UDT
Company Details
Linkedin ID:
us-treasury
Website:
Employees number:
14,388
Number of followers:
152,116
NAICS:
92
Industry Type:
Homepage:
treasury.gov
IP Addresses:
0
Company ID:
U.S_1802045
Scan Status:
In-progress
U.S. Department of the Treasury Company CyberSecurity Posture
treasury.gov
The Treasury Department is the executive agency responsible for promoting economic prosperity and ensuring the financial security of the United States. The Department is responsible for a wide range of activities such as advising the President on economic and financial issues, encouraging sustainable economic growth, and fostering improved governance in financial institutions. The Department of the Treasury operates and maintains systems that are critical to the nation's financial infrastructure, such as the production of coin and currency, the disbursement of payments to the American public, revenue collection, and the borrowing of funds necessary to run the federal government. The Department works with other federal agencies, foreign governments, and international financial institutions to encourage global economic growth, raise standards of living, and to the extent possible, predict and prevent economic and financial crises. The Treasury Department also performs a critical and far-reaching role in enhancing national security by implementing economic sanctions against foreign threats to the U.S., identifying and targeting the financial support networks of national security threats, and improving the safeguards of our financial systems.
U.S. Department of the Treasury A.I CyberSecurity Scoring
UDT Risk Score (AI oriented)Between 0 and 549
UDT
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
UDT Global Score (TPRM)XXXX
UDT
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
UDT Company CyberSecurity News & History
Past Incidents
8
Attack Types
2
United States Treasury Department
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: An Advanced Persistent Threat group, suspected to be linked to the Chinese government, exploited vulnerabilities in BeyondTrust's software, resulting in a major breach of the Treasury Department. Authentication key theft allowed access to department computers with 'certain unclassified documents' compromised. The impact of this breach sees confidential governmental operations exposed, though classified as unclassified, could endanger financial stability or lead to further undisclosed consequences.
US Treasury
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The breach of the US Treasury by Chinese hackers, including 12 individuals indicted by the Department of Justice, resulted in significant data compromise. Over a three-month period, at least 400 PCs were infiltrated leading to the theft of more than 3,000 files. This attack highlights the risk posed by autonomous state-sponsored hacking groups who target and steal sensitive information from high-profile international entities, selling it to government clients for strategic advantages.
US Treasury Department
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: A breach in early December 2024 at the US Treasury Department involved remote access by hackers to Treasury computers, compromising certain unclassified documents. By exploiting vulnerabilities in remote support software from BeyondTrust, identified as CVE-2024-12356 and CVE-2024-12686, attackers stole an authentication key, enabling system access. Despite the breach being attributed to a Chinese state-sponsored APT actor, no ongoing access was found. The incident sparked collaborations with FBI, CISA, and intelligence agencies for a comprehensive evaluation.
US Treasury
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The US Treasury Department experienced a security breach where attackers exploited vulnerabilities in BeyondTrust's remote tech support software, leading to unauthorized access to Treasury computers and certain unclassified documents. Attackers stole an authentication key, compromising unclassified data. The incident was linked to a China state-sponsored APT actor. While the compromised service was taken offline, the breach was classified as a major cybersecurity incident, prompting collaboration with the FBI, CISA, and the intelligence community for investigation.
United States Treasury
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The United States Treasury suffered a 'major' breach when an Advanced Persistent Threat group, believed to be linked to the Chinese government, exploited flaws in BeyondTrust software. The attackers stole an authentication key, gaining access to department computers and managing to steal 'certain unclassified documents'. While classified as unclassified, the breach's full extent and subsequent risks, such as exposure to financial manipulations and international diplomatic consequences, are still under assessment.
U.S. Department of the Treasury
Cyber Attack
Rankiteo Explanation
Attack threatening the economy of a geographical region
Description: Companies suffered as a result of hacking attacks against US federal entities, affected departments included the US Department of Homeland Security, the Department of Commerce, and the Department of the Treasury. Early this year, Iranian government-sponsored hackers, including the FBI and CISA, gained access to a network of an unnamed US federal agency and used the Log4Shell vulnerability to install crypto miners and use stolen passwords. According to the advisory, "Cyber threat actors advanced to the domain controller (DC), compromised credentials, implanted Ngrok reverse proxies on multiple hosts to maintain persistence, and then exploited the Log4Shell vulnerability in an unpatched VMware Horizon server to install XMRig crypto mining software.
