap Assessments: We evaluate your current cloud security strategy against Zero Trust frameworks and standards to help you close critical gaps to align with regulatory and operational benchmarks.
  3. Incident Response & Digital Forensics: When breaches do occur, nGuard experts deliver rapid containment, root cause analysis, and post-incident reporting to support recovery and regulatory response.
  4. Routine Penetration Testing & Vulnerability Scanning: nGuard’s thorough Penetration Testing and automated Vulnerability Scanning identify misconfigurations and exploitable weaknesses before attackers can act.
  5. Multi-Factor Authentication (MFA): Our team validates the proper use of MFA implementation across platforms to reduce the risk of account compromise—even when credentials are exposed.
  6. Continuous Security Monitoring & Threat Intelligence: Through our Managed Event Collection (MECC) service, nGuard offers real-time monitoring, alerting, and analysis of unusual or malicious activity within your cloud environment.

Conclusion

The Oracle breach serves as a warning that even industry giants are vulnerable to cyber threats. Safeguards and controls must be independently verified, continuously evaluated, and tailored to your unique risk profile.

Cloud security isn’t just a technical concern—it’s a business-critical priority. Harden your cloud infrastructure today with nGuard’s expert guidance and cutting-edge security solutions.

This Week in Cybersecurity (TWiC): Exploit Edition – Veeam, Fortinet, ChatGPT, and WhatsApp

This week saw a sharp uptick in active exploitation, with major vulnerabilities surfacing across backup systems, firewalls, AI platforms, and messaging apps. From remote code execution flaws in Veeam and Fortinet to an SSRF bug in ChatGPT and a WhatsApp zero-day abused by spyware, attackers are leveraging both old and new tactics to gain footholds. Here’s what you need to know.

Veeam Backup Flaw Enables Domain-Wide Remote Code Execution
A critical remote code execution vulnerability (CVE-2025-23120) in Veeam Backup & Replication has been patched, but domain-joined environments remain at serious risk. This deserialization flaw allows any domain user to execute code on vulnerable servers. The vulnerability can allow attackers to bypass existing blacklist-based protections to gain full control of backup infrastructure. All are encouraged to upgrade to Veeam version 12.3.1 immediately.

Risks Identified:

  • Remote execution of arbitrary code by low-privilege domain users
  • Compromised backup servers enabling data exfiltration and deletion
  • Potential full-network compromise via lateral movement

Security Recommendations:

Fortinet Firewalls Under Active Exploitation by Ransomware Groups
CISA has added CVE-2025-24472 and CVE-2024-55591, two authentication bypass flaws in Fortinet’s FortiOS and FortiProxy, to its Known Exploited Vulnerabilities catalog. These bugs allow unauthenticated attackers to gain super-admin access via exposed management interfaces. Ransomware actor Mora_001 has been seen exploiting these vulnerabilities to deploy malware, create persistent access, and conduct full attack chains including data theft and encryption.

Risks Identified:

  • Exploitation of Internet-exposed FortiGate consoles
  • Privilege escalation using crafted proxy requests and WebSocket attacks
  • Deployment of custom ransomware (“SuperBlack”)

Security Recommendations:

  • Immediately apply Fortinet’s patches and restrict access to management interfaces
  • Firewall & Network Device Audits: Uncover vulnerabilities in edge infrastructure and enforce segmentation and access controls. Monitor for suspicious admin account creation and unauthorized script scheduling.
  • Log Management & SIEM Solutions: Allow for real-time detection of post-exploitation activity like unauthorized account creation or lateral movement.

ChatGPT SSRF Bug Under Active Attack by Threat Actors
A newly discovered server-side request forgery (SSRF) vulnerability (CVE-2024-27564) in ChatGPT has become a popular exploit path for attackers. The bug allows malicious actors to inject URLs into ChatGPT inputs, tricking the application into making unauthorized requests. Though rated as medium severity, it has already been weaponized in over 10,000 attack attempts, with financial services and government organizations most heavily targeted.

Risks Identified:

  • Injection of malicious URLs into ChatGPT requests
  • Access to internal services or sensitive resources via SSRF
  • Misconfigured IPS, WAF, and firewalls increase exposure

Security Recommendations:

  • Validate IPS and WAF rules to detect and block SSRF behavior
  • Monitor traffic from known malicious IP addresses
  • Web Application Security Assessments: Simulate attacks like SSRF and reveal weaknesses in your application defenses.
  • Configuration Assessments: Help ensure your WAF, firewall, and intrusion prevention systems are properly tuned to defend against modern web-based threats.

