Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

External attack surfaces have never been more sprawling, or more vulnerable. As organizations increasingly rely on dynamic, cloud-based infrastructures, and third-party services, digital footprints are only going to carry on growing. So, it’s no surprise many are turning towards External Attack Surface Management (EASM) tools for more visibility into both known and unknown assets. But what should you be looking for in a solution?

Digital Risk Protection (DRP) helps organizations identify, monitor, and protect against threats across their digital footprint. The goal is to catch risks on the open, deep, and dark web before they can be exploited, by aggregating threat intelligence from diverse external sources (social media, underground forums, code repositories, and paste sites). Organizations scan continuously for exposed credentials, brand impersonations, data leaks, and emerging malware campaigns.

Despite advancements in security, web applications are still a problem. Attackers target web applications because they’re exposed, complex, and not as well protected as they should be. According to Verizon1, web applications are the most prevalent attack vector, with exploitations of vulnerabilities increasing by 180% in 2024.

Digital Risk Protection (DRP) lets organizations proactively identify and mitigate external threats that emerge from their digital footprints. This can span public sources as well as deep and dark web channels. DRP is a key element of Outpost24’s external attack surface management (EASM) platform, so we’re pleased to announce two new integrations have been added: Social Media and Data Leakage. These new DRP modules will help cybersecurity teams to.

Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from April about EncryptHub, EncryptRAT, and the Media Land leak.

Authentication is used by most web applications. Both for letting users have access to individual accounts, but also for protecting certain resources from the public. Basic authentication allows an individual to prove to the application that they are the user that is trying to access it. Unfortunately, authentication vulnerabilities are often found by pen testers too. While there are many forms of authentication, the most common implementations are that of the username and password.

The concept of responsible disclosure is a simple one. If you find a vulnerability, you let the affected organization or software vendor know before making the information public. This gives them time to patch the vulnerability before it can be exploited. It also helps maintain trust and fosters a collaborative environment between security researchers and companies. As a cybersecurity vendor, do we want our researchers to be credited when they discover vulnerabilities? Of course.

Several years ago, a security researcher discovered a vulnerability in Google Chrome that allowed fake domains to bypass the browser’s security measures. The researcher registered a domain that appeared as “xn--80ak6aa92e.com” but displayed as “apple.com” in the browser, demonstrating how easy it was to deceive users. This is just one example of what’s known as a homograph attack, or sometimes a ‘look-a-like domain’.

This is the second part of Outpost24’s KrakenLabs investigation into EncryptHub, an up-and-coming cybercriminal who has been gaining popularity in recent months and is heavily expanding and evolving operations at the time of writing. We’ve already published one article explaining EncryptHub’s campaigns and TPPs, infrastructure, infection methods, and targets.

Outpost24 analysts recently discovered a critical authentication bypass vulnerability in CrushFTP, identified as CVE-2025-31161. The vulnerability has a CVSSv3.1 score of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). We reached out to MITRE for a CVE on 13th March 2025 and were within an agreed 90-day non-disclosure period with CrushFTP. The plan was to give users plenty of time to patch before attackers were alerted to the vulnerability and able to exploit it.