U.S. Treasury's Office of Foreign Assets Control (OFAC)
Cyber Attack
Rankiteo Explanation
Attack threatening the organization's existence
Description: The Chinese state-sponsored hacking group **Murky Panda (Silk Typhoon)** exploited trusted cloud relationships and zero-day vulnerabilities to breach the **U.S. Treasury’s Office of Foreign Assets Control (OFAC)**. By compromising a SaaS provider’s cloud environment, the attackers gained access to application registration secrets in **Entra ID (formerly Azure AD)**, allowing them to authenticate as a legitimate service and infiltrate downstream networks. This enabled them to **read sensitive emails, steal confidential government data, and maintain persistent access** through backdoor accounts with escalated privileges.The attack leveraged **supply chain vulnerabilities**, abusing delegated administrative privileges (DAP) granted to cloud providers, which allowed Murky Panda to move laterally across multiple tenants. Their use of **custom malware (CloudedHope RAT), web shells (Neo-reGeorg, China Chopper), and compromised SOHO devices as proxies** ensured stealthy, long-term access while evading detection. The breach posed a **severe risk to national security**, given OFAC’s role in enforcing economic sanctions and combating financial threats. The attackers’ **operational security (OPSEC) measures**, including log tampering and timestamp manipulation, further obscured forensic traces, amplifying the threat’s sophistication and impact.
US Treasury
Cyber Attack
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The US Treasury experienced a significant cyberespionage campaign resulting in the penetration of at least 400 of its PCs and the theft of over 3,000 files. Though hackers targeted sanctions and law-enforcement related information, they did not obtain access to emails or classified network segments, nor was long-term access malware identified. The scope of intrusion by Chinese state-sponsored hackers, including efforts by Salt Typhoon, suggests a focus on espionage without immediate financial or personal data leak but potential long-term strategic implications.
UDT Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for UDT
Incidents vs Government Administration Industry Average (This Year)
U.S. Department of the Treasury has 669.23% more incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
U.S. Department of the Treasury has 681.25% more incidents than the average of all companies with at least one recorded incident.
Incident Types UDT vs Government Administration Industry Avg (This Year)
U.S. Department of the Treasury reported 5 incidents this year: 2 cyber attacks, 0 ransomware, 0 vulnerabilities, 3 data breaches, compared to industry peers with at least 1 incident.
Incident History — UDT (X = Date, Y = Severity)
UDT cyber incidents detection timeline including parent company and subsidiaries
UDT Company Subsidiaries
The Treasury Department is the executive agency responsible for promoting economic prosperity and ensuring the financial security of the United States. The Department is responsible for a wide range of activities such as advising the President on economic and financial issues, encouraging sustainable economic growth, and fostering improved governance in financial institutions. The Department of the Treasury operates and maintains systems that are critical to the nation's financial infrastructure, such as the production of coin and currency, the disbursement of payments to the American public, revenue collection, and the borrowing of funds necessary to run the federal government. The Department works with other federal agencies, foreign governments, and international financial institutions to encourage global economic growth, raise standards of living, and to the extent possible, predict and prevent economic and financial crises. The Treasury Department also performs a critical and far-reaching role in enhancing national security by implementing economic sanctions against foreign threats to the U.S., identifying and targeting the financial support networks of national security threats, and improving the safeguards of our financial systems.
Loading...
UDT Similar Companies
Transportation Security Administration (TSA)
The Transportation Security Administration (TSA) is a component agency of the U.S. Department of Homeland Security (DHS), committed to securing the nation’s transportation systems to ensure safe and efficient travel for all. Our mission is to protect the American people by preventing threats and dis
FDA
The Food and Drug Administration is an agency within the Department of Health and Human Services. The FDA is responsible for protecting the public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices; and by ensuring the safet
Year after year, the Commonwealth of Massachusetts has continued to pioneer bold legislative actions and programs, some of which have been embraced on a national scale. We are always looking for talented individuals to help us maintain this momentum and improve the services that millions of people d
City of Cape Town
Cape Town, or the Mother City, is South Africa’s oldest city, its second-most populous and the legislative capital. It is made up of a diverse population, a rich history, world-famous tourist attractions and an exciting calendar of international and local events. More than 231 councillors and 26 22
Gobierno de la Provincia de San Luis
Gobierno de la Provincia de San Luis. Cuando se produjo la Revolución de Mayo de 1810, el cabildo de San Luis, fue el primero en adherir a la Primera Junta de Gobierno Porteña. Tres años más tarde, en noviembre de 1813, por decreto del gobierno de las Provincias Unidas del Río de la Plata, Mendoza,
U.S. Census Bureau
The Census Bureau serves as the nation’s leading provider of quality data about its people and economy. We have been headquartered in Suitland, Maryland since 1942, and currently employ about 4,285 staff members. We are part of the U.S. Department of Commerce and overseen by the Economics and Statis
Vlaamse overheid
Bij de Vlaamse overheid geef je elke dag opnieuw het beste van jezelf, in een job die een verschil maakt in de maatschappij. Pas afgestudeerd of al een aantal jaren professionele ervaring achter de rug? Op zoek naar een job als arbeider, bediende, leidinggevende, administratief medewerker, ingenie
U.S. Department of Veterans Affairs
Welcome to the United States Department of Veterans Affairs (VA) Official LinkedIn page. We're recruiting the finest employees to care for our #Veterans. Following/engagement ≠ signify VA endorsement. This is a moderated page, meaning that all comments will be reviewed for appropriate content. Ple
Centers for Disease Control and Prevention
CDC works 24/7 keeping America safe from health, safety and security threats, both foreign and domestic. Whether diseases start at home or abroad, are chronic or acute, curable or preventable, human error or deliberate attack, CDC fights it and supports communities and citizens to prevent it. CDC is
.png)
UDT CyberSecurity News
August 28, 2025 07:00 AM
U.S. Treasury Sanctions DPRK IT-Worker Scheme, Exposing $600K Crypto Transfers and $1M+ Profits
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals...
