March 2025 - RedSeal

RedSeal: The Ideal Solution for Former Skybox Customers

On February 24, 2025, Skybox shut its doors as Tufin acquired limited assets from the company, leaving Skybox customers without support or service agreements. Now, those who relied on Skybox are stuck in limbo, unsure of what to do next. The uncertainty is real, but here’s the good news: RedSeal is the best partner to help you transition smoothly without losing critical capabilities—and without the financial penalties or operational disruptions.

The situation for Skybox customers

Tufin’s acquisition only covers select assets from Skybox, leaving existing customer contracts behind. This means that Skybox customers must migrate to Tufin or find a new home for their cybersecurity program. While Tufin offers some incentives to make the switch, it doesn’t cover everything Skybox customers need—such as vulnerability management (VM), attack path management (APM), and critical compliance features, all of which are capabilities relied upon to protect a network.

RedSeal is the clear choice

From comprehensive network visibility to advanced vulnerability management and attack path management, RedSeal ensures continuity and enhances your security posture during the migration. Unlike Tufin, RedSeal offers a migration path that keeps critical features intact while giving you access to even more robust capabilities. When you move to RedSeal, you’re taking your security to the next level.

Limited time migration offer

To make this transition even easier, RedSeal is offering a program for Skybox customers. If you have less than six months remaining on your Skybox subscription, we’ll allow you to migrate to RedSeal at no additional cost for those remaining months. If you’re on a perpetual license, we’ll take over support at the same rate you were paying Skybox and move you to a RedSeal subscription within two years. This is your chance to move without the usual hassle or financial burden.

Conclusion

Don’t let the closure of Skybox leave your network security in the dark. With RedSeal, you get a seamless migration, full continuity of your critical security features, and an upgraded platform that will set your organization up for future growth.

Now is the time to act.

Schedule a demo today and see for yourself how RedSeal is the solution you need to stay ahead of the curve.

 

Cyber News Roundup for March 28, 2025

This week’s cyber news roundup highlights key incidents, including the exposure of over 150 U.S. government database servers, shifting cybersecurity responsibilities to states, and the risk to DNA records following 23andMe’s bankruptcy. We also cover the abuse of Microsoft’s Trust Signing service for malware and a China-linked APT that remained hidden in a telecom network for years.

Stay tuned for more on these evolving threats. At RedSeal, we help organizations manage cyber exposure proactively to stay ahead of these risks.

 

Over 150 government database servers are dangerously exposed to the internet

A recent investigation has revealed a major cybersecurity threat to U.S. government data. Over 150 government database servers—used by agencies like the Departments of Agriculture, Education, and Energy—are exposed to the internet, violating basic security protocols. These databases, hosted on Microsoft’s Azure Gov Cloud, have open ports vulnerable to brute-force attacks and known exploits. The report highlights over 655 unauthorized access attempts and more than 200 real-time data replications, suggesting serious flaws in authentication and data protection. Analysts believe the exposure stems from a rushed federal data centralization effort. Experts are calling for urgent action, including Congressional hearings and audits, to address what could become a catastrophic breach.

The White House is shifting cybersecurity responsibilities from federal agencies to states and local governments. A new executive order from President Trump introduces a National Resilience Strategy, aiming to give local entities more control over defending infrastructure and elections from cyber threats. This move follows cuts to federal cybersecurity teams and programs, leaving states without vital support like vulnerability alerts and free risk assessments. Experts warn this decentralization could lead to fragmented defenses, especially as many states lack the resources and intelligence centers to fill the gap. Cybersecurity professionals say the burden will hit underfunded sectors like schools and small municipalities hardest. Critics argue the shift, combined with federal workforce reductions, undermines national security and leaves states to manage growing cyber risks largely on their own. (GB Hackers)

 

Web service outage in Russia due to reported Cloudflare block

The outages were observed Thursday across numerous Russian regions, affecting platforms including “TikTok, Steam, Twitch, Epic Games, Duolingo and major Russian mobile operators.” Also impacted were banking and government services, and messaging apps such as Telegram and WhatsApp. Industry experts suggest the outage was caused by the Russian government’s blocking of U.S.-based Cloudflare. Russian internet regulator Roskomnadzor recommended that local organizations switch to Russian hosting providers. (The Record)

