nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Vulnerability Testing

No Clicks, No Warnings: How EchoLeak Turned Copilot into an AI Data Leak Machine

It’s one thing when an employee clicks a phishing link. It’s another when your AI assistant executes a data exfiltration payload without any user interaction. That is the reality behind EchoLeak (CVE-2025-32711), a critical zero-click vulnerability in Microsoft 365 Copilot. It allows attackers to exploit how the assistant processes seemingly benign content, turning your AI into an unintentional insider threat.

How EchoLeak Works
The attack leverages a flaw in Copilot’s Retrieval-Augmented Generation (RAG) engine. Threat actors send an email containing hidden markdown prompts. These prompts bypass existing Microsoft classifiers, like Cross-Platform Injection Attack (XPIA), and are never seen by the user.

When the user later interacts with Copilot, the assistant fetches this hidden content as contextual data. It then executes embedded instructions that can exfiltrate sensitive information via image loads or external URL calls. No clicking. No approvals. Just invisible exploitation.

The Impact
Copilot’s scope includes email threads, SharePoint files, OneDrive data, Teams messages, and more. EchoLeak gave attackers indirect access to all of it.

This exploit is particularly dangerous because it breaks the traditional model of user-driven compromise. Security controls that depend on detecting user behavior, clicks, or endpoint activity are rendered ineffective. Microsoft patched the vulnerability server-side in May 2025, but the architectural risk remains.

Immediate Remediation Steps
Even though the vulnerability has been patched, remediation should not stop at waiting for vendor updates. Organizations must rethink how they manage and secure AI-powered tools. Here are critical actions to take:

  1. Audit Copilot Permissions
    Review all the systems Copilot has access to. Limit its scope to only the data that is absolutely required for functionality.
  2. Restrict Data Ingestion Sources
    Configure RAG components to limit the ingestion of untrusted sources such as shared inboxes, external messages, or loosely permissioned SharePoint sites.
  3. Filter Prompt Input and Output
    Apply security controls that sanitize markdown content and remove embedded image or link references before they reach the assistant.
  4. Harden Exfiltration Paths
    Monitor outbound HTTP and DNS activity originating from systems interacting with Copilot. Identify and block any unexpected destinations, particularly those linked to automated responses.
  5. Simulate Prompt-Based Attacks
    Test your environment with red team scenarios that include LLM prompt injection and scope violations. Identify weaknesses before adversaries do.

How nGuard Helps
nGuard delivers a portfolio of services that directly align with both the prevention and remediation of LLM threats like EchoLeak.

  • Security Assessments and Penetration Testing
    nGuard identifies vulnerabilities in systems integrated with AI technologies like Microsoft Copilot. Our assessments focus on uncovering insecure data exposures, misconfigurations, and excessive permissions that increase risk. By analyzing access paths and system behaviors, we help ensure enterprise environments are resilient against AI-driven threats.
  • Vulnerability Management
    Our team continuously monitors for emerging threats like EchoLeak and ensures that critical patches and configuration changes are implemented quickly.
  • Managed SIEM
    nGuard provides comprehensive log collection and analysis across Microsoft 365 and cloud environments. By monitoring outbound network activity, authentication events, and data access patterns, we help organizations detect early signs of suspicious behavior that could signal AI-related exploitation or unauthorized data exposure.

Final Thoughts
EchoLeak represents more than just a critical bug. It is a turning point in how security teams must think about AI. When autonomous systems begin interacting with business-critical data, traditional perimeter defenses fall short.

Enterprises need visibility into how AI agents behave, what they can access, and how they can be manipulated. With services that span offensive testing, defensive monitoring, and long-term AI governance, nGuard helps you move beyond reactive security and into proactive control of your AI ecosystem.

Global Credential Database Discovered Containing Logins for Microsoft, Apple, Facebook, and More

184 Million Passwords Exposed in Major Infostealer Leak: What You Need to Know

A newly uncovered database containing more than 184 million login credentials has surfaced, posing significant risks to individuals, businesses, and even governments across the globe. Discovered by cybersecurity researcher Jeremiah Fowler, the exposed data includes usernames, passwords, emails, and, in some cases, authentication URLs and financial account credentials. The data set, over 47GB in size, was stored in an unprotected, publicly accessible format, without encryption or password protection.