Paragon Spyware Leveraged WhatsApp Zero-Day
Citizen Lab and Meta have confirmed that the Graphite spyware from surveillance firm Paragon exploited a WhatsApp zero-day to carry out zero-click attacks against mobile users in over two dozen countries. Despite Paragon’s claims of ethical use, the spyware has targeted journalists, activists, and government critics, suggesting potential misuse of its capabilities.

Risks Identified:

  • Exploits required no user interaction (zero-click)
  • Attacks affected both Android and iOS users

Security Recommendations:

  • Encourage regular updates for all messaging and mobile apps
  • Limit sensitive communications over third-party messaging platforms
  • Social Engineering Testing: Phishing campaigns that emulate realistic adversary tactics, helping you train staff to avoid common pitfalls.

Wrap
This week’s advisory highlights the continued pressure placed on backup platforms, firewalls, AI systems, and messaging apps. As attackers evolve their strategies from exploiting overlooked bugs to chaining zero-days into spyware campaigns organizations must strengthen their defenses with timely patching, rigorous access control, and continuous monitoring. Stay ahead of the threats by combining proactive assessments, intelligent detection, and user-focused training.

This Little-Known Microsoft Feature Could Be Your Biggest Security Risk!

In a previous This week in Cyber Security advisory, we highlighted how threat actors are successfully exploiting organization’s Microsoft 365 infrastructure using device code phishing attacks. In this advisory, we’ll take a deeper look at how device code authentication works and why it’s targeted, as well as mitigations for device code phishing and other attack vectors that target Microsoft Entra ID tokens.

How Device Code Authentication Works
Instead of signing in directly, users navigate to https://microsoft.com/devicelogin which will redirect them to the login portal seen in the screenshot below, prompting the user to enter a code that will allow a device or app to access their Microsoft Entra ID account.

Just as streaming services like Netflix use device code authentication to simplify logins on remote controls, Entra ID leverages device codes for similar scenarios. This method is particularly useful for Internet of Things (IoT) devices—such as smart appliances and industrial sensors—and command-line interface (CLI) tools, which developers use to interact with software via text commands. These environments often lack traditional authentication options, making device codes an effective solution.
On the back-end, device code authentication uses OAuth 2.0 to authenticate the device or app to the user’s account. Once a user completes the authentication process (including MFA if prompted), an access token and a refresh token are issued to that device or app session. There are other types of tokens within Entra ID but we’ll be focusing on access and refresh tokens here.

  • Access Tokens: This token is used to authenticate or access an Entra ID resource. The default lifetime is a random value between 60 and 90 minutes.
  • Refresh Tokens: Used to refresh or generate new access tokens. This can be continually used with a 90-day timeframe to generate new access tokens.

This is especially useful for attackers for several reasons:

  • By abusing legitimate functionality of a trusted resource, an attacker increases the likelihood of a successful attack.
  • Tokens offer the same level of access and/or privileges as the user’s credentials (e.g., access to Outlook, SharePoint, Teams, etc.).
  • Attackers can maintain access to the account even if a user’s password is updatedTokens need to be manually revoked using PowerShell.
  • MFA is not required to access resources after the device is authenticated to the user’s account.
  • After gaining this initial access via device code phishing, attackers can potentially move laterally, escalate privileges, steal sensitive data, and maintain persistence within the environment through unauthorized access to Microsoft 365 services (Outlook, Teams, SharePoint, etc.) or other Entra ID–protected resources.

Broader Initial Access Threats
In addition to device code phishing, there are other attack vectors that attackers use to try and gain access to Entra ID tokens. Awareness of these types of attacks can help organizations prioritize their defense and mitigation strategies.

Mitigation Guidance
nGuard recommends implementing layered countermeasures to prevent or contain threats to Entra ID. The table below contains Entra ID defense recommendations focusing on removing or restricting initial access (IA) attack vectors first, then focuses on eliminating privilege escalation (PE) vectors.

The table also notes which attack vectors are mitigated by each control. If your organization does not rely on device authentication, disabling it outright can eliminate that attack vector.

Once technical controls are in place, security assessments should be performed regularly to validate that implemented protections are working effectively and ensure misconfigurations or new vulnerabilities haven’t been introduced between assessments.