July 25, 2025 07:00 AM
Microsoft Used China-Based Support for Multiple U.S. Agencies, Potentially Exposing Sensitive Data
Microsoft says it will no longer use China-based engineers to support the Pentagon. But ProPublica found that the tech giant has relied on...
July 21, 2025 07:00 AM
AI, Cybersecurity, and Tech: What’s Inside the House’s FSGG Budget
Members of the House Appropriations Financial Services and General Government Subcommittee (FSGG) are funding several artificial...
July 01, 2025 07:00 AM
Watch Exclusive: Why the US Treasury Keeps Getting Hacked
A Bloomberg News investigation has found that in three major hacks the US Treasury didn't deploy cybersecurity measures that could have...
June 30, 2025 07:00 AM
A Trio of US Treasury Hacks Exposes a Pattern Making Banks Nervous
In three major hacks, Treasury didn't deploy cybersecurity measures that could have prevented the attacks or flagged the intruders sooner.
June 16, 2025 07:00 AM
Banking Groups Urge Treasury to Strengthen Cybersecurity
A coalition of banking trade groups has urged the US Treasury to overhaul how federal financial regulators manage sensitive data.
June 10, 2025 07:00 AM
Banks Challenge Treasury on Cybersecurity Failures
A coalition of powerful financial trade associations has issued a direct challenge to the US Treasury, demanding significant reforms to how regulators handle...
June 09, 2025 07:00 AM
Banking Groups Urge US Treasury to Improve Security After Email Hack
Financial-sector trade groups are urging the US Treasury Department to bolster its cybersecurity in response to hackers intercepting the sensitive emails of...
June 06, 2025 07:46 PM
What does the Cybersecurity and Infrastructure Security Agency (CISA) do?
The Cybersecurity and Infrastructure Security Agency (CISA) is a subdivision of the US Department of Homeland Security responsible for protecting the nation's...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
UDT CyberSecurity History Information
Official Website of U.S. Department of the Treasury
The official website of U.S. Department of the Treasury is https://home.treasury.gov/.
U.S. Department of the Treasury’s AI-Generated Cybersecurity Score
According to Rankiteo, U.S. Department of the Treasury’s AI-generated cybersecurity score is 482, reflecting their Critical security posture.
How many security badges does U.S. Department of the Treasury’ have ?
According to Rankiteo, U.S. Department of the Treasury currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does U.S. Department of the Treasury have SOC 2 Type 1 certification ?
According to Rankiteo, U.S. Department of the Treasury is not certified under SOC 2 Type 1.
Does U.S. Department of the Treasury have SOC 2 Type 2 certification ?
According to Rankiteo, U.S. Department of the Treasury does not hold a SOC 2 Type 2 certification.
Does U.S. Department of the Treasury comply with GDPR ?
According to Rankiteo, U.S. Department of the Treasury is not listed as GDPR compliant.
Does U.S. Department of the Treasury have PCI DSS certification ?
According to Rankiteo, U.S. Department of the Treasury does not currently maintain PCI DSS compliance.
Does U.S. Department of the Treasury comply with HIPAA ?
According to Rankiteo, U.S. Department of the Treasury is not compliant with HIPAA regulations.
Does U.S. Department of the Treasury have ISO 27001 certification ?
According to Rankiteo,U.S. Department of the Treasury is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of U.S. Department of the Treasury
U.S. Department of the Treasury operates primarily in the Government Administration industry.
Number of Employees at U.S. Department of the Treasury
U.S. Department of the Treasury employs approximately 14,388 people worldwide.