While the database has since been taken offline by its hosting provider, World Host Group, the length of exposure and the number of unauthorized accesses remain unknown. Early analysis suggests the credentials were not obtained from a breach of major platforms, but rather through infostealer malware which is malicious software that quietly collects sensitive data from infected user devices.

A Cybercriminal’s Dream Dataset
The exposed credentials reportedly span a wide array of platforms and services:

  • Microsoft
  • Google
  • Facebook
  • Apple
  • Instagram
  • PayPal
  • Netflix
  • Roblox
  • Discord
  • Government and banking portals across more than 29 countries

Fowler’s sample verification revealed that many of the credentials were active, with users confirming that leaked email and password combinations were still in use. Some of the leaked email addresses were linked to .gov domains, raising national security concerns.

Unlike traditional breaches that exploit server-side vulnerabilities, this incident is believed to stem from infostealer infections. These malware variants are often delivered via phishing emails, compromised websites, or pirated software. Once installed, they extract saved credentials from browsers, emails, and applications, sending them back to attackers without any visible signs to the victim.

Credential Stuffing, Identity Theft, and Other Risks
Once credentials are stolen, they can be used in:

  • Credential stuffing attacks: Reused passwords allow attackers to compromise multiple accounts across platforms.
  • Identity theft: Leaked financial, health, or government account details can be used for fraudulent activity.
  • Phishing and social engineering: Personal data is often repurposed to craft targeted, believable phishing messages.
  • Corporate espionage: Access to business systems via reused or weak credentials could lead to data loss or reputational damage.

What You Can Do to Stay Safe
Even if you are unsure whether your credentials were in the leak, taking the following steps is essential:

  • Change your passwords immediately, starting with accounts tied to services in the leak. Prioritize financial, health, and email accounts.
  • Use strong, unique passwords for every account. Avoid simple or reused credentials across services.
  • Enable multi-factor authentication (MFA) wherever available to add an extra layer of account protection.
  • Monitor your accounts for unusual login activity or changes you didn’t make.
  • Scan for malware using trusted antivirus software to ensure your system is not currently compromised.
  • Avoid storing sensitive documents in your email inbox. Use encrypted cloud storage solutions instead.

How nGuard Can Help
To protect your organization against the rising threat of credential leaks and infostealer malware, nGuard offers the following services:

  • Security Awareness Training: Educate your employees on phishing, social engineering, and malware risks to reduce the chances of infection.
  • Social Engineering Testing: Assess and strengthen your human defenses by simulating real-world phishing emails, voice scams, and physical intrusion attempts. nGuard helps you identify employee susceptibility and delivers targeted training to reduce risk.
  • Incident Response: Be prepared with a tested plan in case your systems are breached due to compromised credentials.

Wrap Up
This incident shows how attackers are shifting from platform breaches to user-side compromises using stealthy malware. Even the most security-conscious users can fall victim to an infostealer infection if the right precautions are not in place. With credentials now serving as keys to nearly every aspect of digital life, taking proactive steps to strengthen your security posture is more important than ever.

Now is the time to assess your risk, update your credentials, and implement layered defenses across all accounts and systems. If your organization needs help protecting its users and infrastructure from the next infostealer campaign, nGuard is ready to assist.

Windows Under Attack: May 2025 Patch Tuesday Unveils 5 Active Zero-Days

Microsoft’s May 2025 Patch Tuesday unveiled a concerning landscape for Windows administrators, addressing 78 vulnerabilities, including five zero-day exploits actively leveraged in the wild. These vulnerabilities span critical components of the Windows operating system, emphasizing the necessity for immediate action and robust security measures.

The Zero-Day Threat Landscape
The five zero-day vulnerabilities patched this month are:

  • CVE-2025-30397: A memory corruption vulnerability in the Microsoft Scripting Engine, potentially allowing remote code execution if a user visits a malicious website.
  • CVE-2025-30400: An elevation of privilege flaw in the Windows Desktop Window Manager (DWM) Core Library, which could allow attackers to execute code with elevated privileges.
  • CVE-2025-32701 and CVE-2025-32706: Elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) driver, which have been a recurring target for attackers due to improper input validation.
  • CVE-2025-32709: An elevation of privilege issue in the Windows Ancillary Function Driver for WinSock, affecting multiple Windows Server versions.