Recommended DefenseHow It HelpsAttack Vectors Mitigated
Disable or Restrict Device Authentication Flow (if not needed, or limit access via Conditional Access Policies) Removes or locks down device code phishing attack vectors Device Code Phishing
Phishing-Resistant MFA
(e.g., FIDO2 tokens, certificate based, number matching)		 Neutralizes credential attacks such as brute force
Stops easy approvals for MFA fatigue
Increases difficulty of device code phishing attacks		 AiTM Phishing
Credential Attacks
Device Code Phishing
MFA Fatigue
Restrict OAuth App Consents
(admin workflows, governance)		 Blocks malicious apps from tricking users into illicit consent
Prevents unauthorized device code usage if combined with restricted app permission		 Device Code Phishing
Illicit OAuth Consent
Disable Legacy/Basic Authentication (if not needed) Enforces modern authentication / MFA usage
Prevents credential attacks via old protocols that skip MFA		 Credential Attacks
Strong Password Management
(banned password lists, lockout policies)		 Reduces effectiveness of credential attacks
Improves overall credential hygiene		 Credential Attacks
Monitor & Alert on Anomalous SignIns
(Entra ID Protection, SIEM)		 Identifies device code anomalies or suspicious reverse proxy sign-ins
Flags repeated MFA prompts
Spots unusual IP and geolocation usage to detect token theft		 Device Code Phishing
AiTM Phishing
MFA Fatigue
Post Compromise Attacks
Shorter Token Lifetimes & Continuous Access Evaluation (CAE) Limits timeframe tokens validity
Forces frequent reauthentication
Real time risk-based token revocation
Limits the utility of stolen or replayed tokens
Reduces long-lived sessions that man-in-the-middle phishing attackers can exploit		 AiTM Phishing
Post Compromise Attacks
 
Harden Endpoints & Browsers
(EDR, patching, limiting extensions)		 Detects malware that steals tokens or session cookies
Encourages least privilege to contain endpoint compromise		 Post Compromise Attacks

Summary
In addition to implementing technical controls, organizations can enhance security by educating users on recognizing suspicious device code prompts and illicit consent phishing attempts. Regular security awareness training and social engineering exercises help reinforce this knowledge, ensuring users remain vigilant and identifying those who may need additional guidance. By adopting a layered security approach, organizations can increase the difficulty of attacks and provide additional protection in case of unauthorized access. Focusing on high-impact defenses and environment-specific mitigations enables efficient protection against device code phishing and other threats targeting Entra ID.

This Week in Cybersecurity (TWiC): Medical Devices, Phishing, and Espionage

Welcome to this week’s cybersecurity advisory, where we expose the most pressing cyber threats targeting industries worldwide. This edition uncovers major vulnerabilities in medical monitors, a new wave of Microsoft 365 phishing attacks, North Korean cyber espionage tactics, and the hijacking of Signal accounts through malicious QR codes. Here’s what you need to know:

Medical Monitors Contain Embedded Security Risks

The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) recently issued an alert regarding Contec CMS8000 and Epsimed MN-120 patient monitors. The devices, which track vital signs such as heart rate and oxygen saturation, were initially thought to contain a hidden backdoor. However, cybersecurity researchers have since determined that the issue stems from insecure design rather than intentional malware.

Risks Identified:

  • Unauthorized remote access and control of the device.
  • Potential lateral movement within hospital networks.
  • Possible exfiltration of patient health information (PHI).

Security Recommendations:

Russian Threat Actors Exploit Microsoft 365 with Device Code Phishing

Security researchers from Volexity and Microsoft warn that Russian-backed cyber actors are targeting Microsoft 365 accounts using a technique called device code phishing. This method manipulates the OAuth authentication process designed for input-constrained devices like smart TVs and printers.

Attackers masquerade as trusted entities, such as the U.S. Department of State or the Ukrainian Ministry of Defense, to lure victims into entering an authentication code on a phishing page. Once completed, the attackers gain persistent access to the victim’s Microsoft 365 account.

Mitigation Measures:

North Korean APT Exploits PowerShell and Dropbox for Cyber Espionage

Researchers have uncovered a sophisticated cyber espionage operation, DEEP#DRIVE, orchestrated by North Korea’s Kimsuky group (APT43). The campaign targets South Korean government agencies, businesses, and cryptocurrency users using phishing emails that deploy malicious PowerShell scripts via Dropbox.

