February 2025 - RedSeal

Cyber News Roundup for February 28, 2025

In recent cybersecurity news, several high-profile incidents highlight growing threats and vulnerabilities across sectors. Belgium’s State Security Service is investigating a cyber-espionage operation allegedly linked to Chinese hackers, who compromised the agency’s email system. Meanwhile, the PolarEdge botnet is exploiting vulnerabilities in critical edge devices from Cisco, ASUS, and others, while reports reveal a significant increase in the time it takes to patch software vulnerabilities, now averaging eight and a half months. These incidents underscore the urgent need for robust cybersecurity measures to protect both government and private sector infrastructure.

A cybersecurity veteran takes CISA’s lead  

Karen Evans, a seasoned federal IT and cybersecurity expert, has been appointed as the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). In this prominent role, she will lead efforts to protect federal civilian agencies and the nation’s critical infrastructure against cyber threats. Evans brings extensive experience from her previous positions, including Chief Information Officer at the Department of Homeland Security, Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, and Administrator of E-Government and Information Technology at the Office of Management and Budget. Her appointment fills a key leadership position within CISA, which has been without a permanent director since January 2025. (Cyberscoop)

A Belgian spy agency is hacked

Belgium has initiated a judicial investigation into an alleged Chinese cyber-espionage operation that compromised the email system of its State Security Service (VSSE). Between 2021 and 2023, unidentified Chinese state-sponsored hackers reportedly siphoned off 10% of the agency’s incoming and outgoing emails. The attackers exploited a vulnerability in an email security product from Barracuda Networks, deploying malware strains Saltwater, SeaSpy, and Seaside to establish backdoors into compromised systems. While classified internal communications remained secure, the breach affected an external server handling communications with government ministries and law enforcement, potentially exposing personal data of nearly half the VSSE’s staff and past applicants. Belgian officials have refrained from commenting on the specifics, citing the ongoing nature of the investigation. (The Record)

PolarEdge botnet exploits Cisco, ASUS, QNAP, and Synology

According to French cybersecurity company Sekoia, a new malware campaign is targeting edge devices from Cisco, ASUS, QNAP, and Synology to pull them into a botnet named PolarEdge. It has been operating since at least the end of 2023. The campaign leverages CVE-2023-20118, a critical security flaw in end-of-life Cisco Small Business routers that remains unpatched and could result in arbitrary command execution on susceptible devices. The vulnerability is said to have been used to deliver a TLS backdoor that can listen for incoming client connections and execute commands. (The Hacker News)

Software vulnerabilities take almost nine months to patch  

A State of Software Security report released by Veracode shows the average fix time for software security vulnerabilities has “risen to eight and a half months, a 47% increase over the past five years.” This is also 327% higher than 15 years ago, “largely as a result of increased reliance on third-party code and use of AI generated code.” Furthermore, the report says, “half of all organizations have critical security debt – defined as accumulated high severity vulnerabilities left open for longer than a year, and 70 percent of this critical security debt comes from third-party code and the software supply chain.” (InfoSecurity Magazine)

Thousands of exposed GitHub repositories, now private, can still be accessed through Copilot  

Security researchers at Israeli cybersecurity company Lasso found that Microsoft Copilot retains access to thousands of once-public GitHub repositories, even after they’ve been set to private. Using Bing’s cache, Lasso identified over 20,000 affected repositories, exposing sensitive data from major companies like Google, IBM, and Microsoft. Microsoft classified the issue as “low severity.” (TechCrunch)

HaveIBeenPwned Adds 244 Million Passwords Stolen By Infostealers  

HaveIBeenPwned has added 244 million stolen passwords and 284 million compromised email accounts to its database, sourced from 1.5TB of infostealer logs shared on Telegram. The data was linked to a major distribution channel called “Alien Textbase,” which published the logs in 744 files. HIBP also introduced two new APIs allowing domain owners to check for compromised credentials. Infostealers, increasingly used in cyberattacks, spread through phishing, malicious ads, and pirated software, with stolen data fueling major breaches like those affecting Ticketmaster and AT&T. (Infosecurity)

CISA adds an Oracle Agile PLM flaw to its Known Exploited Vulnerabilities (KEV) catalog

CISA has added CVE-2024-20953, an Oracle Agile PLM flaw, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity deserialization vulnerability, patched in January 2024, allows low-privileged attackers to execute arbitrary code. While no public reports confirm active exploitation, experts believe attackers likely use it post-initial access. Oracle vulnerabilities, particularly WebLogic flaws, remain frequent attack targets. (Security Week)

A sophisticated macOS malware campaign is distributing Poseidon Stealer  

A sophisticated macOS malware campaign is distributing Poseidon Stealer via a fake DeepSeek AI website, according to cybersecurity researchers. The malware bypasses macOS Gatekeeper and harvests sensitive data, including browser credentials, cryptocurrency wallets, and system keychains. Attackers use malvertising to lure victims to a counterfeit site, delivering the malicious DMG file. Poseidon employs anti-analysis techniques and exfiltrates stolen data via curl POST requests. Security experts recommend restricting osascript execution, using next-gen antivirus (NGAV), and educating users on Terminal-based threats to mitigate the risk.

Meanwhile, a privilege escalation vulnerability in Parallels Desktop remains unpatched, with two exploits publicly disclosed, allowing attackers to gain root access on Macs. Security researcher Mickey Jin bypassed Parallels’ previous fix for CVE-2024-34331, a flaw stemming from missing code signature verification. Despite seven months of warnings, Parallels has not addressed the issue, leaving all known versions vulnerable. Jin urges users to take proactive security measures as attackers could exploit this in the wild. (BleepingComputer)

Chinese group Silver Fox is spoofing medical software  

A Chinese government-backed hacking group, Silver Fox, is spoofing medical software to infect hospital patients’ computers with backdoors, keyloggers, and cryptominers, according to Forescout’s Vedere Labs. The malware mimics Philips DICOM image viewers and other healthcare applications, tricking victims into installing ValleyRAT, a remote access tool. The attack uses PowerShell commands to evade detection and downloads encrypted payloads from Alibaba Cloud. While targeting individuals, the malware could spread into hospital networks through infected patient devices, posing a major cybersecurity risk to healthcare organizations. (The Register)

Cyberattacks targeting ICS and OT surged dramatically last year  

Cyberattacks targeting industrial control systems (ICS) and operational technology (OT) surged 87% in 2024, according to cybersecurity firm Dragos. Ransomware attacks on industrial infrastructure also increased by 60%, reflecting heightened geopolitical tensions involving conflicts like Russia-Ukraine and China-Taiwan. Experts warn that state-sponsored groups, such as China’s Volt Typhoon, are infiltrating critical infrastructure, preparing potential future disruptions. Volt Typhoon has notably identified strategic U.S. targets, including power substations critical for military deployments. Alarmingly, non-state cybercriminals are gaining ICS expertise through collaboration with state actors, broadening attack capabilities and risks to critical infrastructure. This shift threatens more frequent, indiscriminate attacks as cybercriminal groups increasingly target industrial systems for financial or disruptive objectives. (Cyberscoop)

Linux backdoor used in the wild  

Researchers at Palo Alto Networks’ Unit 42 discovered an undocumented Linux backdoor called Auto-Color, used by threat actors against government and university targets in North America and Asia from November to December 2024. Researchers don’t know the initial attack vector. If run with root privileges, it installs a malicious library implant, copies itself to the system directory, and modifies files to ensure it executes before other system libraries. Without root access, the malware can still provide remote access to threat actors but lacks persistence. Once running, it uses a custom encryption algorithm to talk with C2 servers. (Bleeping Computer)

Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility  

Security researchers at Tenable uncovered zero-day vulnerabilities in Fluent Bit, a widely used logging utility embedded in cloud platforms like AWS, Google Cloud, and Microsoft Azure. The flaws, CVE-2024-50608 and CVE-2024-50609 (CVSS 8.9), stem from null pointer dereference weaknesses in the Prometheus Remote Write and OpenTelemetry plugins, exposing billions of production environments to cyber threats. Attackers can crash Fluent Bit servers or leak sensitive data using simple HTTP requests. These vulnerabilities affect Kubernetes deployments, enterprise logging systems, and compliance workflows, with major users including Cisco, Splunk, and VMware. Patches are available in v3.0.4 and v2.2.3, but unpatched systems remain at high risk. Experts urge immediate updates, API access restrictions, and security audits to prevent widespread service disruptions and data leaks. (Cyber Security News)

Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server  

Security researchers at The DFIR Report have uncovered a LockBit ransomware attack that exploited CVE-2023-22527 in a Windows Confluence server. The attackers gained initial access through a remote code execution (RCE) vulnerability, quickly deploying Mimikatz, Metasploit, and AnyDesk to escalate privileges and move laterally across the network via RDP. They used Rclone to exfiltrate data to MEGA.io before executing the ransomware. PDQ Deploy was leveraged to automate the spread of LockBit across critical systems, ensuring widespread encryption. The entire attack—from initial compromise to ransomware deployment—was completed in just two hours. The researchers emphasize the importance of patching Confluence vulnerabilities, monitoring network activity, and restricting remote access to prevent similar intrusions. This case underscores the growing sophistication and speed of ransomware operations targeting unpatched enterprise applications. (The DFIR Report)

Retired Gen. Paul Nakasone warns the U.S. is falling behind in cyberspace  

Retired Gen. Paul Nakasone warned that the U.S. is falling behind in cyberspace, with adversaries expanding their capabilities. Speaking over the weekend at DistrictCon in Washington DC, he cited Chinese-backed breaches and ransomware attacks as evidence of weak cybersecurity. He also expressed concern about cyber operations causing physical damage, predicting future attacks could disable platforms through digital means. Nakasone, now at Vanderbilt University, highlighted AI’s role in cyber offense, including autonomous targeting by AI-powered drones. He questioned the limits of AI-driven cyber weapons and their ability to bypass defenses.

He endorsed a more aggressive U.S. cyber strategy, citing past Cyber Command operations against Russian and Iranian hackers. He emphasized “persistent engagement” to keep cyber enemies in check. Nakasone stressed the need for top cyber talent, warning of recruitment challenges due to past government actions. He acknowledged ongoing Cyber Command reforms but avoided direct criticism of political leadership changes, stating that presidents choose their own advisers. (Cyberscoop)

Australia bans Kaspersky over security concerns  

Australia has joined the growing list of countries to ban Kaspersky products from government systems. Citing national security risks and concerns over potential Russian government influence, Australian agencies must remove the software by April 1, though limited exemptions may apply for national security or law enforcement functions. In a statement to multiple outlets, Kaspersky criticized the decision, arguing it lacked technical justification and was driven by geopolitical tensions. This move follows similar bans by the U.S., U.K., and Canada within the last year. (Security Week) (The Hacker News) (Bleeping Computer) (The Record)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Tales from the Trenches: Early? It came online early? How do you know?

Today’s Tales from the Trenches is brought to you by Brad Schwab, Senior Security Solutions Consultant.

Regardless of the size of your business, things still happen at the “speed of business.” But what does that really mean? It means that changes do not always happen on the intended schedule, and sometimes they occur before safeguards can be put in place – all in the name of promoting the business.

This exact scenario unfolded for a RedSeal customer. This customer supports a worldwide network that is so big and in such a constant state of flux that they continually run RedSeal’s Assisted Modeling feature. This feature looks at network device configurations and can determine whether there are other devices missing from the RedSeal model, based on designated Model Issues. Once it has a list of possible missing device targets, RedSeal performs a data collection against those targets to bring them into the model. This process repeats on the new devices, and then again on any other new devices. I like to say “missing devices create missing devices…”
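To make the iterative part of that description concrete, here is a small added example, written for this post and not RedSeal’s own implementation, of how a configuration-driven discovery loop behaves. It assumes simplified, constructed IOS-style configs keyed by management IP, treats static-route next hops and BGP neighbors as the “model issues” that point at devices not yet modeled, and re-runs the same parse on every device it pulls in. A constructed two-line hardening baseline is then checked against each newly discovered device, which is the kind of finding the rest of this story turns on.

```python
import re
from ipaddress import ip_address

# Constructed, simplified IOS-style configs keyed by management IP. The dict
# stands in for whatever a collector can reach; it is not RedSeal's collector.
REACHABLE_CONFIGS = {
    "10.0.0.1": (
        "hostname core-rtr\n"
        "service password-encryption\n"
        "no ip http server\n"
        "ip route 10.20.0.0 255.255.0.0 10.0.0.2\n"
        "ip route 192.0.2.0 255.255.255.0 10.0.0.9\n"
        "router bgp 65001\n"
        " neighbor 10.0.0.3 remote-as 65002\n"
    ),
    "10.0.0.2": (
        "hostname dc-edge-1\n"
        "service password-encryption\n"
        "ip route 10.21.0.0 255.255.0.0 10.0.0.4\n"
    ),
    "10.0.0.3": "hostname partner-rtr\nservice password-encryption\nno ip http server\n",
    "10.0.0.4": (
        "hostname dc-core-1\n"
        "router bgp 65001\n"
        " neighbor 10.0.0.2 remote-as 65001\n"
        " neighbor 10.0.0.5 remote-as 65001\n"
    ),
    "10.0.0.5": "hostname dc-core-2\nip route 0.0.0.0 0.0.0.0 10.0.0.4\n",
    # 10.0.0.9 is referenced by core-rtr but deliberately absent: unreachable.
}

# Constructed hardening baseline: lines every device is expected to carry.
REQUIRED_LINES = ("service password-encryption", "no ip http server")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
NEXT_HOP_RE = re.compile(r"^ip route \S+ \S+ " + IPV4, re.M)
BGP_NEIGHBOR_RE = re.compile(r"^\s*neighbor " + IPV4 + r" remote-as", re.M)
HOSTNAME_RE = re.compile(r"^hostname (\S+)", re.M)


def referenced_peers(config):
    """IPs a config points at: static-route next hops and BGP neighbors.
    These play the role of 'model issues' hinting at devices not yet modeled."""
    return set(NEXT_HOP_RE.findall(config)) | set(BGP_NEIGHBOR_RE.findall(config))


def hostname(config):
    m = HOSTNAME_RE.search(config)
    return m.group(1) if m else "<unknown>"


def missing_hardening(config, required=REQUIRED_LINES):
    """Required baseline lines that a config does not contain."""
    present = {line.strip() for line in config.splitlines()}
    return [line for line in required if line not in present]


def assisted_modeling(initial_model, collect):
    """Expand a model (ip -> config) by collecting every referenced peer that is
    not yet modeled, then repeating on each device that collection brings in.
    `collect(ip)` returns a config string, or None if the device is unreachable."""
    model = dict(initial_model)
    queue, via, discovered, unreachable = [], {}, [], set()

    def enqueue(peers, referrer):
        for peer in sorted(peers, key=ip_address):
            if peer not in model and peer not in via:
                via[peer] = referrer  # remember which device exposed this gap
                queue.append(peer)

    for ip, cfg in initial_model.items():
        enqueue(referenced_peers(cfg), ip)
    while queue:
        target = queue.pop(0)
        cfg = collect(target)
        if cfg is None:
            unreachable.add(target)
            continue
        model[target] = cfg
        discovered.append(target)
        enqueue(referenced_peers(cfg), target)  # missing devices create missing devices
    return {"model": model, "discovered": discovered, "via": via,
            "unreachable": sorted(unreachable, key=ip_address)}


def review_new_devices(result):
    """Hardening findings for each device the run pulled into the model."""
    return [(ip, hostname(result["model"][ip]), missing_hardening(result["model"][ip]))
            for ip in result["discovered"]]


if __name__ == "__main__":
    seed = {"10.0.0.1": REACHABLE_CONFIGS["10.0.0.1"]}
    result = assisted_modeling(seed, REACHABLE_CONFIGS.get)
    for ip, name, gaps in review_new_devices(result):
        print(f"{ip:10} {name:12} found via {result['via'][ip]:10} missing: {gaps or 'none'}")
    print("unreachable:", result["unreachable"])
```

Seeding the loop with only the core router is enough to pull in the whole constructed data center: the core’s static route exposes dc-edge-1, whose route exposes dc-core-1, whose BGP neighbor exposes dc-core-2. The `via` map records that chain, and the hardening review of the discovered devices is where the configuration gaps show up.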

Here is what played out from one nightly Assisted Modeling run:

I received a call from a customer’s Head of Network Security Engineering who excitedly exclaimed that a new data center had come online early, unannounced, and that RedSeal had discovered it through Assisted Modeling. Only because of RedSeal was his team aware of the data center coming online. As we looked at the new devices that comprised the data center, things got interesting. The RedSeal deployment was set up to check and monitor all network devices against configuration hardening guidelines that had been designed, tested, and verified via RedSeal Secure Configuration Checks, and against segmentation checks via RedSeal Zones and Policies. Then it got interesting. As we reviewed the new devices in the data center, we discovered something concerning: none of the hardening guidelines had been followed, and no segmentation restrictions were in place. This situation could have posed significant security risks. Thankfully, RedSeal’s Assisted Modeling feature had already flagged these issues, giving the team a crucial heads-up before any potential harm could occur.

Sometimes a new branch, or in this case, a data center may be brought online before customer data is present. However, that would be under strict supervision and not just out of the blue. In this case, the customer was rightfully upset and at the same time very thankful for RedSeal’s Assisted Modeling feature keeping a watchful eye on the network and for the heads up on the configuration and segmentation issues.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

Cyber News Roundup for February 21, 2025

The cybersecurity landscape never rests, and this week’s high-impact stories highlight the ever-evolving nature of threats and vulnerabilities. We’ve got the latest on a penetration test that escalated from a simulated breach to real-life arrests, a $500,000 business email compromise, and the latest on a critical vulnerability affecting Juniper Networks. Plus, don’t miss how Russian hackers are targeting Signal users and the ongoing risks posed by Salt Typhoon.

At RedSeal, we protect your network by providing precise asset visibility and attack path analysis. Our solutions help you proactively manage risks, identify vulnerabilities before they turn into threats, and ensure your defense strategy stays one step ahead. Read on for the full breakdown of this week’s critical cyber news.

The pentesters’ breach was simulated — their arrest was not  

Two penetration testers from Threat Spike Labs learned the hard way that miscommunication can be more dangerous than actual hacking. During a simulated breach at a corporate office in Malta, the duo successfully gained unauthorized access, stole a master key card, and retrieved sensitive data—all part of an approved security assessment.

But then, things took a turn. The general manager who authorized the test panicked and called the police, convinced that real criminals were at work. Despite waving their authorization documents like a backstage pass at a concert, the testers were arrested and hauled in for questioning. Later, Curt Hems reflected on the experience: “Penetration tests don’t always end with a report—sometimes they end with flashing lights and handcuffs.”

Lesson learned? Tell law enforcement about security tests before they happen. Ironically, the security test worked—the company’s response was swift, even if it resulted in unnecessary arrests. (Cyber Security News)

Minerals company loses $500,000 to BEC scam  

NioCorp Developments, a company that operates a minerals project in southeast Nebraska focusing on the production of niobium, scandium, and titanium, has alerted regulators to a break-in that occurred on February 14. Threat actors allegedly “broke into its information systems, including portions of its email systems,” and misdirected a half-million dollars intended to be sent to a vendor. The company is taking steps to remediate the incident and to search for any additional damage. (The Register)

Microsoft working on fix for Windows 11 SSH connections bug  

Following up on a story we covered last November, Microsoft is now testing a fix for an issue, present since November, that breaks SSH connections on some Windows 11 22H2 and 23H2 systems. The fix has been included in Windows 11 Build 26100 in the Release Preview Channel. When the problem first emerged in November, Microsoft said that only a limited number of devices running Windows 11 Enterprise, IoT, and Education editions were affected, but the company is now investigating whether consumer customers using Windows 11 Home or Pro editions may also be at risk. (BleepingComputer)

Credential theft puts sensitive corporate and military networks at risk  

Hudson Rock has published an analysis of compromised credentials for sale on criminal marketplaces, finding hundreds of credentials belonging to US military agencies and contractors, Infosecurity Magazine reports. The credentials were likely stolen by infostealer malware delivered via social engineering. The researchers identified credentials belonging to accounts at Lockheed Martin, Boeing, and Honeywell, as well as the US Army and Navy, the FBI, and the Government Accountability Office. Some of the logs also included active session cookies that could allow attackers to bypass multifactor authentication. (infostealers)

Russian hackers tap into Signal conversations  

Russian state-backed hackers are exploiting Signal’s “linked devices” feature to hijack accounts by tricking targets—often Ukrainian military personnel—into scanning malicious QR codes. Once linked, attackers can intercept messages in real time without fully compromising the victim’s device. Google researchers identified multiple threat groups using this technique, with some embedding QR codes in phishing pages disguised as military applications or security alerts. Signal has rolled out security updates to counter these threats but urges users to take extra precautions when scanning QR codes. (Bleeping Computer) (The Record) (The Hacker News)

FBI official provides more detail on Salt Typhoon attack  

A top official at the FBI painted a clearer picture of the sheer impact of the Salt Typhoon attack. Speaking at the 2025 Zero Trust Summit, FBI deputy assistant director Cynthia Kaiser emphasized the scale and indiscriminate nature of China’s data collection from major telecom providers. Officials say the breach touched every group of people, sweeping up law enforcement information, call records, and even data on American children, and raising concerns over its long-term impact. Kaiser asked the crowd, “Can any of you imagine a world in which China would have been stealing information about you as a 13-year-old? That’s precisely what American children are facing. And that’s going to follow them in the future.” Since the operation was exposed last year, the U.S. has sanctioned a Chinese national and a cybersecurity firm linked to it, but Salt Typhoon remains active, with ongoing attacks on global networks. (CyberScoop)

Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability  

Juniper Networks has issued a critical security advisory for CVE-2025-21589, an API authentication bypass vulnerability affecting Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to gain full administrative control by injecting spoofed JWTs, bypassing authentication checks.

Attackers can exploit this flaw to modify routing policies, intercept encrypted traffic, and move laterally across networks. The vulnerability affects multiple software versions and requires network adjacency but no user interaction. Juniper discovered the issue through internal testing, with no known exploitation as of February 18, 2025. Patches are available, and cloud-managed WAN Assurance routers received automatic fixes. Organizations must apply updates immediately, audit configurations, monitor API requests, and implement network segmentation to mitigate risks. Unpatched systems pose serious threats to SD-WAN and 5G infrastructure. (Cyber Security News)

CISA warns of an actively exploited iOS vulnerability  

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about CVE-2025-24200, a zero-day vulnerability in Apple iOS and iPadOS, actively exploited in targeted attacks. The flaw, an authorization bypass in Apple’s USB Restricted Mode, allows attackers with physical access to disable security protections on locked devices, potentially exposing sensitive data.

Apple confirmed the exploit has been used in highly sophisticated attacks against high-value individuals, possibly by state-sponsored groups. The vulnerability affects a wide range of Apple devices, including iPhone XS and later models. Emergency patches were released on February 10, 2025, and CISA urges users to update before March 5. While no specific surveillance vendors are named, the attack methods resemble those used by firms like NSO Group. Users should update immediately and enforce physical security measures. (Cyber Security News)

Palo Alto Networks confirms a recently patched firewall vulnerability is being actively exploited  

Palo Alto Networks has confirmed that CVE-2025-0108, a recently patched firewall vulnerability, is being actively exploited. The flaw, disclosed on February 12, allows unauthenticated attackers to bypass authentication and execute PHP scripts via the PAN-OS management interface. Threat intelligence firm GreyNoise detected exploit attempts starting February 13, with attacks originating from nearly 30 unique IPs. The vulnerability can be chained with CVE-2024-9474 for remote code execution, posing a serious risk to unpatched systems.

A proof-of-concept (PoC) exploit is publicly available, and researchers warn that roughly 3,500 PAN-OS management interfaces remain exposed. Palo Alto urges immediate patching, emphasizing that securing external-facing management interfaces is critical. Assetnote, which discovered the flaw, coordinated disclosure with Palo Alto, arguing transparency helps defenders track attacks rather than leaving organizations vulnerable in the dark. (Security Week)

New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now  

Two security vulnerabilities have been discovered in OpenSSH that could enable man-in-the-middle (MitM) attacks and denial-of-service (DoS) attacks. The MitM vulnerability affects versions 6.8p1 to 9.9p1 when the VerifyHostKeyDNS option is enabled, letting attackers impersonate legitimate servers. The DoS vulnerability affects versions 9.5p1 to 9.9p1, leading to resource exhaustion. Both issues are fixed in OpenSSH 9.9p2, which was released Tuesday. (The Hacker News)

Hackers waste no time exploiting a SonicWall proof-of-concept vulnerability  

Hackers are actively exploiting CVE-2024-53704, a high-severity authentication bypass in SonicWall firewalls, after a proof-of-concept (PoC) exploit was published. This vulnerability allows attackers to bypass multi-factor authentication (MFA), access private data, and disrupt VPN sessions. SonicWall released patches in January 2025, but as of February 7, around 4,500 devices remain unpatched. Arctic Wolf warns that cybercriminals often exploit firewall and VPN vulnerabilities for ransomware attacks, citing past incidents involving Akira ransomware. Organizations should immediately update SonicWall firewalls or follow mitigation steps to prevent attacks. Disabling SSLVPN is recommended if patching is not possible, as the public PoC increases the risk of exploitation. (Security Week)

Russian threat actors target Microsoft 365 accounts  

Volexity and Microsoft have published separate reports warning that multiple Russian threat actors are launching spearphishing attacks designed to compromise Microsoft 365 accounts. The threat actors are impersonating individuals from the US State Department, the Ukrainian Ministry of Defense, the European Union Parliament, and prominent research institutions. Volexity attributes the campaigns to at least three different Russian groups, including CozyLarch (which overlaps with Cozy Bear). Microsoft describes attacks from a Russian threat actor the company tracks as “Storm-2372.”

Notably, the attacks involve a lesser-known technique called “device code phishing,” in which users are tricked into granting access via the Microsoft Device Code OAuth workflow. Microsoft explains, “In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.” Volexity says “this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.” (Volexity, Microsoft)
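The device code flow this technique abuses leaves a distinctive trace in sign-in telemetry, so one practical defensive step is to hunt for it. The Python below is an added example written for this roundup, not code from Volexity, Microsoft or RedSeal. It assumes sign-in records shaped like the Microsoft Graph signIn resource (the authenticationProtocol, ipAddress, location and status field names are taken from that schema; verify them against your own tenant’s export) and runs over a few constructed log lines: it builds a per-user baseline of countries seen in ordinary sign-ins, then flags successful device-code sign-ins that arrive from an unfamiliar country or from an IP that handled device-code sign-ins for more than one user.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records, shaped after the Microsoft Graph signIn
# resource (authenticationProtocol, ipAddress, location, status). The field
# names are an assumption; check them against your own tenant's export.
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime": "2025-02-18T09:12:04Z", "userPrincipalName": "a.lee@example.org", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-18T09:40:51Z", "userPrincipalName": "a.lee@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-18T10:02:13Z", "userPrincipalName": "b.ortiz@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-18T10:15:00Z", "userPrincipalName": "c.ng@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""


def parse_signin_logs(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_country_baseline(records):
    """Countries each user has signed in from via ordinary (non-device-code) flows."""
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def find_device_code_signins(log_text):
    """Report successful device-code sign-ins, rating each against two signals:
    a country outside the user's baseline, and an IP that completed or attempted
    device-code sign-ins for more than one user (shared phishing infrastructure)."""
    records = parse_signin_logs(log_text)
    baseline = build_country_baseline(records)
    device_code = [r for r in records if r["authenticationProtocol"] == "deviceCode"]

    users_per_ip = defaultdict(set)  # failures count too: they show the IP's reach
    for r in device_code:
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in device_code:
        if r["status"]["errorCode"] != 0:
            continue  # only completed sign-ins yield usable tokens
        user, ip = r["userPrincipalName"], r["ipAddress"]
        country = r["location"]["countryOrRegion"]
        reasons = []
        if user in baseline and country not in baseline[user]:
            reasons.append(f"country {country} outside baseline {sorted(baseline[user])}")
        if len(users_per_ip[ip]) > 1:
            reasons.append(f"ip {ip} used for device-code sign-ins by "
                           f"{len(users_per_ip[ip])} users")
        findings.append({
            "time": r["createdDateTime"], "user": user, "ip": ip,
            "app": r["appDisplayName"],
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNIN_LOGS):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} from {f['ip']} via {f['app']}")
        for reason in f["reasons"]:
            print("          -", reason)
```

Device code sign-ins are legitimate for CLI tools and input-constrained devices, which is why the constructed Azure CLI record is labelled “review” rather than “high”: triage that bucket against the applications your organization actually expects to use the flow, and tighten the baseline accordingly. The same two signals map directly onto the Microsoft quote above: the token captured through the flow is only useful once the sign-in completes, and shared attacker infrastructure shows up as one IP finishing the flow for several users.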

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Network Security at Risk: Why Zero Trust is (Still) Non-Negotiable

As organizations expand their digital footprint and shift to more complex, hybrid infrastructures, traditional security models are no longer sufficient to protect critical networks. Relying solely on a “trust but verify” approach is riskier than ever. The solution? Zero Trust. Although Zero Trust has been a recognized security model for years, its importance has never been more urgent.

What is Zero Trust?

Zero Trust challenges the outdated perimeter-based defense strategy by assuming that threats can exist both inside and outside the network. Every user, device, and service requesting access must be authenticated and continuously validated before being granted permissions. This approach minimizes the risk of unauthorized access and lateral movement within the network, making it a cornerstone of modern cybersecurity strategies.

U.S. Treasury Department slammed by breach

In December 2024, the U.S. Treasury Department fell victim to a sophisticated cyberattack attributed to Chinese state-sponsored hackers. The breach occurred after attackers exploited vulnerabilities in BeyondTrust’s remote support software, gaining unauthorized access to unclassified documents and workstations. This attack highlights the critical need for robust security strategies that extend beyond traditional perimeter defenses, especially in complex networks.

Organizations that adhere to a Zero Trust framework minimize attackers’ ability to move laterally within the network. With Zero Trust’s “never trust, always verify” model, every user, device, and service is continuously authenticated, regardless of location. This approach enables faster detection and response to threats—reducing the impact of breaches.

UnitedHealth Group breach impacts more than originally expected

In February 2024, a breach involving UnitedHealth Group (UHG) and Change Healthcare exposed the data of approximately 190 million individuals, significantly more than the initial 100 million reported. The BlackCat ransomware group infiltrated Change Healthcare’s network through compromised Citrix server credentials that lacked multi-factor authentication. Over several weeks, the attackers moved across the network, stealing personal, health, and financial data. Despite paying a $22 million ransom to prevent data release, the hackers retained the stolen information.

Again, this breach underscores the urgent need for Zero Trust security models in protecting sensitive healthcare data. With continuous access validation and monitoring in place, the attackers would have encountered tighter controls limiting their lateral movement. Zero Trust ensures that even if an entry point is compromised, the impact is minimized, providing a stronger defense against future cyberattacks.

RedSeal’s role in Zero Trust security

RedSeal’s exposure management platform is key to the Zero Trust model. By providing detailed, real-time insights into your network topology, RedSeal ensures you have the visibility you need to understand exactly how assets, connections, and services are structured. This visibility is crucial to building a strong foundation for Zero Trust, enabling you to discover, investigate, and act to measurably reduce and mitigate risks.

RedSeal’s platform offers:

  • Comprehensive visualization: RedSeal brings all connected network assets into a cohesive interactive model to uncover hidden risks.
  • Attack path analysis: Only RedSeal reveals all the ways threats can breach and spread throughout the network.
  • Risk prioritization: With RedSeal, measure true business impact to ensure efficient and effective remediation efforts.
  • Continuous compliance: Ensure you’re up to date with external requirements, internal policies, and best practices.

Zero Trust target and advanced activities

This image from the DoD shows how Zero Trust grows in complexity over time as agencies and enterprises attempt to secure their environments across the seven pillars of Zero Trust.

Strengthening your Zero Trust framework

The successful implementation of Zero Trust relies on granular segmentation, comprehensive asset inventories, and real-time monitoring. RedSeal aids in:

  • Macro and micro-segmentation: RedSeal supports both macro-segmentation, which controls access between network segments, and micro-segmentation, which enforces policies within smaller segments, reducing the attack surface.
  • Data flow mapping: RedSeal’s ability to map data flows is essential for identifying unprotected paths and ensuring that all sensitive data is properly secured.

With RedSeal’s insights, you gain the visibility, context, and dynamic network modeling necessary to accelerate your Zero Trust journey. Whether you’re managing on-premises resources, cloud environments, or hybrid systems, RedSeal delivers the actionable insights you need to continuously secure and fortify your network.

Interested in learning more? Download our Zero Trust Solution Brief.

Partnering with RedSeal for Zero Trust

For more than 20 years, RedSeal has been a trusted partner for organizations across industries, helping them strengthen their cybersecurity posture. By offering a digital twin of your network, RedSeal enables you to better understand and manage security risks, while aligning with industry best practices for Zero Trust.

Reach out today to learn more about how we can support your Zero Trust journey.

Cyber News Roundup for February 14, 2025

In this edition of our Cyber News Roundup, we cover the latest cybersecurity threats and critical updates from around the world. From vulnerabilities in the U.S. Coast Guard’s Maritime Transportation System to malicious mobile apps making their way into app stores, it’s clear that the threat landscape is growing more complex. RedSeal’s exposure management solutions are designed to help organizations stay ahead, providing a comprehensive view of potential vulnerabilities and attack paths.

The GAO identifies cybersecurity gaps in the U.S. Coast Guard’s efforts to secure the Maritime Transportation System

The Government Accountability Office (GAO) has identified cybersecurity gaps in the U.S. Coast Guard’s efforts to secure the Maritime Transportation System (MTS) and issued five recommendations. The Coast Guard must improve incident data accuracy, enhance cyber deficiency tracking, align its strategy with national goals, and address competency gaps in cybersecurity personnel. GAO’s findings, based on reports, inspections, and stakeholder interviews from 2019 to mid-2024, highlight threats from state-sponsored actors (China, Iran, North Korea, Russia) and cybercriminals. Past cyberattacks have disrupted port operations, and future incidents could have severe consequences.

The Coast Guard assists MTS operators with cybersecurity guidance, inspections, and technical support but lacks a complete cybersecurity incident tracking system. GAO also found gaps in its cyber strategy and workforce competencies. The Department of Homeland Security (DHS) concurred with GAO’s recommendations, emphasizing the need for urgent improvements to prevent cyberattacks on critical maritime infrastructure. (Security Week)

The White House plans to nominate a new national cyber director

President Donald Trump plans to nominate Sean Cairncross as the next national cyber director, despite his lack of cybersecurity leadership experience. Cairncross, a longtime GOP insider, previously served as CEO of the Millennium Challenge Corporation and held senior roles within the Republican National Committee. If confirmed, he would lead the White House’s Office of the National Cyber Director (ONCD), which was created in 2021 to oversee U.S. cyber strategy. The Biden administration’s approach to ONCD was marked by leadership turnover and concerns about competing power centers. Observers worry the Trump administration may downsize the office, even as the U.S. faces growing cyber threats from China-linked hacking campaigns. Cairncross would replace Harry Coker, who recently left for Maryland’s commerce secretary role. (The Record)

This Ad-Tech Company Is Powering Surveillance of US Military Personnel

WIRED and 404 Media jointly report that Lithuanian ad-tech company Eskimi was the source of sensitive location data on U.S. military personnel overseas, which was sold by Florida-based data broker Datastream Group. The data included precise coordinates from devices at U.S. military sites in Germany and was collected through SDKs in mobile apps. U.S. Senator Ron Wyden’s office raised national security concerns, contacting Eskimi, Lithuania’s Data Protection Authority, and Google, which listed Eskimi as an Authorized Buyer. The Lithuanian DPA is assessing the situation, and Eskimi could face penalties under GDPR if found in violation. (Wired)

Apple and Google take down malicious mobile apps from their app stores

In a follow-up to our reporting last week, Apple and Google both removed 20 apps from their app stores after security researchers at Kaspersky discovered that they had contained malware called SparkCat since March 2024. The malware, which has been downloaded over 242,000 times, used optical character recognition to scan image galleries for cryptocurrency wallet recovery phrases and other personal information. Google banned the developers and confirmed that its Play Protect feature safeguarded users from known versions of the malware. Apple did not comment. (TechCrunch)

U.S. adversaries increasingly turning to cybercriminals and their malware for help  

According to a Google Threat Intelligence Group report, adversarial governments are increasingly leveraging cybercriminals and their tools to advance cyber-espionage goals, fueled by resource constraints and the operational demands of conflicts like the war in Ukraine. This trend is also observed in China, Iran, and North Korea, where state-sponsored hackers utilize malware and techniques commonly associated with cybercriminals to enhance deniability and cost-efficiency. Google and other cybersecurity firms warn that this growing overlap between state actors and cybercriminals poses a significant national security threat worldwide. (CyberScoop)

Elon Musk leads a group of investors making an unsolicited bid to acquire OpenAI  

Elon Musk and a group of investors have made a $97.4 billion unsolicited bid to acquire OpenAI, escalating his ongoing feud with CEO Sam Altman. Altman dismissed the offer on X, jokingly offering to buy Twitter for $9.74 billion, to which Musk responded, “Swindler.” Musk’s consortium, which includes Baron Capital and Valor Management, seeks to restore OpenAI’s original open-source mission. Musk argues that OpenAI has strayed from its founding principles, while his own x.AI follows the values he was promised.

The bid complicates Altman’s efforts to take OpenAI private, as the for-profit arm must fairly value the nonprofit’s assets. Musk also urged California’s attorney general to open competitive bidding. Musk co-founded OpenAI in 2015 but left in 2018. His ongoing legal battles against OpenAI focus on its shift toward profit-driven AI. In other OpenAI news, a hacker named ‘emirking’ claimed on BreachForums to be selling 20 million OpenAI credentials, but experts believe the data originates from infostealer malware, not an OpenAI breach.

OpenAI investigated and found no evidence of a compromise. Threat intelligence firm Kela analyzed the data and confirmed it matches infostealer logs, likely collected from malware like Redline, RisePro, and Vidar. The hacker’s post was later deleted, reinforcing suspicions that the claim was exaggerated. BreachForums is known for hosting misleading data breach claims. (Techspot)

Apple patches actively exploited zero-day  

Apple has issued emergency security updates for iOS 18 and iPadOS 18 to fix a zero-day flaw (CVE-2025-24200) that the company says “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” The company explained, “A physical attack may disable USB Restricted Mode on a locked device.” USB Restricted Mode is designed to block forensic tools from accessing data on devices that have been locked for more than an hour. Apple credits the flaw’s discovery to Bill Marczak from the University of Toronto’s Citizen Lab. The company hasn’t shared specifics on the potential exploitation, but BleepingComputer notes that Citizen Lab often focuses on exploits used by commercial spyware tools. (Apple, BleepingComputer)

A peek at DeepSeek’s weak security

According to researchers at AppSOC, DeepSeek’s R1 large language model failed various security tests for business applications, largely due to a lack of comprehensive guardrails. They found that R1 failed to prevent users from generating malware 93% of the time, and that they could jailbreak it past its system safeguards 91% of the time. The model scored better on leaking training data, failing in only 1.4% of attempts. Overall, though, the researchers found it extremely easy to make the model hallucinate and generate toxic or harmful content. (Dark Reading)

Sandworm targeting Ukraine with trojanized KMS  

Researchers at EclecticIQ found that since late 2023 the Russian cyber-espionage group Sandworm has been using fake Windows updates and a trojanized version of Microsoft Key Management Service (KMS) activators to target victims in Ukraine, with evidence of seven malware campaigns using similar lures. The attack starts by luring victims to typo-squatted domains that install the DcRAT trojan on their machine. From there, it presents a fake Windows activation interface, disables Windows Defender, and delivers a further payload. The approach appears effective because of the widespread use of pirated software in Ukraine, even in the government sector. (Bleeping Computer)

Google Tag Manager used to deploy card skimmers  

Just when you thought it was safe to go shopping. According to researchers at Sucuri, a handful of e-commerce sites were found using what looked like a typical Google Tag Manager and Google Analytics script for store analytics, but which included a containerized backdoor that allowed persistent access. The script was used to collect payment information during the checkout process. It is unclear what vector is being used to get the script onto these sites. (The Hacker News)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.

Critical Medical Data at Risk: Orthanc Server Vulnerability Exposed

A newly disclosed vulnerability in Orthanc, an open-source DICOM server widely used in healthcare, is raising serious alarms for the industry. If exploited, this vulnerability could allow attackers to gain unauthorized access to sensitive patient imaging records and even disrupt hospital operations. Given the critical nature of healthcare systems, this vulnerability poses a significant threat to both medical data and operational continuity.

The cybersecurity challenge in healthcare

This vulnerability highlights one of the many cybersecurity challenges within the healthcare sector. Medical systems are prime targets for cybercriminals because of the invaluable data they handle. It is a reminder that healthcare organizations must remain vigilant in securing their networks and systems, as even a single vulnerability can lead to severe consequences.

As healthcare organizations continue to digitize patient information, it’s more important than ever to prioritize network visibility and strong access controls. This proactive approach is essential to reducing the risk of unauthorized access and safeguarding patient data.

How RedSeal can help

RedSeal offers critical support to healthcare organizations looking to defend against such vulnerabilities:

  • Identify unprotected medical devices and network gaps: By mapping your network and identifying unprotected devices, RedSeal ensures that vulnerabilities like the one in Orthanc are identified and mitigated before they can be exploited.
  • Ensure proper segmentation to prevent unauthorized access: RedSeal provides the visibility needed to segment your network effectively, ensuring that sensitive data remains secure even if attackers breach one part of the system.
  • Map attack paths to critical healthcare assets: RedSeal helps organizations map attack paths to critical healthcare assets, enabling them to close gaps in defense and strengthen overall resilience.

The time to act is now

The ongoing threat landscape demands a proactive cybersecurity posture, and RedSeal is here to help. If you’re looking to fortify your healthcare systems, now is the time to ensure they are equipped to withstand evolving cyber threats. Let RedSeal guide you toward a more secure, resilient future.

To learn more about how RedSeal supports the healthcare industry, download our white paper, Healthcare Cybersecurity: Proactive Strategies for Network Visualization and Compliance today.

Cyber News Roundup for February 7, 2025

As cyber threats continue to evolve, this week’s roundup highlights several urgent vulnerabilities and incidents making headlines. From CISA’s warning on a critical Linux kernel flaw to growing concerns about SVG file-based phishing attacks, we explore the latest risks impacting organizations across sectors.

Staying ahead of emerging threats is crucial, especially with increasing exploitation of unpatched vulnerabilities. Read on for the latest updates, including cybersecurity guidelines, new malware variants, and trends in ransomware payments.

CISA directs federal agencies to patch a high-severity Linux kernel flaw

CISA has ordered U.S. federal agencies to patch a high-severity Linux kernel flaw (CVE-2024-53104) within three weeks due to active exploitation. The vulnerability, found in the USB Video Class (UVC) driver, enables privilege escalation on unpatched devices. Google patched it for Android users, warning of limited, targeted attacks. Security experts believe forensic tools may be exploiting this flaw. CISA also flagged critical vulnerabilities in Microsoft .NET and Apache OFBiz, urging manufacturers to enhance network forensic visibility to aid cyber defense. (Bleepingcomputer)

Cybercriminals exploit SVG files in phishing attacks

Researchers at Sophos say cybercriminals are exploiting Scalable Vector Graphics files in phishing attacks to bypass email security filters. SVG files, unlike typical image formats, can contain embedded links and scripts that direct victims to phishing sites. Attackers disguise these files as legal documents, voicemails, or invoices, using familiar brands like DocuSign and Microsoft SharePoint. Once opened, the file redirects users to fraudulent login pages that steal credentials. Some attacks also deliver malware or leverage CAPTCHA gates to evade detection. Researchers identified evolving tactics, including localized phishing pages and embedded keystroke loggers. Security experts recommend setting SVG files to open in Notepad instead of a browser and carefully checking URLs for legitimacy. Sophos suggests organizations should update email security solutions to detect malicious SVG attachments and prevent credential theft. (Sophos)
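
As an added example (not code from Sophos or from the original roundup), the Python triage helper below flags the SVG features the item describes: embedded scripts, event-handler attributes, and links or JavaScript URIs that carry the viewer away from the file. It is the kind of check a mail gateway or an analyst can run on an attachment before anyone opens it in a browser. The sample attachments and the host `login-docs.example.invalid` are constructed placeholders, and `allowed_hosts` is an assumed parameter for hosts the organization trusts.

```python
"""Triage helper for SVG e-mail attachments.

Added example (not from the Sophos report or the original roundup): flags the
SVG features the article describes -- embedded scripts, event handlers, and
links that lead the viewer to another site -- so a mail gateway or analyst
can quarantine an attachment before a user opens it in a browser.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Elements that give an SVG active content or let it embed arbitrary HTML.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes (local names) that can carry a URL or script reference.
URL_ATTRS = {"href", "src", "data"}


def _local(name):
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text, allowed_hosts=()):
    """Return a sorted, de-duplicated list of findings for one SVG document.

    allowed_hosts: hostnames whose links are considered benign (for example
    the organisation's own CDN; an assumed parameter). Any other http(s)
    target, every javascript: URI, every on* event handler and every
    active-content element is reported. An empty list means nothing
    suspicious was found.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself a signal: browsers are far more forgiving
        # than XML parsers, so a file that only a browser can render deserves
        # a closer look rather than a pass.
        return [f"unparseable-xml: {exc}"]

    findings = set()
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.add(f"active-content:<{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on") and len(name) > 2:  # onload, onclick, ...
                findings.add(f"event-handler:{name}")
            if name in URL_ATTRS:
                parsed = urlparse(value.strip())
                scheme = parsed.scheme.lower()
                if scheme == "javascript":
                    findings.add("javascript-uri")
                elif scheme in ("http", "https"):
                    host = (parsed.hostname or "").lower()
                    if host not in allowed_hosts:
                        findings.add(f"external-link:{host}")
    # An HTML <meta http-equiv="refresh"> smuggled in via <foreignObject>
    # redirects the viewer without any script at all.
    for meta in root.iter(f"{{{XHTML_NS}}}meta"):
        if meta.get("http-equiv", "").lower() == "refresh":
            findings.add("html-meta-refresh")
    return sorted(findings)


def is_suspicious(svg_text, allowed_hosts=()):
    """Convenience wrapper: True if the attachment should be quarantined."""
    return bool(scan_svg(svg_text, allowed_hosts))


# Constructed sample resembling the lure the article describes: a fake
# "secured document" whose only purpose is to send the viewer to a
# credential-harvesting page. The host is a placeholder, not a real site.
SAMPLE_LURE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <a xlink:href="https://login-docs.example.invalid/view">
    <text x="20" y="40">Open secured document</text>
  </a>
  <script>window.location = "https://login-docs.example.invalid/view";</script>
</svg>"""

# Constructed benign sample: a plain vector drawing with no links or scripts.
SAMPLE_BENIGN = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {scan_svg(doc) or 'clean'}")
```

The scanner is deliberately a triage heuristic, not a sanitizer: a benign drawing yields an empty list, while the lure is flagged twice (for its `<script>` element and for the external link), and an attachment that the XML parser cannot even read is reported rather than waved through. Pairing it with the article's advice to open SVGs in a text editor rather than a browser gives the analyst both the verdict and the evidence.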

Cisco patches multiple vulnerabilities

Cisco has released patches for multiple vulnerabilities, including two critical flaws in its Identity Services Engine (ISE). Tracked as CVE-2025-20124 and CVE-2025-20125, these bugs could allow authenticated attackers to execute arbitrary commands and tamper with device configurations. Patches are available in ISE versions 3.1P10, 3.2P7, and 3.3P4, with no workarounds. Additionally, Cisco warned of high-severity SNMP vulnerabilities in IOS, IOS XE, and IOS XR, which could cause denial-of-service (DoS) attacks. Patches are expected by March. Medium-severity flaws affecting various Cisco products were also addressed. No active exploits have been reported. (SecurityWeek)

Five Eyes agencies issue security guidance for network edge devices

Cybersecurity agencies from Australia, Canada, New Zealand, the UK, and the US have shared security guidance for producers of network devices and appliances. The guidance, produced by the UK’s National Cyber Security Centre (NCSC), “outlines expectations for the minimum requirement for forensic visibility, to help network defenders secure organisational networks both before and after a compromise.” The guidance includes requirements for secure logging and data collection. The advisory notes, “Devices and appliances should support near-real-time log transfer using a standards-based protocol, protected using transport layer security (TLS) encryption in a recognised secure configuration. Log formats should be fully documented to allow third-party platforms and tools to ingest them and be machine readable using a standardised format.” (NCSC)

Critical RCE bug in Microsoft Outlook now exploited in attacks

CISA is warning federal agencies in the U.S. to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability. This vulnerability, discovered by researchers at Check Point, and which has a CVE number, is caused by “improper input validation when opening emails with malicious links using vulnerable Outlook versions.” As a result, attackers can gain remote code execution capabilities because “the flaw lets them bypass the Protected View (which should block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.” Yesterday (Thursday) CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, meaning that federal agencies must secure their networks by February 27. (BleepingComputer)

Spain arrests hacker of U.S. and Spanish military agencies

Spanish police arrested a suspect for allegedly conducting 40 cyberattacks targeting critical organizations and universities. The police said the suspect accessed internal data and personal info of employees and customers and used BreachForums to sell and leak the data. Leaks for NATO, the U.S. military, and Spain’s Guardia Civil and Ministry of Defence were listed as most successfully sold. During a raid of the suspect’s residence, police found and seized multiple computers, electronic devices, and 50 cryptocurrency accounts. The hacker could face a maximum sentence of 20 years in prison under Spanish law. (Bleeping Computer)

Ransomware payments decreased 35% year-over-year 

According to a new report from Chainalysis, in 2024, ransomware attackers racked up $813.55 million in victim payments, a 35% decrease from 2023’s record-setting year of $1.25 billion. The drop is attributed to increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay. The report highlighted ransomware gang disruption including the LockBit takedown in February 2024 and BlackCat’s apparent ‘exit scam’ following its attack on Change Healthcare. While LockBit has rebranded and made a comeback, payments to the group fell by around 79% in H2 2024 compared to H1. Chainalysis also observed many attackers shifting tactics, deploying new ransomware strains and moving more quickly to ransom negotiations, often beginning within hours of data exfiltration. (Chainalysis and Infosecurity Magazine)

North Korean threat actors drop new variants of the FERRET malware family

SentinelOne is tracking several new variants of macOS malware attributed to North Korean threat actors. Apple, which tracks the malware family as “FERRET,” last week pushed a signature update to its built-in antivirus tool XProtect to block three new variants of the malware. SentinelOne also discovered a variant dubbed “FlexibleFerret” which is still undetected by XProtect.

The FERRET malware family was identified in December 2024 as part of a North Korean campaign targeting job seekers. SentinelOne says the threat actors are currently attempting to spread the malware by opening fake issues on legitimate developers’ repositories. (SentinelOne, Palo Alto)

Abandoned cloud infrastructure creates major security risks

Researchers at watchTowr have published a report on the security risks posed by abandoned cloud infrastructure. The researchers focused on AWS S3 buckets, but noted that the same issues can apply to any cloud storage provider.

watchTowr discovered and took control of 150 neglected Amazon S3 buckets, some of which had once been used by governments, Fortune 500 companies, cybersecurity firms, and major open-source projects, that were still being pinged by organizations worldwide for software updates, system configurations, and critical files. One of the buckets was owned by the US Cybersecurity and Infrastructure Security Agency (CISA), which the researchers note “is an incredible example of how this challenge is ubiquitous and not limited to only the unenlightened.” The report stresses that a threat actor could have abused these assets to launch devastating supply chain attacks.

The buckets discovered by watchTowr have since been sinkholed. An AWS spokesperson told CyberScoop in response to the research, “[T]he issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications,” adding that customers should follow best practices, including “using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets.” (watchTowr, CyberScoop)
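
The two practices AWS recommends in the item above, reference only buckets you own and name buckets so they cannot be re-registered by someone else, are straightforward to check for. The Python script below is an added example, not watchTowr's tooling and not RedSeal's: it pulls S3 bucket references out of configuration text in the three common forms (`s3://` URIs, virtual-hosted and path-style URLs), compares them against an inventory of buckets the account actually owns, and builds new bucket names with an account-bound random suffix. The config text, the bucket names, the account ID `123456789012` and the `OWNED_BUCKETS` inventory are all constructed samples.

```python
"""Find S3 bucket references in application configuration that no longer
point at a bucket the organisation owns.

Added example, not watchTowr's tooling and not RedSeal's. It implements the
two practices AWS recommends in the article: reference only buckets you own,
and create buckets under names that cannot be guessed and re-registered once
the bucket is deleted. The inventory and the config text are constructed
samples with made-up names.
"""
import re
import secrets

# S3 bucket naming rule used for extraction and validation (3-63 chars,
# lowercase letters, digits, dots and hyphens, starting/ending alphanumeric).
_BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"

# The three ways a bucket is commonly referenced in configs and manifests:
# s3:// URIs, virtual-hosted URLs (bucket.s3[.region].amazonaws.com) and
# path-style URLs (s3[.region].amazonaws.com/bucket).
_S3_PATTERNS = [
    re.compile(rf"s3://({_BUCKET})", re.IGNORECASE),
    re.compile(rf"https?://({_BUCKET})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com",
               re.IGNORECASE),
    re.compile(rf"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/({_BUCKET})",
               re.IGNORECASE),
]


def extract_bucket_refs(text):
    """Return the set of bucket names referenced anywhere in the text."""
    refs = set()
    for pattern in _S3_PATTERNS:
        for match in pattern.finditer(text):
            refs.add(match.group(1).lower())
    return refs


def find_dangling_refs(text, owned_buckets):
    """Referenced bucket names that are not in the owned-bucket inventory.

    Each of these is a candidate for the failure watchTowr described: if the
    bucket has been deleted, anyone can re-create the name and serve files to
    every client that still references it. The inventory is assumed to come
    from the account's authoritative bucket list (for example the output of
    `aws s3api list-buckets`) and is supplied by the caller.
    """
    owned = {name.lower() for name in owned_buckets}
    return sorted(extract_bucket_refs(text) - owned)


def unique_bucket_name(prefix, account_id):
    """Build a bucket name tied to the account with a random suffix, so that
    nobody can predict the name and squat it after the bucket is deleted."""
    name = f"{prefix}-{account_id}-{secrets.token_hex(4)}".lower()
    if not re.fullmatch(_BUCKET, name):
        raise ValueError(f"not a valid S3 bucket name: {name}")
    return name


# Constructed sample: an installer manifest / CI config with several bucket
# references. Every name here is made up.
SAMPLE_CONFIG = """
update_url = https://updates-example-corp.s3.amazonaws.com/agent/latest.json
backup_uri = s3://example-corp-backups-prod/daily/
legacy_url = https://s3.eu-west-1.amazonaws.com/legacy-installer-files/setup.exe
mirror_url = https://old-vendor-mirror.s3.eu-west-1.amazonaws.com/pkg.tar.gz
"""

# Constructed inventory of buckets the account still owns.
OWNED_BUCKETS = {"updates-example-corp", "example-corp-backups-prod"}


if __name__ == "__main__":
    for bucket in find_dangling_refs(SAMPLE_CONFIG, OWNED_BUCKETS):
        print(f"dangling reference: {bucket}")
    print("new bucket name:", unique_bucket_name("updates", "123456789012"))
```

Run against the sample config, the script reports `legacy-installer-files` and `old-vendor-mirror` as references that no owned bucket backs, which is exactly the state that let watchTowr register names that organizations were still fetching updates from. The name builder rejects anything outside the S3 naming rules, so a typo in a prefix fails early rather than producing a bucket that cannot be created.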

Meta says it may stop development of AI systems it deems too risky

Meta CEO Mark Zuckerberg has pledged to make artificial general intelligence (AGI) openly available, but Meta’s new Frontier AI Framework outlines scenarios where it may withhold highly capable AI systems due to safety concerns. Meta classifies such systems as “high risk” or “critical risk,” based on their potential to aid in cybersecurity breaches or biological attacks, with critical-risk systems posing catastrophic, unmitigable threats. The framework, guided by expert input rather than strict empirical tests, reflects Meta’s attempt to balance openness with security, especially amid criticism of its open AI strategy. (TechCrunch)

Google describes APTs using Gemini AI

Researchers at Google’s Threat Intelligence Group say they have detected government-linked APT groups that are using Gemini primarily for what they call “productivity gains” rather than to develop new AI-enabled cyberattacks. As an example, Google says, Gemini can help them shorten the preparation period in “coding tasks for developing tools and scripts, research on publicly disclosed vulnerabilities…finding details on target organizations, and searching for methods to evade detection, escalate privileges, or run internal reconnaissance in a compromised network.” Google has identified APT groups from more than 20 countries that are using Gemini this way, with the top four being Iran, China, North Korea, and Russia. (BleepingComputer)

Two regional healthcare systems report data breaches

Connecticut’s Community Health Center Inc. and California’s NorthBay Healthcare Corporation have both filed notifications regarding breaches that occurred last year and exposed large troves of patient data. Community Health Center, “which runs dozens of facilities and clinics across Connecticut, said just over one million current and former patients had data stolen during a cyberattack discovered on January 2.” The NorthBay attack, which occurred between January and April of last year and was claimed by the Embargo group in April, impacted just over half a million people through theft of health-related data. (The Record)

Exploited vulnerabilities up significantly from previous year

The number of exploited vulnerabilities surged in 2024, with 768 CVEs actively targeted, a 20% increase from the year before. Nearly a quarter of these were weaponized on or before their public disclosure. Chinese threat actors remain major players, with 15 groups linked to the exploitation of top vulnerabilities, including Log4j. The exploited flaws include those in products from Citrix, Cisco, Zoho, and Microsoft, to name a few. (The Hacker News)

First U.S. state to declare ban on DeepSeek 

Texas is the first state to take a public stand against Chinese AI company DeepSeek and social media app Xiaohongshu (RedNote), banning the apps from state-issued devices. Governor Greg Abbott cited security concerns and the threat of data harvesting for the ban. Meanwhile, across the pond, Italy’s Data Protection Authority has also blocked DeepSeek’s chatbot service and demanded details on its data collection practices amid mounting privacy concerns, even as the company denies operating in Italy. (Security Affairs)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.