These vulnerabilities have been actively exploited, with some linked to targeted espionage and financially motivated attacks, including ransomware deployments.

Strategic Response and Mitigation
Given the active exploitation of these zero-days, organizations should prioritize the following actions:

  1. Immediate Patch Deployment: Ensure all systems are updated with the latest security patches released in May 2025.
  2. Vulnerability Assessment: Conduct comprehensive assessments to identify and remediate vulnerabilities within your environment.
  3. Security Monitoring: Implement continuous monitoring to detect and respond to potential exploitation attempts promptly.
  4. Employee Awareness: Educate staff about the risks associated with these vulnerabilities and promote best practices to prevent exploitation.

Integrating these measures into your security strategy is crucial to defend against the evolving threat landscape.

Looking Ahead
The recurrence of zero-day vulnerabilities in critical Windows components underscores the importance of a proactive and layered security approach. Organizations must remain vigilant, ensuring timely updates, continuous monitoring, and comprehensive security assessments to safeguard against emerging threats.

Microsoft’s Recall Saga: Continuous Coverage and Latest News

Microsoft’s Recall General Release and New Security Considerations

May 7th, 2025

This article serves as the latest update to our ongoing coverage of Microsoft’s controversial Windows Recall feature. Since our previous discussions in September, Microsoft has officially rolled out its Recall feature to the general public following nearly a year of scrutiny, revisions, and limited testing. As part of the new Copilot+ PC experience, Recall remains one of the most debated features Microsoft has released in recent memory. Designed to take continuous screenshots and build a searchable record of user activity, Recall’s functionality promises convenience but continues to raise significant privacy and security concerns.

This latest development includes updates to Recall’s security architecture, usage policies, and system requirements. For organizations considering the deployment of Copilot+ devices, understanding the risks and implementing proactive controls is essential.

Recall Now Live on Copilot+ PCs

Recall is now publicly available on all Copilot+ PCs, excluding those in the European Economic Area where the rollout will occur later this year. It remains exclusive to devices with high-powered Neural Processing Units (NPUs) capable of 40 trillion operations per second or more. This processing enables on-device AI capabilities, reducing the need to send data to Microsoft servers and reinforcing Microsoft’s promise that all Recall data remains local.

Recall must be enabled manually by users and requires a second opt-in step during setup. The feature can also be paused from the system tray icon or uninstalled entirely through the Windows Features control panel. These changes reflect Microsoft’s effort to improve user control following significant backlash during Recall’s initial announcement.

Security Enhancements and Remaining Gaps

Microsoft has introduced several new protections with the release:

  • Encrypted Storage and Isolation: All screenshots and extracted data are now encrypted and isolated using Virtualization Based Security and the Trusted Platform Module. Data is stored outside the primary Windows environment to reduce the impact of malware infection.
  • Biometric Access and PIN Use: Enabling Recall requires facial or fingerprint authentication using Windows Hello. After setup, access is controlled using the same Windows Hello PIN used to unlock the device. Critics argue this fallback method could still expose data if a PIN is guessed or shared.
  • Application Filtering: Microsoft has added automatic filters to prevent screenshots of sensitive content such as credit card fields, banking sites, and password managers. However, researchers continue to find instances where sensitive information is captured, including encrypted messages and financial data. Visual indicators are present when Recall is running, but users must manually review captured data to confirm exclusions are working correctly.
  • Screenshot Management: Users can configure how long Recall stores data and can delete individual screenshots, data from specific applications, or entire time periods such as the past hour or day.

While these improvements represent a significant upgrade over Recall’s earlier iterations, privacy risks persist. Any active window can be silently recorded if Recall is enabled, potentially capturing sensitive conversations, passwords, or proprietary business data. Furthermore, anyone with physical access and the correct PIN may still access stored content.

AI Feature Expansion and Privacy Implications

Alongside Recall, Microsoft has publicly launched two additional Copilot+ AI tools:

  • Natural Language Windows Search: This enhancement allows users to search across apps, settings, and documents using conversational language.
  • Click to Do: A context-sensitive interface that enables quick actions like summarizing text, copying content, or erasing parts of images.

These features contribute to a growing reliance on embedded AI in the Windows ecosystem. As with Recall, these tools operate at the system level and interact closely with user data, increasing the attack surface and making centralized visibility and control more important than ever.