Subsidiaries Owned by U.S. Department of the Treasury
U.S. Department of the Treasury presently has no subsidiaries across any sectors.
U.S. Department of the Treasury’s LinkedIn Followers
U.S. Department of the Treasury’s official LinkedIn profile has approximately 152,116 followers.
NAICS Classification of U.S. Department of the Treasury
U.S. Department of the Treasury is classified under the NAICS code 92, which corresponds to Public Administration.
U.S. Department of the Treasury’s Presence on Crunchbase
No, U.S. Department of the Treasury does not have a profile on Crunchbase.
U.S. Department of the Treasury’s Presence on LinkedIn
Yes, U.S. Department of the Treasury maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/us-treasury.
Cybersecurity Incidents Involving U.S. Department of the Treasury
As of November 27, 2025, Rankiteo reports that U.S. Department of the Treasury has experienced 8 cybersecurity incidents.
Number of Peer and Competitor Companies
U.S. Department of the Treasury has an estimated 11,106 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at U.S. Department of the Treasury ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach and Cyber Attack.
How does U.S. Department of the Treasury detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with fbi, third party assistance with cisa, and third party assistance with fbi, third party assistance with cisa, third party assistance with intelligence agencies, and and third party assistance with fbi, third party assistance with cisa, third party assistance with intelligence community, and and containment measures with taking compromised service offline, and and third party assistance with crowdstrike (investigation/reporting), and enhanced monitoring with recommended: monitor entra id service principal sign-ins, enforce mfa for cloud accounts, patch cloud infrastructure..
Incident Details
Can you provide details on each incident ?
Title: Hacking Attacks Against US Federal Entities
Description: Companies suffered as a result of hacking attacks against US federal entities, affected departments included the US Department of Homeland Security, the Department of Commerce, and the Department of the Treasury. Early this year, Iranian government-sponsored hackers, including the FBI and CISA, gained access to a network of an unnamed US federal agency and used the Log4Shell vulnerability to install crypto miners and use stolen passwords. According to the advisory, 'Cyber threat actors advanced to the domain controller (DC), compromised credentials, implanted Ngrok reverse proxies on multiple hosts to maintain persistence, and then exploited the Log4Shell vulnerability in an unpatched VMware Horizon server to install XMRig crypto mining software.'
Type: Hacking
Attack Vector: Log4Shell vulnerabilityStolen passwordsNgrok reverse proxies
Vulnerability Exploited: Log4Shell vulnerability in an unpatched VMware Horizon server
Threat Actor: Iranian government-sponsored hackers
Motivation: Cryptocurrency mining
Title: US Treasury Department Breach
Description: A breach in early December 2024 at the US Treasury Department involved remote access by hackers to Treasury computers, compromising certain unclassified documents. By exploiting vulnerabilities in remote support software from BeyondTrust, identified as CVE-2024-12356 and CVE-2024-12686, attackers stole an authentication key, enabling system access. Despite the breach being attributed to a Chinese state-sponsored APT actor, no ongoing access was found. The incident sparked collaborations with FBI, CISA, and intelligence agencies for a comprehensive evaluation.
Date Detected: 2024-12-01
Type: Breach
Attack Vector: Remote Access
Vulnerability Exploited: CVE-2024-12356CVE-2024-12686
Threat Actor: Chinese state-sponsored APT actor
Motivation: Data Theft
Title: BeyondTrust Software Breach
Description: An Advanced Persistent Threat group, suspected to be linked to the Chinese government, exploited vulnerabilities in BeyondTrust's software, resulting in a major breach of the Treasury Department. Authentication key theft allowed access to department computers with 'certain unclassified documents' compromised. The impact of this breach sees confidential governmental operations exposed, though classified as unclassified, could endanger financial stability or lead to further undisclosed consequences.
Type: Data Breach
Attack Vector: Exploitation of software vulnerabilities
Vulnerability Exploited: BeyondTrust software
Threat Actor: Advanced Persistent Threat group linked to the Chinese government
Motivation: Potentially espionage
Title: US Treasury Department Security Breach
Description: The US Treasury Department experienced a security breach where attackers exploited vulnerabilities in BeyondTrust's remote tech support software, leading to unauthorized access to Treasury computers and certain unclassified documents. Attackers stole an authentication key, compromising unclassified data. The incident was linked to a China state-sponsored APT actor. While the compromised service was taken offline, the breach was classified as a major cybersecurity incident, prompting collaboration with the FBI, CISA, and the intelligence community for investigation.
