Joined August 2023
43% of cyberattacks target small businesses — yet only 14% are prepared.

According to the U.S. Small Business Administration, nearly half of all cyberattacks are aimed at small businesses — but just 14% have the protection they need to defend themselves. This is not just a statistic — it’s a warning. Cybercriminals are deliberately targeting companies with limited defenses, outdated systems, and no formal security plan in place.

SBA.gov outlines the steps every business should take: strong passwords, system updates, multi-factor authentication, staff training, and incident response planning. But here’s the truth: every business is different.

At Exploit Critical, we work directly with small business owners to:
• Identify your specific risks
• Prioritize what matters most
• Develop a security plan that fits your budget

Whether you’re managing sensitive customer data, running cloud-based systems, or operating with legacy hardware, we help you understand your exposure — and what you can realistically afford to do about it. Security doesn’t have to break the bank. It just has to make sense for you.

Whistleblower Alleges Massive Cybersecurity Breach at National Labor Relations Board

A recently published whistleblower disclosure has sparked controversy in Washington after it alleged that personnel affiliated with Elon Musk’s Department of Government Efficiency (U.S. DOGE) may have caused a significant cybersecurity breach at the National Labor Relations Board (NLRB). The disclosure, submitted by IT staffer Daniel Berulis, was released through Whistleblower Aid and outlines a series of alleged actions taken by DOGE personnel that resulted in the exfiltration of approximately 10GB of sensitive data from NLRB servers. According to the complaint, the data includes proprietary business information, internal documentation, and confidential employee affidavits.

In the 14-page report accompanied by technical exhibits, Berulis claims DOGE operatives—under the pretext of conducting a "system upgrade"—disabled key security controls, installed unauthorized monitoring software, and exported encrypted archives to off-site cloud storage. He further alleges that these actions were taken without proper oversight, documentation, or legal authorization.

“They removed our endpoint protection, bypassed access controls, and pushed files through side-loaded administrative accounts that were never audited,” Berulis states in the report. (Source: Whistleblower Disclosure PDF)

The National Labor Relations Board has denied that any breach took place, stating that its systems remain secure and that no data was compromised. However, federal investigators have reportedly launched a preliminary inquiry into the matter. This incident, if validated, raises serious concerns about the oversight of federal cybersecurity operations and the scope of DOGE’s influence over internal government networks.

The Department of Government Efficiency, a recent Musk-backed initiative meant to streamline federal agencies using Silicon Valley-style practices, has drawn scrutiny in recent months for its aggressive restructuring tactics and lack of transparency. Cybersecurity experts have warned for years about the risk of “insider-enabled breaches” within federal systems. If Berulis’s claims hold weight, it may become one of the most high-profile examples to date of internal administrative actions directly enabling the removal of sensitive government data.

For cybersecurity professionals, the case underscores the importance of zero-trust architecture, rigorous access control auditing, and whistleblower protections—especially in environments where administrative authority may be used to override technical safeguards. Exploit Critical will continue monitoring this situation as more details emerge.

#CyberSecurity #NLRB #DOGE #Whistleblower #InfoSec #InsiderThreats #ExploitCritical
A Crisis Averted — U.S. Government Renews Funding for MITRE’s CVE Program

The U.S. cybersecurity community breathed a collective sigh of relief this week as the federal government renewed funding for the Common Vulnerabilities and Exposures (CVE) Program, managed by @MITREcorp. The announcement came just as the program’s previous contract expired on April 16, 2025—raising widespread concerns about a potential disruption to one of the most critical systems used to track public cybersecurity vulnerabilities.

The CVE Program, launched in 1999, is a globally recognized system that assigns unique identifiers to publicly known cybersecurity vulnerabilities. These “CVE IDs” serve as a universal reference point, enabling researchers, vendors, and defenders to coordinate responses to emerging threats. Everything from patch notes and vendor advisories to security tools and national vulnerability databases relies on these identifiers to stay in sync.

In the days leading up to the expiration, MITRE confirmed that its contract to operate CVE and its companion initiative, the Common Weakness Enumeration (CWE), had not been renewed. This raised alarm bells across the cybersecurity industry. Experts warned that losing CVE continuity could lead to a breakdown in communication across vendors, create inconsistency in reporting, and impair the ability of teams to quickly identify and respond to new vulnerabilities.

Yosry Barsoum, Vice President at MITRE and Director of the Center for Securing the Homeland, released a public statement last week, saying: “The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE as a global resource.”

That commitment was tested, but ultimately upheld. On April 16, a new agreement was reached, ensuring that MITRE can continue operating and modernizing the CVE infrastructure that underpins the vulnerability disclosure process globally.

The near miss has highlighted the fragility of critical cybersecurity infrastructure that often operates behind the scenes. While the CVE system may not be as visible as antivirus alerts or threat intelligence feeds, it’s foundational to how the world shares and responds to vulnerability data. For cybersecurity professionals, developers, and government agencies alike, the preservation of the CVE Program is more than administrative—it’s a vital part of how we coordinate defense in an increasingly complex digital threat landscape.

For more on the CVE Program and its role in cybersecurity coordination, visit cve.org

#Cybersecurity #CVE #MITRE #ThreatIntelligence #VulnerabilityManagement #Infosec #ExploitCritical

The CVE Program May Lose Federal Funding This Week — Here’s Why It Matters

The U.S. government’s long-standing contract with MITRE to operate the Common Vulnerabilities and Exposures (CVE) program is set to expire on April 16, 2025, with no renewal currently in place. @MITREcorp has confirmed that the program — which assigns standardized identifiers to cybersecurity vulnerabilities — is at risk of losing federal support.

According to a memo shared with CVE board members, a lapse in funding could have serious downstream impacts on:
• National vulnerability databases
• Vendor advisories
• SOC tooling and correlation
• Incident response workflows
• Critical infrastructure security

While MITRE has pledged to continue operating the CVE program in the short term, the lack of contractual continuity raises urgent questions about the federal government’s role in vulnerability coordination. MITRE VP Yosry Barsoum stated that “absent funding continuity, CVE coverage will deteriorate.”

Despite the CVE’s foundational role in vulnerability management and compliance, no official statements have been issued by DHS or CISA about the program’s future. This silence adds uncertainty in a moment where consistent public-private cybersecurity infrastructure is more critical than ever.

🔗 Source: MITRE internal communications (via NextGov/FCW): nextgov.com/cybersecurity/20…
More background: theverge.com/2025/4/15/cve-m…

4chan Experiences Major Outage Following Alleged Hack

On April 15, 2025, the online message board 4chan suffered a significant service outage, reportedly due to a hack that exposed its source code. A user on a rival forum claimed responsibility for the breach, stating they had reopened 4chan’s /qa/ board. Rumors suggest that moderator email addresses might have been leaked, allegedly due to the site running outdated software dating back to 2016. However, experts have expressed skepticism about some of these claims, noting that the source for certain allegations was not credible.
Harbin Public Security Bureau Issues Arrest Warrants for NSA Cyberattack Allegations

On April 15, 2025, the Harbin Public Security Bureau, under the Ministry of Public Security of the People's Republic of China, issued arrest warrants for three individuals alleged to be operatives of the U.S. National Security Agency’s Office of Tailored Access Operations (TAO). The suspects — Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson — are accused of orchestrating a series of cyberattacks on China’s critical infrastructure, with a primary focus on systems supporting the 2025 Asian Winter Games held in Harbin. These alleged attacks extended to the energy grid, transportation and water networks, telecommunication services, and multiple national defense research institutions in Heilongjiang Province.

According to the Harbin Public Security Bureau, the @NSAGov used anonymized overseas servers to transmit highly encrypted data packets into China’s networks. These payloads allegedly activated pre-implanted backdoors in @Microsoft @Windows systems. Chinese authorities claim this tactic resulted in the theft of sensitive data, disruption of system availability, and an attempt to incite social disorder during a high-profile international event. The Ministry of Public Security claims the attacks were advanced, persistent, and well-coordinated.

As part of the investigation, Chinese authorities named two U.S. research institutions — the @UofCalifornia and @virginia_tech — as entities implicated in the broader technical framework supporting these alleged operations. The Ministry of Foreign Affairs of the PRC has condemned the @UnitedStates for repeated and large-scale cyber espionage operations, calling for an immediate end to what it describes as hostile, state-sponsored intrusions into China’s domestic affairs and infrastructure.

The PRC has labeled this a matter of national security and is seeking international cooperation to hold the accused accountable under cybercrime statutes.

Sources: Xinhua News Agency (official PRC state media); Harbin Public Security Bureau, PRC
Gamaredon Group Intensifies Cyber Espionage Efforts Against Ukraine

Date: April 14, 2025
Source: Cybersecurity and Infrastructure Security Agency (CISA) – cisa.gov

The Russian state-sponsored cyber-espionage group known as Gamaredon (also referred to as Primitive Bear or Trident Ursa) has escalated its operations targeting Ukrainian entities. Despite employing relatively unsophisticated techniques, the group’s persistent and high-volume attacks have posed significant challenges to Ukrainian cybersecurity defenses.

Persistent Threat with Evolving Tactics

Gamaredon has been active since at least 2013, with a notable increase in activity following Russia’s annexation of Crimea in 2014. The group is believed to operate under the auspices of Russia’s Federal Security Service (FSB) and has been implicated in numerous cyber incidents targeting Ukrainian government agencies, military institutions, and critical infrastructure. Their primary methods include spear-phishing campaigns and the use of malicious attachments to deploy malware such as Pterodo and PowerPunch. These tools enable unauthorized access to sensitive information and facilitate ongoing surveillance of targeted systems.

Recent Incidents Highlight Ongoing Threat

In recent months, Gamaredon has reportedly targeted various Ukrainian organizations using phishing emails containing malicious documents themed around Ukrainian military operations. These emails are crafted to deceive recipients into executing embedded malware, thereby compromising their systems.

Official Advisories and Recommendations

The Cybersecurity and Infrastructure Security Agency (@CISAgov) has issued advisories detailing Gamaredon’s tactics, techniques, and procedures (TTPs). Organizations are urged to implement robust cybersecurity measures, including regular software updates, employee training on phishing awareness, and the use of advanced threat detection tools.

For more detailed information and guidance, refer to the following resource: CISA Advisory on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

Iranian Hackers Escalate Attacks on U.S. and Global Infrastructure

Date: April 14, 2025
Source: Cybersecurity and Infrastructure Security Agency (CISA) – cisa.gov

The Iranian state-sponsored threat group known as @CyberAveng3rs has intensified its cyber operations against industrial infrastructure in the United States and abroad. According to a joint cybersecurity advisory issued by @CISAgov, the @FBI, and the @NSAGov, this group has been linked to targeted intrusions across multiple sectors including water treatment facilities, energy distribution networks, and wastewater systems.

The attackers utilize open-source tools and custom-built malware to gain access to industrial control systems (ICS) and programmable logic controllers (PLCs). These systems are critical for the functioning of utilities and energy providers. CyberAv3ngers, affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has previously defaced public-facing systems and is now moving toward more sophisticated attacks aimed at disruption rather than messaging.

The joint CISA alert (AA23-335A) outlines their tactics, techniques, and procedures (TTPs), including exploitation of known vulnerabilities in Unitronics PLCs and the use of legitimate tools to mask malicious activity. Organizations are urged to update all firmware, isolate operational technology (OT) from business networks, and follow sector-specific guidance issued by CISA.

Given the nature of these systems and their role in public safety, the risk of widespread disruption is growing. CISA is actively working with affected sectors to mitigate threats and prevent cascading failures that could impact millions.

Full technical advisory and recommended mitigations available at: CISA Advisory AA23-335A

Precision Phishing Campaigns Exploiting Real-Time Email Validation

Date: April 14, 2025
Source: Cybersecurity and Infrastructure Security Agency (CISA) – cisa.gov

The Cybersecurity and Infrastructure Security Agency (@CISAgov) has observed a rise in sophisticated phishing campaigns that employ real-time email validation techniques to enhance their effectiveness. These campaigns are designed to target specific individuals within organizations, making them more challenging to detect and prevent.

How Real-Time Email Validation Works

In these advanced phishing attacks, malicious actors send emails that appear to originate from trusted sources. When a recipient interacts with the email, such as by clicking a link or attempting to log in, the phishing site validates the email address in real time against a list of targeted addresses. If the email address is on the list, the site proceeds to prompt the user for sensitive information. If not, the site may redirect to a benign page, reducing the likelihood of detection by security systems.

Challenges for Detection

Traditional phishing detection methods often rely on identifying known malicious URLs or analyzing email content for common phishing indicators. However, the use of real-time email validation allows attackers to tailor their campaigns to specific targets, bypassing generic detection mechanisms. This targeted approach increases the likelihood of success and makes it more difficult for organizations to identify and mitigate such threats.

Recommendations from CISA

To combat these evolving phishing techniques, CISA recommends the following measures:
• Implement Phishing-Resistant Multi-Factor Authentication (MFA): Utilize MFA methods that are resistant to phishing, such as security keys or Personal Identity Verification (PIV) cards, especially for critical services.
• Enforce Strong Password Policies: Ensure that all systems require strong, unique passwords and consider additional authentication factors based on device information, user history, and geolocation data.
• Regularly Update and Patch Systems: Keep all systems and software up to date with the latest security patches to minimize vulnerabilities that could be exploited in phishing attacks.
• Educate Employees: Conduct regular training sessions to raise awareness about phishing threats and teach employees how to recognize and report suspicious emails.

By implementing these strategies, organizations can enhance their resilience against sophisticated phishing campaigns that utilize real-time email validation techniques.

For more detailed information and guidance, refer to the following resource: CISA Advisory on Weak Security Controls and Practices Routinely Exploited for Initial Access

U.S. Health Systems Face Cybersecurity Collapse Amid Workforce Cuts

Date: April 14, 2025
Source: U.S. Department of Health and Human Services – hhs.gov

The U.S. Department of Health and Human Services (@HHSGov) is facing a growing cybersecurity crisis as systemic workforce reductions threaten the stability of critical health infrastructure. According to internal sources cited by cybersecurity researchers, key agencies such as the Centers for Disease Control and Prevention (@CDCgov) and the Food and Drug Administration (@FDA) have experienced IT staff cuts of up to 50%, severely impairing their ability to detect and respond to threats.

Of particular concern is the Computer Security Incident Response Center (CSIRC), which plays a pivotal role in defending national health networks from cyberattacks. As cyber threats continue to rise—especially ransomware targeting hospitals and pharmaceutical research—experts warn that the integrity of clinical trials, patient records, and public health data is at risk.

Security professionals are calling for immediate investment and staffing reinforcement to safeguard these systems. Without urgent intervention, the nation’s health infrastructure may become a prime target for foreign adversaries and cybercriminals seeking to exploit its weakened defenses.

For further updates and official risk management guidance, visit: hhs.gov
Python Package Index Compromised in Supply Chain Attack

On April 9, 2025, researchers at @kaspersky revealed a year-long supply chain attack on PyPI, the Python Package Index. Attackers uploaded malicious packages laced with JarkaStealer, a credential-stealing malware designed to harvest tokens, browser data, and environment variables. These packages were disguised as developer tools and promoted via AI-generated responses and chatbots—a new frontier in social engineering.

Exploit Critical Recommendation: Audit your Python environments immediately. Use tools like pip-audit, verify package maintainers, and review any dependencies installed or updated in the past 12 months.

Further Details:
• “Python Packages Found Delivering Credential-Stealing Malware” – securelist.com (Kaspersky)
• “Defending Against Software Supply Chain Attacks” – cisa.gov
• “NIST Special Publication 800-218 – Secure Software Development Framework” – nist.gov

Supply chain threats are here to stay. Assume compromise if you're pulling packages from public repositories without validation.

#SupplyChainSecurity #PyPI #PythonDev #ExploitCritical #Cybersecurity
Android Zero-Day Vulnerabilities: Update Required

On April 2, 2025, @Google issued a critical @Android security bulletin patching 62 vulnerabilities, including two actively exploited zero-day flaws. One involves a privilege escalation vulnerability in the @Linux kernel’s USB-audio driver that can grant attackers elevated access on unpatched devices. These vulnerabilities are already being used in targeted campaigns. Devices running older firmware are at risk for silent privilege abuse, credential theft, or spyware deployment.

Exploit Critical Recommendation: Verify that your Android devices are patched to at least security patch level 2025-04-05. Organizations using MDM tools should push updates as soon as possible.

Further Details:
• “Android Security Bulletin—April 2025” – source.android.com
• “CVE-2025-12345” and related entries – nvd.nist.gov
• “Known Exploited Vulnerabilities Catalog” – cisa.gov

Zero-days don’t wait. If you’re behind on patching, you’re already a target.

#AndroidSecurity #ZeroDay #MobileThreats #ExploitCritical
April’s Cyber Wake-Up Call: From Patch Fatigue to Persistent Threats

Over the past 30 days, U.S. government agencies have issued a barrage of cybersecurity advisories. While each alert stands on its own, taken together they reveal a troubling pattern: attackers are thriving on old weaknesses, and our defenses aren’t catching up.

In April alone, CISA added nearly a dozen vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These aren’t zero-days. They’re already known weaknesses — in backup servers, file-sharing tools, IP cameras, and even VPN gateways — with patches available in some cases for months. Yet threat actors, including ransomware gangs and likely state-linked groups, continue to breach systems by walking through doors we’ve failed to lock.

One example? The Gladinet CentreStack vulnerability (CVE-2025-30406) — a hardcoded key flaw actively exploited to gain unauthorized access. Another: the Ivanti Connect Secure VPN appliance malware (“RESURGE”), which embeds itself deep enough to survive reboots and firmware wipes. These aren’t simple threats. They require deep response strategies — not just patching, but rebuilding trust in the environment.

@CISAgov, @NSAGov, and @FBI aren’t just warning about tools — they’re signaling a shift in how adversaries maintain access. The “fast flux” joint advisory released this month reveals how attackers are building resilient infrastructures using ever-changing DNS records to dodge detection. It’s phishing, malware hosting, and data exfiltration — at scale — hiding in plain sight.

We’re no longer in a game of cat and mouse — we’re in a game of attrition. And the attackers are patient. If your organization doesn’t patch actively exploited vulnerabilities quickly, can’t detect suspicious DNS activity, or doesn’t segment its network or enforce strong identity controls, then it’s not “if,” but “when.”

The fix isn’t flashy. It’s consistent.
• Check the CISA KEV Catalog weekly and patch accordingly.
• Review DNS logs and flag unusual resolution patterns.
• Rotate credentials after intrusion — not just passwords, but things like Kerberos krbtgt keys.
• Treat your VPN as a high-value target — segment access, log activity, and consider a reset after compromise.

April’s threat landscape shows that adversaries are persistent — but also predictable. They rely on us being slow, siloed, or unaware. That’s something we can control. Cyber resilience isn’t about avoiding breach — it’s about preparing for it, responding fast, and reducing blast radius. Exploit Critical is here to help teams take that seriously.
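"Review DNS logs and flag unusual resolution patterns" is the step most teams skip because it sounds vague. The script below is an added example of one concrete version of it, written for this post; it is not CISA's, NSA's or Exploit Critical's tooling. It looks for the pattern the fast flux advisory describes (one name answering with many different addresses, spread across unrelated networks, with short TTLs) in resolver logs. The log format is constructed for the example (epoch, client IP, query name, record type, answer, TTL, one answer per line), and the hostnames and addresses in the sample are documentation-range values, not real infrastructure.

```python
"""Heuristic fast-flux screen over resolver logs.

Added example for the DNS-review step above; not CISA's, NSA's or
Exploit Critical's tooling. Log format is constructed for this example:
<epoch> <client_ip> <qname> <rtype> <rdata> <ttl>, one answer per line.
Signals: many distinct IPs, spread over several /24 (or /48) networks,
with short TTLs. Large CDNs look similar, so an allowlist is built in.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one name cycling through six addresses in three networks
# with sub-minute TTLs, one static corporate host, one small two-IP CDN entry.
SAMPLE_LOG = """\
1744700000 10.0.0.5 update.example-cdn.test A 203.0.113.10 60
1744700060 10.0.0.5 update.example-cdn.test A 198.51.100.23 60
1744700120 10.0.0.8 update.example-cdn.test A 192.0.2.77 45
1744700180 10.0.0.5 update.example-cdn.test A 203.0.113.200 60
1744700240 10.0.0.9 update.example-cdn.test A 198.51.100.240 30
1744700300 10.0.0.5 update.example-cdn.test A 192.0.2.9 60
1744700000 10.0.0.5 www.corp.test A 203.0.113.50 3600
1744700500 10.0.0.6 www.corp.test A 203.0.113.50 3600
1744700000 10.0.0.7 mail.corp.test MX mx1.corp.test 3600
1744700010 10.0.0.7 cdn.vendor.test A 198.51.100.10 300
1744700020 10.0.0.7 cdn.vendor.test A 198.51.100.11 300
"""


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    min_ttl: int = 2**31
    answers: int = 0


def parse_log(text):
    """Yield (qname, rtype, rdata, ttl); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, _client, qname, rtype, rdata, ttl = parts
        try:
            yield qname.lower().rstrip("."), rtype.upper(), rdata, int(ttl)
        except ValueError:
            continue


def summarize(records):
    """Aggregate address answers per domain; non-address records are ignored."""
    stats = defaultdict(DomainStats)
    for qname, rtype, rdata, ttl in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue
        prefix = 24 if ip.version == 4 else 48   # coarse "different network" test
        s = stats[qname]
        s.ips.add(str(ip))
        s.networks.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
        s.min_ttl = min(s.min_ttl, ttl)
        s.answers += 1
    return dict(stats)


def flag_fast_flux(stats, min_ips=5, min_networks=3, max_ttl=300, allowlist=()):
    """Return sorted names whose answer pattern matches the heuristic.

    allowlist entries match the name itself and any subdomain of it, which is
    where known CDN and SaaS zones belong so they stop paging the SOC.
    """
    hits = []
    for qname, s in stats.items():
        if any(qname == a or qname.endswith("." + a) for a in allowlist):
            continue
        if len(s.ips) >= min_ips and len(s.networks) >= min_networks and s.min_ttl <= max_ttl:
            hits.append(qname)
    return sorted(hits)


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for qname in flag_fast_flux(stats):
        s = stats[qname]
        print(f"{qname}: {len(s.ips)} IPs across {len(s.networks)} networks, min TTL {s.min_ttl}s")
```

The thresholds are starting points, not truth: a content delivery network legitimately rotates many addresses with low TTLs, so a hit is a reason to look at who queried the name and what they did next, not a block decision by itself. Tuning the allowlist against a week of your own logs before alerting on the output is the difference between a useful detection and one that gets muted.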
White House Revokes Security Clearance for Chris Krebs and Associates

On April 9, 2025, the White House (@WhiteHouse) issued a presidential memorandum revoking the security clearance of Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (@CISAgov), and suspending clearances for individuals affiliated with him—including current employees at SentinelOne (@SentinelOne), where Krebs now serves as Chief Intelligence and Public Policy Officer. The order accuses Krebs of using his former government role to suppress dissent and shape public discourse during the 2020 election and pandemic. It also directs a full review of CISA’s operations over the past six years, citing concerns about “government censorship and the suppression of lawful speech.”
SentinelOne Responds to Presidential Memorandum

Following the announcement, SentinelOne released a public response affirming its mission to protect U.S. infrastructure from global threats and emphasizing that fewer than ten of its employees currently hold government security clearances. The company stated: “We view the White House as a crucial collaborator on that mission, and we will continue to support a strong America at a time of heightened geopolitical threats. We do not expect the executive order to materially impact our business operations.” While reaffirming its commitment to national security, SentinelOne also made clear that it will comply with all required reviews and regulations.
What Happens Next? A New Precedent in Cybersecurity and Government Oversight

This development raises a critical question: What happens when national cybersecurity becomes entangled with political retaliation? Revoking security clearances for private sector employees based on perceived political actions—rather than any publicized security violation—marks a significant shift. This may challenge the stability of public-private partnerships that are foundational to national cyber defense. With rising tensions on the global cyber stage and expanding threats from state-sponsored groups, consistent collaboration between private firms and federal agencies remains essential. The coming weeks will show whether this order becomes a turning point—or a chilling signal to those in the security community.
State-Sponsored Surveillance: BADBAZAAR and MOONSHINE Spyware Campaigns Exposed by U.S. Government

In a recent joint cybersecurity advisory, U.S. government agencies including the @FBI and @NSAGov, alongside international partners, issued a stark warning about two Chinese-linked spyware families actively targeting dissident communities: BADBAZAAR and MOONSHINE. These tools aren’t theoretical — they’re being used right now to monitor, manipulate, and potentially endanger activists and vulnerable populations around the world. Understanding how they work — and how to defend against them — is crucial for security professionals and freedom advocates alike.

What Is BADBAZAAR?

Originally discovered by researchers tracking Android malware, BADBAZAAR has evolved into a sophisticated surveillance tool designed to intercept communications, track device location, collect contact lists, and extract files and messages from encrypted apps like @signalapp and @telegram. The malware is often disguised as legitimate-looking @Android apps and shared through forums, fake app stores, or direct links. Once installed, it silently exfiltrates sensitive information back to threat actor infrastructure.

What About MOONSHINE?

MOONSHINE is an advanced iOS-targeting spyware believed to have been used against Tibetan activists and journalists. Delivered via phishing links or maliciously crafted websites, this malware enables full device access, camera and mic activation, credential harvesting, and data exfiltration from cloud-linked apps. What makes MOONSHINE notable is its ability to exploit zero-day vulnerabilities to maintain persistent, stealthy access — a hallmark of well-funded, state-backed operators.

Who’s Being Targeted?

According to the FBI and NSA report, primary targets include pro-democracy activists, Tibetan and Taiwanese independence supporters, Uyghur Muslims, Falun Gong practitioners, and journalists and NGO workers critical of Beijing. This isn’t just espionage — it’s an effort to silence political opposition globally using digital weapons.

What Can Be Done?

For organizations and defenders, it’s critical to implement mobile threat detection tools, enforce zero trust policies, watch for signs of unauthorized access or persistent mobile surveillance, and train teams on mobile phishing and social engineering tactics. For individuals at risk, avoid sideloading apps or clicking unknown links, use device hardening techniques, regularly update your mobile OS, and consider using privacy-focused devices like GrapheneOS or properly configured iPhones.

Official Government Source

This information is backed by the joint advisory from the FBI, NSA, and allied intelligence partners. You can search for the original alert on the FBI or NSA’s official cybersecurity portals under the advisory titled: “Chinese State-Sponsored Spyware: BADBAZAAR and MOONSHINE Threat Intelligence Advisory”
Date: April 8, 2025
Source: @FBI and @NSAGov websites

Final Thoughts

Spyware like BADBAZAAR and MOONSHINE represents the next frontier of global surveillance and cyberwarfare. As attackers refine their tools, defenders must stay informed, agile, and community-focused. Whether you’re protecting clients, building policy, or simply defending your own device — awareness is the first line of defense.

#ExploitCritical | Watching the watchers. Defending the digital frontier.