Mitigating Enterprise Risk:

As Recall and other AI-powered features roll out across enterprise devices, organizations must take proactive steps to mitigate privacy and data leakage risks. nGuard offers several services that can help:

  • Group Policy Configuration Review: Ensure that Recall and associated features are disabled organization-wide using Group Policy Objects (GPOs). nGuard’s configuration review services can verify that security policies are correctly implemented and enforced.
  • AI Risk Assessments: Evaluate the broader impact of adopting AI-powered features like Copilot in your environment. nGuard provides strategic guidance and technical assessments aligned with the NIST AI Risk Management Framework.
  • Security Awareness Training: Educate staff on the risks associated with Recall, AI, and similar tools.

Wrap

Microsoft has made Recall more secure than its original form, but not without compromise. Organizations must remain on top of their risk management practices, especially as AI features become more embedded in everyday operating systems. With the general availability of Recall, now is the time for enterprises to review internal policies, implement technical controls, and conduct regular assessments to ensure these features do not become a blind spot in their security strategy.

New Recall Updates and Changes – September 2024

September 11th, 2024

This article serves as the latest update to our ongoing coverage of Microsoft’s controversial Windows Recall feature. Since our previous discussions in June, significant developments have unfolded, particularly surrounding the security concerns and the broader implications of Recall’s reintroduction. Microsoft has made a series of changes in response to user feedback and security concerns, and in this article, we will explore the latest updates and how they fit into the wider Recall saga.

The Comeback of Windows Recall: October Rollout for Windows Insiders

After pausing the rollout of Windows Recall in June 2024, Microsoft has now confirmed that the feature will be returning in October. However, this return will be limited to Windows Insiders who are using Copilot+ PCs. These devices, equipped with powerful Neural Processing Units (NPUs), are the only ones capable of running Recall’s AI-powered screenshot functionality effectively.

Despite privacy concerns that led to Recall’s initial suspension, Microsoft is moving ahead with plans to test the feature among Insiders. The company hopes to leverage user feedback from this program before making Recall more widely available. Microsoft has made several key adjustments, including stronger encryption for the Recall database and requiring biometric authentication through Windows Hello. These security improvements aim to address the vulnerabilities that were previously identified, but questions remain about the long-term privacy risks of the feature.

Key Updates and Adjustments to Windows Recall

1. Security Enhancements: Encryption and Authentication

The most notable security update is the encryption of the SQLite database that Recall uses to store screenshots. This database will remain encrypted until a user authenticates through Windows Hello, adding a critical layer of security to protect the data collected by Recall. Moreover, the feature now requires biometric verification, ensuring that unauthorized users cannot access this sensitive information. These measures are welcomed, given the concerns raised by security researchers that the unencrypted database could be exploited by malware or other malicious actors.

These updates, while addressing some of the initial concerns, highlight the need for comprehensive security solutions for businesses and organizations that may adopt this feature. Companies can turn to services provided by nGuard for security assessments and managed SIEM, which can help ensure that sensitive data, such as that captured by Recall, is protected from exploitation.

2. Clarification on Uninstallation Options

Recently, confusion arose when users discovered an option to uninstall Recall in the Windows Features menu following the release of Windows 11’s 24H2 update (KB5041865). Microsoft has since clarified that this was a bug and that Recall cannot be fully uninstalled – only disabled. This has disappointed users hoping to remove the feature entirely due to its security risks. While Recall can be disabled, Microsoft’s decision not to allow full removal may lead to concerns in specific environments, particularly in corporate or governmental sectors, where stringent data privacy policies are in place.

The Return of Recall with More Screenshots Features

As Microsoft prepares to release Recall for testing within the Windows Insider community, more detailed information about the system requirements has emerged. To run Recall, a device must meet the following specifications:

  • Processor: Snapdragon X Plus or X Elite processors, System on a Chip (SoC), or another compatible processor.
  • RAM: At least 16GB DDR5/LPDDR5.
  • Storage: Minimum of 256GB SSD or UFS storage.

These hardware requirements ensure that Recall functions smoothly and securely, as it heavily relies on the computational power of NPUs to analyze and manage the continuous stream of screenshots.