Type: Data Breach
Attack Vector: Exploited vulnerabilities in BeyondTrust's remote tech support software
Vulnerability Exploited: BeyondTrust's remote tech support software
Threat Actor: China state-sponsored APT actor
Motivation: Data theft
Title: United States Treasury Breach
Description: The United States Treasury suffered a 'major' breach when an Advanced Persistent Threat group, believed to be linked to the Chinese government, exploited flaws in BeyondTrust software. The attackers stole an authentication key, gaining access to department computers and managing to steal 'certain unclassified documents'. While classified as unclassified, the breach's full extent and subsequent risks, such as exposure to financial manipulations and international diplomatic consequences, are still under assessment.
Type: Data Breach
Attack Vector: Exploited flaws in BeyondTrust software
Vulnerability Exploited: Authentication key theft
Threat Actor: Advanced Persistent Threat group linked to the Chinese government
Motivation: Data Theft
Title: US Treasury Cyberespionage Campaign
Description: The US Treasury experienced a significant cyberespionage campaign resulting in the penetration of at least 400 of its PCs and the theft of over 3,000 files. Though hackers targeted sanctions and law-enforcement related information, they did not obtain access to emails or classified network segments, nor was long-term access malware identified. The scope of intrusion by Chinese state-sponsored hackers, including efforts by Salt Typhoon, suggests a focus on espionage without immediate financial or personal data leak but potential long-term strategic implications.
Type: Cyberespionage
Attack Vector: Unspecified
Threat Actor: Chinese state-sponsored hackers
Motivation: Espionage
Title: Breach of US Treasury by Chinese Hackers
Description: The breach of the US Treasury by Chinese hackers, including 12 individuals indicted by the Department of Justice, resulted in significant data compromise. Over a three-month period, at least 400 PCs were infiltrated leading to the theft of more than 3,000 files. This attack highlights the risk posed by autonomous state-sponsored hacking groups who target and steal sensitive information from high-profile international entities, selling it to government clients for strategic advantages.
Type: Data Breach
Threat Actor: Chinese state-sponsored hacking groups
Motivation: EspionageStrategic Advantage
Title: Murky Panda (Silk Typhoon) Exploits Trusted Cloud Relationships for Cyberespionage
Description: A Chinese state-sponsored hacking group known as Murky Panda (Silk Typhoon) exploits trusted relationships in cloud environments to gain initial access to the networks and data of downstream customers. The group targets government, technology, academic, legal, and professional services organizations in North America, leveraging zero-day vulnerabilities, compromised cloud service providers, and custom malware to maintain stealthy access for espionage purposes.
Date Publicly Disclosed: 2024-03
Type: cyberespionage
Attack Vector: exploitation of trusted cloud relationships (SaaS providers, Microsoft CSPs)zero-day vulnerabilities (e.g., Citrix NetScaler CVE-2023-3519, Ivanti Pulse Connect CVE-2025-0282)ProxyLogon (Microsoft Exchange)compromised SOHO devices as proxiesweb shells (Neo-reGeorg, China Chopper)custom Linux RAT (CloudedHope)
Vulnerability Exploited: CVE-2023-3519 (Citrix NetScaler)ProxyLogon (Microsoft Exchange)CVE-2025-0282 (Ivanti Pulse Connect VPN)zero-day vulnerabilities in SaaS provider cloud environmentsEntra ID application registration secretsDelegated Administrative Privileges (DAP) in Microsoft cloud solutions
Threat Actor: Murky PandaSilk Typhoon (Microsoft)Hafnium
Motivation: cyberespionage (targeting government, technology, legal, and professional services for sensitive data)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Log4Shell vulnerability, Remote support software from BeyondTrust, BeyondTrust software, compromised cloud service providers (SaaS, Microsoft CSPs)zero-day vulnerabilities in cloud environmentsinternet-exposed devices (Citrix NetScaler, Ivanti VPN and Microsoft Exchange)compromised SOHO devices (as proxies).
Impact of the Incidents
What was the impact of each incident ?
