February Cybersecurity News: The Guardian Has You Covered

Welcome to the February edition of the NodeZero™ Guardian: equipping you with essential cybersecurity news and updates, plus Horizon3.ai content and events. Ready for this month's trivia question?

In 2021, researchers discovered a critical vulnerability in Microsoft Exchange Server that was actively exploited by state-sponsored threat actors, leading to widespread compromises of on-premises email servers worldwide. What was the name of this vulnerability (or set of vulnerabilities), and what specific flaw made it exploitable?

You'll find the answer at the end of the newsletter.

In the News

CISA and FBI Warn of Malicious Cyber Actors Using Buffer Overflow Vulnerabilities to Compromise Software

February 12, 2025: CISA and the Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, Eliminating Buffer Overflow Vulnerabilities, as part of their cooperative Secure by Design Alert series—an ongoing series aimed at advancing industry-wide best practices to eliminate entire classes of vulnerabilities during the design and development phases of the product lifecycle.

CISA Partners with ASD’s ACSC, CCCS, NCSC-UK, and Other International and US Organizations to Release Guidance on Edge Devices

February 04, 2025: CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems.

CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware

January 30, 2025: CISA released a fact sheet, Contec CMS8000 Contains a Backdoor, detailing an analysis of three firmware package versions of the Contec CMS8000, a patient monitor used by the U.S. Healthcare and Public Health (HPH) sector. Analysts found that every version analyzed contains an embedded backdoor function with a hard-coded IP address, along with functionality that enables patient data spillage.

The Digital Operational Resilience Act (DORA) becomes binding as of today (17 January 2025) for all financial entities across the EU.

January 17, 2025: DORA is a harmonised and comprehensive regulatory framework on digital operational resilience. The regulation is designed to strengthen digital operational resilience and oversight over Critical Third-party ICT Providers (CTPPs). The regulatory framework entered into force on 16 January 2023 and financial entities had until 17 January 2025 to fully deploy and implement it.


H3 Announcements

Press Releases

February 19, 2025: The Market Shifts to Autonomous Pentesting: Horizon3.ai Surpasses 100,000 NodeZero™ Tests - Horizon3.ai, a global leader in autonomous security solutions, announced today that NodeZero™ has surpassed 100,000 pentests conducted by over 3,000 customers, with projections exceeding 400,000 by the end of 2026.

January 22, 2025: Horizon3.ai Expands on Disruptive Value of Autonomous Penetration Testing for Security Teams Worldwide - Between August and December of 2024, Horizon3.ai released three new products to drive cybersecurity excellence and help organizations combat emerging threats: NodeZero Insights™, NodeZero Tripwires™, and NodeZero Kubernetes Pentesting.

Research and Blogs

February 19, 2025: Ivanti Endpoint Manager – Multiple Credential Coercion Vulnerabilities - Back in October of 2024, we were investigating one of the many Ivanti vulnerabilities and found ourselves without a patch to “patch diff” with – leading us to audit the code base at mach speed. This led to the discovery of four critical vulnerabilities in Ivanti Endpoint Manager (EPM). These vulnerabilities were patched last month in Ivanti’s January patch rollup.

February 3, 2025: Securing Financial Services: From Promises to Proof with NodeZero™ - The financial services sector continues to experience a sharp rise in cyber threats targeting the industry. In just the third quarter of 2024, 141 breaches in this sector impacted over 16 million victims, highlighting the urgent need for modern, continuous security measures to address this growing risk.

Special Features

Fireside Chat: Horizon3.ai and Jerome’s Furniture

In this exclusive fireside chat, Adam Warren, IT Director at Jerome’s Furniture, sits down with Horizon3.ai's Principal Security SME, Stephen Gates, to discuss how Jerome’s has evolved its cybersecurity strategy over the years. From early vulnerability management struggles to the adoption of autonomous penetration testing with NodeZero, Adam shares real-world insights on how a lean IT team can efficiently defend against modern threats.

Through engaging storytelling and industry insights, attendees will learn:

  • Lessons from recent retail cyberattacks and how they influenced Jerome’s security posture
  • How Jerome’s transformed its cybersecurity approach from reactive scanning to proactive offensive security
  • Best practices for retailers looking to improve security without increasing overhead

Straight From the Source: Latest H3 Content

Proactive Cyber Defense: Why Continuous Security Testing is Essential for General Counsels in Regulated Industries

This white paper discusses how continuous security testing helps General Counsels and executives mitigate legal risks, prove compliance, and strengthen cybersecurity defenses. Increased scrutiny from regulators and shareholders means that security lapses now carry real legal consequences.