Microsoft’s reintroduction of Recall also includes the Copilot Screenray feature, which offers real-time analysis of the user’s desktop, further expanding the functionality of Recall. For instance, this feature could translate text from an email in real-time or provide AI-powered insights on various tasks. However, this addition brings even greater concerns about privacy, as the continuous monitoring of user screens could expose confidential or sensitive information. Ensuring that this data is adequately protected will be critical.

The Evolving Privacy Debate and Microsoft’s Response

The return of Recall has not been without criticism, especially from privacy advocates who argue that the feature remains a potential vulnerability. By continuously taking and storing screenshots, Recall creates a log of user activity that could be exploited if a device is compromised.

Security researchers, including Michael Bargury, have highlighted how Microsoft’s Copilot AI system, which Recall is a part of, could be weaponized for cyberattacks through prompt injections and data exfiltration. These techniques could allow attackers to manipulate the system, extract sensitive data, and even alter key information such as financial details.

While Microsoft has worked to improve Recall’s security, organizations need to stay informed on updates, changes, and vulnerabilities discovered in Recall. The risks associated with AI-powered tools like Recall can be mitigated by regularly conducting security audits against something like the NIST AI RMF Playbook, and employing advanced logging and monitoring solutions to detect suspicious activities early.

Wrap: Balancing Innovation and Security

The Microsoft Recall saga outlines another example of the challenges involved in integrating innovative AI features with user privacy concerns. While Microsoft’s adjustments to Recall, including its enhanced encryption, are steps in the right direction, the privacy debate is not over, yet.

For those looking to bolster their security as AI features like Recall become more prevalent, regular security assessments, logging, and monitoring can help organizations stay ahead of emerging threats and ensure compliance with privacy regulations.

Update: Microsoft Recall Recalled

June 12th, 2024

This article provides an update to our original discussion on the Microsoft Recall feature, updating you on the significant developments since our last coverage on June 6th. The Recall feature has faced extensive criticism concerning privacy and security, leading Microsoft to make crucial adjustments. Here, we dive into the latest updates and recent changes Microsoft has implemented to alleviate these concerns.

Microsoft Recall Under Scrutiny
Microsoft announced significant changes to the Recall feature following widespread criticism. Originally set to be enabled by default, Recall will now be an opt-in feature for users. This change is part of Microsoft’s response to the heavy criticism regarding privacy and data security.

Key Updates to Microsoft Recall

1. Recall to Be Opt-In
Microsoft’s decision to make Recall an opt-in feature marks a significant shift. Users will now have to actively enable the feature, which Microsoft believes will enhance user trust and security.

2. Enhanced Security Measures
To address privacy concerns, Microsoft has introduced several security enhancements for Recall:

  • Biometric Authentication: Users will need to use Windows Hello biometric security to enable Recall.
  • Presence Detection: Recall will require user presence verification to view data.
  • Additional Encryption: Microsoft has implemented further encryption measures to protect stored data.

3. Recall Feature Pulled from Developer Channel
In response to ongoing criticism, Microsoft has temporarily pulled the latest Windows 11 24H2 preview build, the only version that included Recall, from the Windows Insider Program. This move aims to give the company time to refine the feature and address the concerns raised by users and privacy advocates.

Privacy Concerns and Microsoft’s Response
Recall was initially designed to capture periodic screenshots of user activity, stored and analyzed locally on the device. Despite these assurances, privacy experts raised alarms about the potential for misuse, especially if others gained physical access to the device. Microsoft has acknowledged these concerns and emphasized its commitment to user privacy and security.

Public and Expert Reactions
The initial release of Recall received backlash from security researchers, users, and the press. Critics highlighted the potential risks of storing detailed activity logs on devices, which could be exploited by attackers or advertisers. Microsoft’s decision to make Recall an opt-in feature and enhance its security protocols has been seen as a positive step, though skepticism remains.

Future of Recall and Windows 11 24H2
While the Recall feature will be included in the Copilot Plus PCs set to launch on June 18, its broader rollout remains uncertain. Microsoft has paused the release of the 24H2 update but plans to resume it soon, ensuring the feature is thoroughly tested and secure before a wider release.

The Importance of Regular Security Audits
As Microsoft works to improve Recall’s security, it’s crucial for users and organizations to regularly perform security audits of new technologies like Recall. Regular security audits can identify potential vulnerabilities and ensure compliance with industry standards. nGuard offers comprehensive security assessments that help businesses protect their data and systems effectively.