Incident : Hacking USD13361222
Systems Affected: Domain controller (DC)Multiple hostsVMware Horizon server
Incident : Breach US-000010125
Data Compromised: Unclassified documents
Systems Affected: Treasury computers
Incident : Data Breach US-000010525
Data Compromised: Certain unclassified documents
Systems Affected: Treasury Department computers
Operational Impact: Confidential governmental operations exposed
Incident : Data Breach US-000010925
Data Compromised: Unclassified documents and authentication key
Systems Affected: Treasury Department computers
Incident : Data Breach US-000011025
Data Compromised: Unclassified documents
Systems Affected: Department computers
Incident : Cyberespionage US-000012325
Data Compromised: Sanctions and law-enforcement related information
Systems Affected: 400 PCs
Incident : Data Breach US-000030825
Data Compromised: More than 3,000 files
Systems Affected: At least 400 PCs
Incident : cyberespionage US-526082425
Data Compromised: Emails, Sensitive organizational data, Application data
Systems Affected: cloud environments (Microsoft Entra ID, SaaS providers)downstream customer networkscompromised SOHO devices (used as proxies)servers with deployed web shells (Neo-reGeorg, China Chopper)
Operational Impact: long-term stealthy access for data exfiltration, persistence via backdoor accounts
Brand Reputation Impact: high risk for targeted organizations (government, legal, professional services)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Unclassified documents, Unclassified documents, Unclassified documents and authentication key, Unclassified documents, Sanctions and law-enforcement related information, Sensitive information, Emails, Sensitive Organizational Data, Application Data and .
Which entities were affected by each incident ?
Incident : Hacking USD13361222
Entity Name: ['US Department of Homeland Security', 'Department of Commerce', 'Department of the Treasury']
Entity Type: Government
Industry: Government
Location: United States
Incident : Breach US-000010125
Entity Name: US Treasury Department
Entity Type: Government Agency
Industry: Public Administration
Location: United States
Incident : Data Breach US-000010525
Entity Name: Treasury Department
Entity Type: Government
Industry: Government
Incident : Data Breach US-000010925
Entity Name: US Treasury Department
Entity Type: Government Agency
Industry: Public Sector
Location: United States
Incident : Data Breach US-000011025
Entity Name: United States Treasury
Entity Type: Government Agency
Industry: Government
Location: United States
Incident : Cyberespionage US-000012325
Entity Name: US Treasury
Entity Type: Government Agency
Industry: Public Sector
Location: United States
Incident : Data Breach US-000030825
Entity Name: US Treasury
Entity Type: Government
Industry: Government
Location: United States
Incident : cyberespionage US-526082425
Entity Name: U.S. Treasury's Office of Foreign Assets Control (OFAC)
Entity Type: government agency
Industry: financial regulation
Location: United States
Incident : cyberespionage US-526082425
Entity Name: Committee on Foreign Investment in the United States (CFIUS)
Entity Type: government committee
Industry: national security
Location: United States
Incident : cyberespionage US-526082425
Entity Name: Unnamed SaaS provider (compromised via zero-day)
Entity Type: cloud service provider
Industry: technology
Customers Affected: downstream customers (number unspecified)
Incident : cyberespionage US-526082425
Entity Name: Unnamed Microsoft Cloud Solution Provider (CSP)
Entity Type: managed service provider
Industry: technology
Customers Affected: multiple tenants (Global Administrator access obtained)
Incident : cyberespionage US-526082425
Entity Name: Government, technology, academic, legal, and professional services organizations
Entity Type: government agencies, private sector
Industry: public sector, technology, education, legal, professional services
Location: primarily North America
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Hacking USD13361222
Third Party Assistance: Fbi, Cisa.
Incident : Breach US-000010125
Third Party Assistance: Fbi, Cisa, Intelligence Agencies.
Incident : Data Breach US-000010925
Third Party Assistance: Fbi, Cisa, Intelligence Community.
Containment Measures: Taking compromised service offline
Incident : Data Breach US-000030825
Incident : cyberespionage US-526082425
Third Party Assistance: Crowdstrike (Investigation/Reporting).
Enhanced Monitoring: recommended: monitor Entra ID service principal sign-ins, enforce MFA for cloud accounts, patch cloud infrastructure
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through FBI, CISA, , FBI, CISA, intelligence agencies, , FBI, CISA, Intelligence Community, , CrowdStrike (investigation/reporting), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Breach US-000010125
Type of Data Compromised: Unclassified documents
Sensitivity of Data: Low
Incident : Data Breach US-000010525
Type of Data Compromised: Unclassified documents
Sensitivity of Data: Confidential governmental operations
Incident : Data Breach US-000010925
Type of Data Compromised: Unclassified documents and authentication key
Sensitivity of Data: Unclassified
Incident : Data Breach US-000011025
Type of Data Compromised: Unclassified documents
Sensitivity of Data: Unclassified
Incident : Cyberespionage US-000012325
Type of Data Compromised: Sanctions and law-enforcement related information
Number of Records Exposed: 3,000 files
Sensitivity of Data: High
Data Exfiltration: Yes
Incident : Data Breach US-000030825
Type of Data Compromised: Sensitive information
Number of Records Exposed: More than 3,000 files
Sensitivity of Data: High
Incident : cyberespionage US-526082425
Type of Data Compromised: Emails, Sensitive organizational data, Application data
Sensitivity of Data: high (government, legal, and professional services data)
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by taking compromised service offline and .