Maximizing MSSP Revenue with NodeZero™: A Four-Pillar Strategy for Comprehensive Security Services

This white paper discusses how integrating Horizon3.ai’s NodeZero™ autonomous security platform into MSSP service portfolios enables providers to offer a holistic suite of services across four core areas: Assess, Secure, Defend, and Advise.

Building an Overwatch Service with NodeZero Tripwires?: A Strategic Guide for MSSPs

This white paper highlights how MSSPs can create an advanced “Overwatch Service” to proactively detect threats, improve incident response capabilities, and unlock new revenue streams with NodeZero Tripwires™.


Latest NodeZero Attack Content

Ivanti Endpoint Manager – Multiple Credential Coercion Vulnerabilities

Back in October of 2024, we were investigating one of the many Ivanti vulnerabilities and found ourselves without a patch to “patch diff” with – leading us to audit the code base at mach speed. This led to the discovery of four critical vulnerabilities in Ivanti Endpoint Manager (EPM). These vulnerabilities were patched last month in Ivanti’s January patch rollup.

The vulnerabilities allow an unauthenticated attacker to coerce the Ivanti EPM server's machine account into authenticating to an attacker-controlled host, so that its credential can be used in relay attacks, potentially leading to compromise of the server. A NodeZero Rapid Response test is available for all four:

  1. CVE-2024-10811: Credential Coercion Vulnerability in GetHashForFile
  2. CVE-2024-13161: Credential Coercion Vulnerability in GetHashForSingleFile
  3. CVE-2024-13160: Credential Coercion Vulnerability in GetHashForWildcard
  4. CVE-2024-13159: Credential Coercion Vulnerability in GetHashForWildcardRecursive

Read the full blog HERE.

New Attack Content

  • CVE-2024-21762: Fortinet FortiOS - Remote code execution vulnerability.
  • CVE-2024-8069: Citrix XenServer - Unauthenticated remote code execution.
  • CVE-2024-46909: WhatsUp Gold - Arbitrary code execution.
  • CVE-2024-56145: Craft CMS - RCE vulnerability from improper PHP handling.


Over the Horizon

Come see our crew virtually or in person near you! Here are some of our upcoming events:

  • 5 March - Denver Cybersecurity Summit (Register HERE)
  • 6 March - New York Cybersecurity Summit (Register HERE)
  • 12 March - Cloud and Cybersecurity Expo (Register HERE)
  • 17 March – MES IT Security Atlanta (Register HERE)
  • 27 April – 2025 MES Spring Orlando (Register HERE)
  • 28 April – RSA Conference 2025 (Register HERE)


Cybersecurity Tip of the Month

Don’t Just Patch – Validate Your Fixes: Many organizations diligently apply security patches, but few take the critical extra step of validating that the fix actually works. Attackers are banking on this oversight.

Why It Matters:

  • Misconfigurations and Partial Fixes – Applying a patch doesn’t always mean the vulnerability is closed. Firewalls, outdated dependencies, or registry settings might still leave the door open.
  • Compensating Controls Can Fail – Relying on virtual patching (e.g., WAF rules) or EDR detections? Without verification, you’re trusting that an attacker won’t find a way around them.
  • Attackers Test – So Should You – Adversaries don't assume your patching worked; they actively test it. Organizations should adopt the same mindset.


Get in Touch

Enjoyed the newsletter, but maybe got tricked by the trivia question? Think we forgot something important? Let us know! Please feel free to reach out to us at [email protected].

Trivia Answer:

Name: The ProxyLogon vulnerabilities (CVE-2021-26855 and related CVEs)

Exploitable Flaw: The attack chain leveraged a server-side request forgery (SSRF) vulnerability (CVE-2021-26855) in Exchange's Client Access Service (CAS), allowing an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server itself. Once that access was gained, attackers exploited CVE-2021-27065, a post-authentication arbitrary file write vulnerability, to drop web shells and execute remote code on the Exchange server.


Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics. My posts and comments are my personal views and perspectives but not those of my employer.

1 week

This is great advice: “Don’t Just Patch – Validate Your Fixes”. Often the gap or mistake is the split between the teams that patch and the teams tracking vulnerabilities. 1. Miscommunication and misunderstanding of how the patch was designed or implemented can lead to unexpected backdoors that attackers could find and exploit. 2. Patches can be reverse-engineered as well.