Proper Logging and Monitoring Practices
In addition to regular security audits, implementing proper logging and monitoring is essential for maintaining security. Proper logging helps in tracking user activities and identifying potential security incidents early. Services like nGuard’s Managed Event Collection provide comprehensive  solutions for logging and monitoring, ensuring continuous oversight and quick response to any suspicious activities.

Microsoft’s Commitment to AI Integration
Despite the controversy, Microsoft continues to push forward with its AI integration plans. The Recall feature is part of the larger Copilot Plus initiative, which includes AI-driven capabilities such as advanced photo editing and live transcription. Microsoft’s partnership with OpenAI and its focus on AI innovation remain central to its strategy, even as it navigates the challenges posed by new technologies.

The Microsoft Recall Saga highlights the complexities of integrating advanced AI features into widely used software. By making Recall an opt-in feature and implementing much needed security measures, Microsoft aims to balance innovation with user privacy and trust. As the situation evolves, nGuard will continue updating to see how Microsoft addresses the remaining concerns and rolls out its AI-powered features.

Microsoft’s Windows 11 Recall: Revolution or Privacy Nightmare?

June 6th, 2024

Overview
Microsoft’s latest Windows 11 feature, Recall, has generated substantial controversy in the tech community. This AI-driven tool aims to enhance user productivity by capturing screenshots of active windows every few seconds, allowing users to easily retrieve past information. However, this seemingly innovative feature has raised significant privacy and security concerns among users and experts alike.

Privacy advocates and security experts have voiced concerns over the potential for Recall to inadvertently capture sensitive information, such as passwords, confidential documents, and personal data. Critics argue that the constant screenshot capturing could lead to unintended data exposure and increased risk if a device is compromised. The debate has highlighted the need for stronger privacy controls and transparent data handling practices from Microsoft to address these widespread apprehensions.

Technical Methodologies
Recall operates by taking periodic screenshots of a user’s active window, storing this data on the device for up to three months. These snapshots are analyzed by an on-device Neural Processing Unit (NPU) and an AI model, indexing the data semantically. Users can search their Recall history through natural language queries, making it easy to locate specific information.

The data collected by Recall is encrypted with BitLocker and tied to the user’s Windows account. Microsoft emphasizes that the data remains local and private, not shared with Microsoft or other users on the same device.

Impact Assessment
While Microsoft asserts that Recall is designed with user privacy in mind, critics highlight several vulnerabilities:

  1. Data Exposure: Continuous screenshot capturing can inadvertently include sensitive information such as passwords, confidential documents, and personal photos. For example, if a user is working on a confidential business proposal, screenshots of this document could be captured and stored.  This data, stored locally, is accessible to anyone with device access.
  2. Security Risks: If a device is compromised by malware, the attacker could potentially access the entire Recall database, extracting sensitive information stored in these snapshots.
  3. User Trust: Historical data usage by large corporations has eroded user trust. Despite Microsoft’s assurances of local data storage and encryption, users remain skeptical, particularly in light of past incidents where tech companies have mishandled user data.

Strategic Responses
To mitigate these risks, users and organizations should consider the following strategies:

  1. Disable Recall: Users can manage Recall settings to limit its functionality or disable it entirely. Companies can use group policies to disable Recall across all devices. For detailed instructions, refer to Microsoft’s official Recall settings guide.
  2. Regular Audits: Conduct regular security audits to ensure no sensitive information is inadvertently captured and stored by Recall.
  3. User Training: Educate users on the potential risks of using Recall and best practices for managing their privacy settings.

Forward-Looking Strategies
Looking ahead, Microsoft and users can adopt several strategies to address these concerns:

  1. Enhanced Controls: Microsoft should provide more granular controls for users to manage what information Recall captures and stores.
  2. Transparency: Continuous transparency from Microsoft about how Recall data is handled, stored, and protected is crucial to building user trust.
  3. Integration with Security Solutions: Users should leverage advanced security solutions, such as those offered by nGuard, to monitor and protect data stored by Recall. nGuard’s security assessments and managed event collection services can add an extra layer of security, ensuring that sensitive data remains safe even if captured by Recall. These services help identify vulnerabilities and monitor for suspicious activities, providing comprehensive protection against potential breaches.

Conclusion
While Microsoft’s Recall feature in Windows 11 promises enhanced productivity, it brings significant privacy and security risks. Users and organizations must adopt strategic measures to safeguard their information, ensuring that this innovative tool does not become a gateway for data breaches.