Threat Tactics:

  • Malicious Windows shortcut (.LNK) files initiate payload execution.
  • PowerShell scripts retrieve additional malware from Dropbox.
  • A scheduled task maintains persistence and exfiltrates sensitive data.

Defensive Actions:

  • Organizations should restrict PowerShell script execution and implement application control policies.
  • Cloud storage access should be monitored for unauthorized API activity.
  • Security awareness training must emphasize phishing lures disguised as document files.

Russian Hackers Exploit Signal’s Linked Device Feature Using QR Codes

Russia-aligned cyber actors have been actively targeting Signal users through malicious QR codes, enabling them to covertly eavesdrop on encrypted communications. Google’s Threat Intelligence Group (GTIG) discovered that these attackers use phishing techniques to trick victims into scanning fraudulent QR codes, unknowingly linking their Signal accounts to adversary-controlled devices.

Key Findings:

  • Attackers disguise QR codes as legitimate Signal group invites.
  • Messages are intercepted in real-time, compromising private conversations.
  • Some campaigns use phishing pages mimicking military applications to deceive Ukrainian personnel.

Protective Measures:

  • Signal users should verify device-linking prompts before scanning QR codes.
  • Organizations should seek out employee training and social engineering efforts to test employee awareness.
  • Users should regularly review and unlink unrecognized devices from their accounts.

Conclusion

This week’s headlines emphasize the continued risk posed by both nation-state and financially motivated actors targeting critical infrastructure, enterprise environments, and personal communication tools. Organizations must adopt a proactive defense strategy, combining network segmentation, endpoint monitoring, phishing awareness, and access control measures to reduce evolving cyber risks.

Stay vigilant, stay secure, and follow nGuard on LinkedIn to stay on top of the latest cyber updates and insights.

DeepSeek’s Security & Privacy Risks: What You Need to Know

The rapid growth of artificial intelligence has introduced groundbreaking innovations, but also new security risks. DeepSeek AI, a China-based company that recently launched a powerful chatbot, has come under scrutiny for serious security and privacy concerns. Reports indicate that DeepSeek’s AI assistant app transmits sensitive user data without encryption, stores information on servers in China, and has ties to ByteDance, the Chinese company behind TikTok. Additionally, the company’s infrastructure has been exposed to major security vulnerabilities, including leaked secret keys, a publicly accessible database, and possible intellectual property violations. Given these alarming findings, organizations and individuals using DeepSeek AI should be aware of the risks and take immediate action to protect their data.

Security Risks Associated with DeepSeek AI

  1. Unencrypted Data TransmissionResearch has revealed that DeepSeek’s iOS app sends sensitive data over unencrypted channels, making it vulnerable to interception and tampering. Despite Apple’s strong recommendation to implement App Transport Security (ATS), DeepSeek has globally disabled this feature, leaving user data exposed. Additionally, the data is sent to ByteDance-controlled servers, where it can be cross-referenced with other datasets to track users.
  2. Exposed Database & Leaked CredentialsIt has been discovered that DeepSeek left a ClickHouse database publicly accessible on the internet, containing over one million log lines with chat history, API secrets, and operational metadata. This lack of security oversight allowed unauthorized access to DeepSeek’s backend and exposed user data to potential cyber threats. While DeepSeek has since secured the database, it is unclear if malicious actors exploited the exposure before it was patched.
  3. Ties to China Mobile & Potential State SurveillanceAn investigation found that DeepSeek’s web login system contains obfuscated code linking to China Mobile, a Chinese state-owned telecom company that has been banned from operating in the U.S. due to national security concerns. This connection raises red flags about the potential for user data to be monitored by the Chinese government, similar to concerns previously raised about TikTok.
  4. Jailbreaking & Prompt Injection VulnerabilitiesSecurity researchers successfully jailbroke DeepSeek’s AI model, exposing its system prompt and internal instructions. This demonstrated that the model could be manipulated into revealing restricted information. Additionally, DeepSeek’s AI has been found to be susceptible to well-known jailbreak techniques such as Do Anything Now (DAN) and EvilBOT, allowing malicious actors to bypass safety restrictions and generate harmful content.
  5. Regulatory Action & BansDue to privacy concerns, Italy’s data protection watchdog has banned DeepSeek from operating in the country, citing insufficient responses regarding data storage and processing practices. Investigations are also underway in Ireland, and U.S. lawmakers are pushing for an immediate ban on DeepSeek from government devices, citing national security threats.