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : cyberespionage US-526082425
Data Exfiltration: True
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : Data Breach US-000030825
Legal Actions: 12 individuals indicted by the Department of Justice,
How does the company ensure compliance with regulatory requirements ?
Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through 12 individuals indicted by the Department of Justice, .
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : cyberespionage US-526082425
Lessons Learned: Trusted cloud relationships (e.g., SaaS providers, CSPs with DAP) are high-value targets for APT groups., Zero-day exploits in cloud environments enable stealthy lateral movement to downstream customers., Monitoring for unusual Entra ID service principal activity is critical for detecting abuse of trusted relationships., Compromised SOHO devices can be repurposed as proxies to evade geographic-based detection., Custom malware (e.g., CloudedHope RAT) and open-source tools (e.g., Neo-reGeorg) are used for persistence.
What recommendations were made to prevent future incidents ?
Incident : cyberespionage US-526082425
Recommendations: Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.Monitor Entra ID logs for anomalous service principal sign-ins., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Segment cloud environments to limit lateral movement via trusted relationships., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Audit and rotate application registration secrets in Entra ID., Monitor for traffic originating from compromised SOHO devices.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Trusted cloud relationships (e.g., SaaS providers, CSPs with DAP) are high-value targets for APT groups.,Zero-day exploits in cloud environments enable stealthy lateral movement to downstream customers.,Monitoring for unusual Entra ID service principal activity is critical for detecting abuse of trusted relationships.,Compromised SOHO devices can be repurposed as proxies to evade geographic-based detection.,Custom malware (e.g., CloudedHope RAT) and open-source tools (e.g., Neo-reGeorg) are used for persistence.
References
Where can I find more information about each incident ?
Incident : cyberespionage US-526082425
Source: CrowdStrike Report on Murky Panda/Silk Typhoon
Date Accessed: 2024-03
Incident : cyberespionage US-526082425
Source: Microsoft Threat Intelligence (Silk Typhoon)
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: CrowdStrike Report on Murky Panda/Silk TyphoonDate Accessed: 2024-03, and Source: Microsoft Threat Intelligence (Silk Typhoon).
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Breach US-000010925
Investigation Status: Ongoing
Incident : cyberespionage US-526082425
Investigation Status: ongoing (per CrowdStrike and Microsoft reports)
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : cyberespionage US-526082425
Customer Advisories: Organizations relying on cloud/SaaS providers advised to review trust models and monitoring practices.
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Organizations Relying On Cloud/Saas Providers Advised To Review Trust Models And Monitoring Practices. and .
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Hacking USD13361222
Entry Point: Log4Shell vulnerability
Backdoors Established: Ngrok reverse proxies
High Value Targets: Domain Controller (Dc), Vmware Horizon Server,
Data Sold on Dark Web: Domain Controller (Dc), Vmware Horizon Server,
Incident : Breach US-000010125
Entry Point: Remote support software from BeyondTrust
Incident : Data Breach US-000011025
Entry Point: BeyondTrust software
Incident : Data Breach US-000030825
Reconnaissance Period: Three-month period
Incident : cyberespionage US-526082425
Entry Point: Compromised Cloud Service Providers (Saas, Microsoft Csps), Zero-Day Vulnerabilities In Cloud Environments, Internet-Exposed Devices (Citrix Netscaler, Ivanti Vpn, Microsoft Exchange), Compromised Soho Devices (As Proxies),
Backdoors Established: ['custom backdoor accounts in customer Entra ID environments', 'Neo-reGeorg/China Chopper web shells', 'CloudedHope RAT']
High Value Targets: Government Agencies (E.G., Ofac, Cfius), Technology And Legal Firms, Academic Institutions, Professional Services With Sensitive Data,
Data Sold on Dark Web: Government Agencies (E.G., Ofac, Cfius), Technology And Legal Firms, Academic Institutions, Professional Services With Sensitive Data,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Hacking USD13361222
Root Causes: Unpatched VMware Horizon server
Incident : Breach US-000010125
Root Causes: Vulnerabilities in remote support software
Incident : Data Breach US-000011025
Root Causes: Flaws in BeyondTrust software
Incident : cyberespionage US-526082425
Root Causes: Over-Reliance On Trusted Cloud Relationships Without Sufficient Monitoring., Lack Of Visibility Into Delegated Administrative Privileges (Dap) In Cloud Environments., Delayed Patching Of Zero-Day Vulnerabilities In Cloud-Facing Infrastructure., Insufficient Detection For Web Shells And Custom Malware In Compromised Systems.,
Corrective Actions: Implement Stricter Access Controls For Cloud Provider Accounts (E.G., Least Privilege, Mfa)., Enhance Logging And Monitoring For Entra Id And Other Identity Providers., Conduct Regular Audits Of Third-Party Cloud Provider Access And Permissions., Deploy Advanced Threat Detection For Post-Exploitation Tools (E.G., Rats, Web Shells)., Isolate Soho Devices From Corporate Networks To Prevent Proxy Abuse.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Fbi, Cisa, , Fbi, Cisa, Intelligence Agencies, , Fbi, Cisa, Intelligence Community, , Crowdstrike (Investigation/Reporting), , Recommended: Monitor Entra Id Service Principal Sign-Ins, Enforce Mfa For Cloud Accounts, Patch Cloud Infrastructure, .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Implement Stricter Access Controls For Cloud Provider Accounts (E.G., Least Privilege, Mfa)., Enhance Logging And Monitoring For Entra Id And Other Identity Providers., Conduct Regular Audits Of Third-Party Cloud Provider Access And Permissions., Deploy Advanced Threat Detection For Post-Exploitation Tools (E.G., Rats, Web Shells)., Isolate Soho Devices From Corporate Networks To Prevent Proxy Abuse., .