This Week in Cybersecurity (TWiC): Exploit Surge – Palo Alto, Fortinet, SonicWall, and CISA

Cybersecurity headlines this week revealed several high-risk developments affecting VPN infrastructure, DNS systems, firewall appliances, and widely exploited CVEs. Attackers continue to blend opportunistic scanning with advanced persistence techniques, targeting both outdated software and overlooked configurations. Here’s what your team needs to know.

Palo Alto GlobalProtect VPNs Targeted in Ongoing Exploitation Campaigns
A critical command injection vulnerability (CVE-2024-3400) in Palo Alto’s PAN-OS is being actively exploited, with attackers leveraging the flaw to deploy reverse shells and establish persistent backdoors. The vulnerability—pre-authentication and requiring no user interaction—has been observed in targeted attacks by APTs and opportunistic threat actors alike. Despite an initial mitigation release, exploitation surged until the full patch became available in PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3.

Risks Identified:

  • Remote command execution via unauthenticated access
  • Lateral movement following initial access to GlobalProtect
  • Deployment of persistent payloads and shell access

Security Recommendations:

Fast Flux DNS Techniques Resurface in Botnet C2 Operations
CISA issued a new alert on the re-emergence of fast flux DNS techniques—a method of frequently rotating IP addresses tied to a domain—to evade detection and bolster botnet infrastructure. Attackers use this method to obscure command and control (C2) servers and malware delivery operations. The tactic enables high availability, redundancy, and extended attacker dwell time.

Risks Identified:

  • DNS obfuscation of malicious infrastructure
  • Delayed threat detection due to dynamic IP rotation
  • Misidentification of threat actors due to overlapping IP pools

Security Recommendations:

  • Network Traffic Analysis & Threat Intelligence Integration: Detect suspicious behaviors to low-reputation or frequently changing domains. By analyzing firewall, proxy, and EDR logs, a managed SIEM can spot devices attempting outbound communication with suspicious, frequently changing IPs or flagged domains. A SIEM can also correlate DNS and outbound traffic patterns to detect signs of beaconing to a botnet C2.
  • DNS Traffic Monitoring: Implement anomaly-based detection for fast-changing A and NS records.

Fortinet Zero-Day Leads to Persistent Implants in SSL-VPN Devices
Although CVE-2022-42475 was patched in late 2022, Fortinet confirmed new cases of attackers leveraging it to install stealthy rootkits in unpatched FortiOS devices well into 2025. These implants survive reboots and evade most endpoint detection tools, indicating a highly advanced level of persistence used by state-aligned threat actors.

Risks Identified:

  • Long-term undetected access to SSL-VPN appliances
  • Use of custom malware for command execution and data exfiltration
  • Re-infection following patching due to rootkit persistence

Security Recommendations:

Fortinet Zero-Days Enable Persistent Access Through Symlink Backdoors

Newly disclosed Fortinet vulnerabilities (including CVE-2024-26005) enable attackers to plant persistent backdoors using symlink abuse and improperly secured config file paths. Once exploited, attackers can bypass hardening settings and gain long-term access even after patches are applied. These zero-days have been seen in sophisticated intrusion campaigns targeting government and enterprise networks.

Risks Identified:

  • Implanting backdoors that survive reboots and firmware updates
  • Bypassing hardening configs through symlink manipulation
  • Access to firewall management planes and downstream devices

Security Recommendations:

CISA Expands KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) list with several critical vulnerabilities affecting Microsoft Exchange, Cisco IOS XE, and Ivanti systems. These CVEs are confirmed to be exploited in the wild and are being used by ransomware groups and initial access brokers to gain footholds in enterprise environments.

Risks Identified:

  • Rapid weaponization of newly disclosed or older unpatched vulnerabilities
  • Exploitation paths leading to lateral movement and data encryption
  • Incomplete patching due to shadow IT or configuration drift

Security Recommendations:

  • Remediation Prioritization: Focus first on CISA KEV-listed vulnerabilities to reduce exposure.
  • Managed Vulnerability Scanning: Identify outdated or unpatched software across your environment.
  • Configuration Audits: Validate hardened settings and proper segmentation on high-value assets.