How nGuard Can Help
As organizations face increasing threats from AI-driven security risks, nGuard provides comprehensive cybersecurity solutions to help mitigate these dangers. Our services include:

  • Penetration Testing & Vulnerability Assessments – nGuard can evaluate whether DeepSeek AI or similar applications introduce security risks to your organization’s network.
  • Risk Assessments – nGuard offers in-depth security risk assessments to identify vulnerabilities in your organization’s environment, ensuring compliance with industry regulations and strengthening overall security posture.
  • Compliance Consulting – Our experts help organizations implement standards and ensure compliance with regulatory requirements to safeguard sensitive data.
  • Security Awareness Training – Employees are often the first line of defense. nGuard provides training to help organizations recognize and avoid AI-related threats, including phishing and social engineering attacks.

DeepSeek’s security vulnerabilities, questionable data practices, and ties to Chinese state-affiliated entities present significant risks to users and organizations. Given the exposure of unencrypted data, leaked credentials, and potential government surveillance, businesses should reconsider using DeepSeek in any capacity. With increasing regulatory scrutiny and growing concerns from cybersecurity experts, the risks outweigh the benefits. Organizations should take immediate steps to secure their data and consult nGuard for tailored security solutions to mitigate AI-related threats.

This Week in Cybersecurity (TWiC): Major Breaches, Vulnerabilities, and Emerging AI Threats

In the past few weeks, the cybersecurity landscape has been marked by significant incidents affecting both governmental institutions and private enterprises. This advisory delves into the technical methodologies employed in these breaches, assesses their impacts, and outlines strategic responses to mitigate similar risks in the future.

Fortinet Device Configurations Leaked
A recent disclosure revealed that configuration data and VPN credentials for approximately 15,474 Fortinet devices were posted on the Dark Web. The breach is attributed to the exploitation of CVE-2022-40684, a critical authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager. This vulnerability allowed unauthenticated attackers to perform administrative operations via crafted HTTP requests. The leaked data, though over two years old, underscores the importance of timely patch management and continuous monitoring.

Cisco’s Denial-of-Service Vulnerability
Cisco has released security updates addressing a heap-based buffer overflow vulnerability (CVE-2025-20128) in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV. Exploiting this flaw allows remote attackers to cause a denial-of-service (DoS) condition by submitting crafted files containing OLE2 content, leading to the termination of the ClamAV scanning process. While no active exploitation has been reported, the availability of proof-of-concept exploit code necessitates immediate attention to patching and system hardening.

Chinese Hackers Breach U.S. Treasury
An investigation has uncovered that Chinese hackers infiltrated the U.S. Department of Treasury, gaining access to systems belonging to Secretary Janet Yellen and other top officials. The attackers compromised over 400 computers and accessed more than 3,000 unclassified files, including sensitive information related to sanctions and international affairs. The breach was facilitated by exploiting vulnerabilities in BeyondTrust’s software, highlighting the critical need for robust third-party risk management and regular security assessments.

Emerging AI Threats Identified by OWASP
The Open Web Application Security Project (OWASP) has updated its Top 10 list to include emerging threats associated with Large Language Models (LLMs). Notably, ‘Prompt Injection’ attacks, where adversaries manipulate AI models through crafted inputs, and ‘Supply Chain Vulnerabilities,’ involving compromised pretrained models, have been identified as significant risks. This development emphasizes the necessity for security-focused development practices and thorough vetting of AI components integrated into applications.

Strategic Responses and Forward-Looking Strategies
To mitigate the risks highlighted by these incidents, organizations should consider the following strategies:

  • Regular Security Assessments: Conduct comprehensive evaluations of IT infrastructure to identify and remediate vulnerabilities. nGuard offers tailored security assessment services to proactively address potential weaknesses.
  • Patch Management: Implement a robust patch management program to ensure timely application of security updates, reducing the window of opportunity for attackers.
  • Third-Party Risk Management: Regularly assess and monitor the security posture of third-party vendors to prevent supply chain compromises.
  • AI Security Best Practices: Adopt secure coding practices and thoroughly vet AI models and components to mitigate emerging AI-related threats.

By integrating these strategies, organizations can enhance their resilience against evolving cyber threats and safeguard their critical assets.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later