Additional Questions
General Information
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident were an Iranian government-sponsored hackers, Chinese state-sponsored APT actor, Advanced Persistent Threat group linked to the Chinese government, China state-sponsored APT actor, Advanced Persistent Threat group linked to the Chinese government, Chinese state-sponsored hackers, Chinese state-sponsored hacking groups and Murky PandaSilk Typhoon (Microsoft)Hafnium.
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2024-12-01.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-03.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Unclassified documents, Certain unclassified documents, Unclassified documents and authentication key, Unclassified documents, Sanctions and law-enforcement related information, More than 3,000 files, emails, sensitive organizational data, application data and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident were Domain controller (DC)Multiple hostsVMware Horizon server and and and and and and and cloud environments (Microsoft Entra ID, SaaS providers)downstream customer networkscompromised SOHO devices (used as proxies)servers with deployed web shells (Neo-reGeorg, China Chopper).
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was fbi, cisa, , fbi, cisa, intelligence agencies, , fbi, cisa, intelligence community, , crowdstrike (investigation/reporting), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident was Taking compromised service offline.
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were application data, sensitive organizational data, Unclassified documents and authentication key, Unclassified documents, emails, More than 3,000 files, Sanctions and law-enforcement related information and Certain unclassified documents.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 6.0K.
Regulatory Compliance
What was the most significant legal action taken for a regulatory violation ?
Most Significant Legal Action: The most significant legal action taken for a regulatory violation was 12 individuals indicted by the Department of Justice, .
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Custom malware (e.g., CloudedHope RAT) and open-source tools (e.g., Neo-reGeorg) are used for persistence.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities., Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware., Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges., Audit and rotate application registration secrets in Entra ID., Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships., Monitor Entra ID logs for anomalous service principal sign-ins., Segment cloud environments to limit lateral movement via trusted relationships. and Monitor for traffic originating from compromised SOHO devices..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Microsoft Threat Intelligence (Silk Typhoon) and CrowdStrike Report on Murky Panda/Silk Typhoon.
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.
Stakeholder and Customer Advisories
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued was an Organizations relying on cloud/SaaS providers advised to review trust models and monitoring practices.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an Log4Shell vulnerability, BeyondTrust software and Remote support software from BeyondTrust.
What was the most recent reconnaissance period for an incident ?
Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Three-month period.
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Unpatched VMware Horizon server, Vulnerabilities in remote support software, Flaws in BeyondTrust software, Over-reliance on trusted cloud relationships without sufficient monitoring.Lack of visibility into delegated administrative privileges (DAP) in cloud environments.Delayed patching of zero-day vulnerabilities in cloud-facing infrastructure.Insufficient detection for web shells and custom malware in compromised systems..
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Implement stricter access controls for cloud provider accounts (e.g., least privilege, MFA).Enhance logging and monitoring for Entra ID and other identity providers.Conduct regular audits of third-party cloud provider access and permissions.Deploy advanced threat detection for post-exploitation tools (e.g., RATs, web shells).Isolate SOHO devices from corporate networks to prevent proxy abuse..
.png)
Latest Global CVEs (Not Company-Specific)
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
- https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
- https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc
- https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e
- https://github.com/angular/angular/releases/tag/19.2.16
- https://github.com/angular/angular/releases/tag/20.3.14
- https://github.com/angular/angular/releases/tag/21.0.1
- https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37
Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.
Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=us-treasury' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