From VPN appliances to DNS abuse and persistent firewall implants, this edition’s threats highlight how adversaries blend stealth, automation, and zero-day chaining to evade defenses. Organizations must stay ahead by combining continuous monitoring with proactive services like penetration testing and configuration auditing, while prioritizing remediations. It’s not just about patching—it’s about verifying and validating that your defenses actually work.

MAJOR Cloud Provider Breach

Background and Timeline

In today’s cloud-driven world, trust and transparency are fundamental pillars of cybersecurity. Organizations entrust cloud providers with critical infrastructure and sensitive data, expecting rigorous security controls and open communication when incidents occur. However, recent developments surrounding Oracle’s cloud environment tell a vastly different story.

March 21, 2025: A threat actor known as rose87168 claims to have breached Oracle services under the domain *.oraclecloud.com. The initial report emerges on Bleeping Computer, with Oracle immediately denying any alleged breach, stating that the leaked credentials were not associated with Oracle Cloud and that no customer data was compromised.

Late March 2025: Despite Oracle’s denial, the threat actor releases evidence, including an archive.org link that seemingly confirms unauthorized access to a system using Oracle Access Manager. The hacker also leaks a two-hour-long internal Oracle meeting recording, revealing discussions on internal password vaults and customer-facing systems.

March 28, 2025: Further investigation by cybersecurity researchers and media outlets confirms that Oracle customers’ data—including staff email addresses—has been leaked. Oracle maintains there was no breach, using nuanced language to shift attention toward ‘legacy’ systems instead of core infrastructure.

March 31, 2025: A lawsuit is filed against Oracle Health, accusing the company of attempting to conceal a separate breach and failing to notify affected customers. The suit highlights potential violations of data breach notification laws, underscoring concerns around cloud provider accountability and security transparency.

Early April 2025: The threat actor escalates by leaking additional configuration files and system details, further confirming the security lapse. Meanwhile, Oracle Health, a SaaS subsidiary of Oracle, experiences a separate breach compromising U.S. healthcare organizations and exposing patient data.

April 2-4, 2025: Oracle privately notifies select customers that attackers accessed old client credentials last used in 2017. However, contradicting this statement, leaked data samples include records from late 2024 and early 2025, proving recent exposure. Reports confirm that attackers exploited a 2020 Java vulnerability to gain access and deploy malware, leading to exfiltration of usernames, emails, and hashed passwords from Oracle Identity Manager (IDM) databases.

Implications

If the allegations about this breach hold true, they raise fundamental questions about Oracle’s security measures, incident response, and transparency with customers. While Oracle downplays the situation, attackers remain active, putting affected users at risk of fraud, regulatory consequences, and theft including intellectual property.

Recommended Mitigation

In light of incidents in the cloud, organizations must rethink their approach to protecting their overall infrastructure. Below are critical defenses every cloud-reliant business should implement—along with how nGuard delivers each in our specialized services:

  1. Cloud Security Posture Management (CSPM): Our Cloud Security Assessments include automated tools and expert analysis to identify compliance gaps, misconfigurations, and policy violations in real time.
  2. Strategic Gap Assessments: We evaluate your current cloud security strategy against Zero Trust frameworks and standards to help you close critical gaps to align with regulatory and operational benchmarks.
  3. Incident Response & Digital Forensics: When breaches do occur, nGuard experts deliver rapid containment, root cause analysis, and post-incident reporting to support recovery and regulatory response.
  4. Routine Penetration Testing & Vulnerability Scanning: nGuard’s thorough Penetration Testing and automated Vulnerability Scanning identify misconfigurations and exploitable weaknesses before attackers can act.
  5. Multi-Factor Authentication (MFA): Our team validates the proper use of MFA implementation across platforms to reduce the risk of account compromise—even when credentials are exposed.
  6. Continuous Security Monitoring & Threat Intelligence: Through our Managed Event Collection (MECC) service, nGuard offers real-time monitoring, alerting, and analysis of unusual or malicious activity within your cloud environment.

Conclusion

The Oracle breach serves as a warning that even industry giants are vulnerable to cyber threats. Safeguards and controls must be independently verified, continuously evaluated, and tailored to your unique risk profile.

Cloud security isn’t just a technical concern—it’s a business-critical priority. Harden your cloud infrastructure today with nGuard’s expert guidance and cutting-edge security solutions.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later