Microsoft Trust Signing service abused to code-sign malware   

Researchers at BleepingComputer and elsewhere are observing more instances of threat actors using the Microsoft Trusted Signing service to “sign their malware with short-lived, three-day code-signing certificates.” Code-signing certificates make malware appear legitimate, potentially bypassing security filters that block unsigned executables. Extended Validation (EV) certificates are particularly sought after by threat actors due to the increased trust they confer from cybersecurity programs and their ability to help bypass alerts in SmartScreen. A cybersecurity researcher and developer with the wonderful name of Squiblydoo told BleepingComputer that they believe threat actors are switching to Microsoft’s service out of convenience, especially given that recent changes to EV certificates are causing confusion for users – something threat actors are taking advantage of. (BleepingComputer)

FCC alleges Chinese telecom companies are making ‘end run’ around bans   

The Federal Communications Commission’s newly created Council on National Security will conduct a “sweeping investigation of Chinese-made equipment in America’s telecommunications infrastructure,” according to an announcement made on Friday. The focus will be on Chinese companies like Huawei, ZTE, and others, who have been banned from doing business with U.S. companies, but who allegedly continue to exploit loopholes or simply massively underbid other competitors when dealing with smaller U.S. telecommunications providers. (Cyberscoop)

 

23andMe bankruptcy puts millions of DNA records at risk   

23andMe filed for bankruptcy on Monday and many are asking the question, what’s going to happen to all of that personal information? Some have raised major concerns that its vast database of genetic data could be sold off to the highest bidder. While the company insists privacy protections will remain intact, court documents make it clear that all assets—including customer DNA records—are on the table. California’s Attorney General issued a release ahead of the announcement urging users to delete their data immediately, warning that unlike passwords, genetic information is permanent. Instructions on how to delete that data can be found in today’s show notes. (The Record, CyberScoop, California Attorney General Release)

China-linked APT hid in telecom network for years   

China-linked APT group Weaver Ant spent over four years inside an Asian telecom provider’s network, using compromised Zyxel routers to hide traffic and infrastructure. Researchers at Sygnia uncovered the intrusion, which relied on web shell tunneling—linking multiple web shells like China Chopper and the custom-built INMemory to move laterally and maintain persistence. The group exfiltrated credentials, access logs, and network configurations while evading detection through encryption, SMB lateral movement, and disabling security logs. (Dark Reading)(Sygnia)(Bleeping Computer)

 

NIST struggles to keep up   

The National Institute of Standards and Technology (NIST) is struggling to clear a growing backlog of CVEs in the National Vulnerability Database (NVD), with a 32% increase in submissions last year exacerbating the issue. Despite maintaining processing rates, the backlog continues to grow, and NIST anticipates even higher submission volumes in 2025. The delays are impacting organizations’ ability to access timely vulnerability data, creating a gap between reported issues and actionable intelligence despite efforts to increase staff. (Security Week)

A Pennsylvania union notifies over 517,000 individuals of a data breach   

The Pennsylvania State Education Association (PSEA) is notifying over 517,000 individuals of a data breach from July 2024, where attackers stole personal, financial, and health data, including Social Security numbers and payment information. The Rhysida ransomware gang claimed responsibility, demanding a 20 BTC ransom. PSEA has not disclosed if it paid. Rhysida has previously attacked major institutions, including the British Library and Lurie Children’s Hospital. Affected individuals are offered free credit monitoring and urged to monitor their accounts. (Bleeping Computer)

 

Veeam patches backup and replication vulnerabilities   

The defect, which has a CVE number and a CVSS score of 9.9, could allow for “remote code execution by authenticated domain users.” It affects numerous backup and replication versions in the 12.x range. According to cybersecurity firm watchTowr, which reported the vulnerability, it is “rooted in a broader issue within Veeam’s deserialization mechanism,” which, watchTowr says, the company has “failed to properly address.” watchTowr also points out that “while the exploitation of the new vulnerability requires for the attacker to be logged in, the authentication requirement is fairly weak.” (SecurityWeek)

 

Nation-state groups hit organizations with Microsoft Windows zero-day   

Researchers at Trend Micro “discovered and reported this particular eight-year-old defect to Microsoft six months ago, but no remediations or fixes have arrived as of yet.” The vulnerability does not yet have a CVE number but it “allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut .lnk files, also known as shell link files.” According to the researchers’ report, a link to which is included in the show notes, state-sponsored groups have been exploiting the zero-day since 2017, targeting governments, think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors. (Cyberscoop and Trend Micro)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Navigating the Future of Multi-Cloud Security

The shift to multi-cloud architectures has been a game-changer for organizations seeking agility, scalability, and resilience. While cloud adoption simplifies infrastructure in some ways, it also introduces new security complexities. Each cloud provider has its own controls, security models, and visibility gaps, creating a fragmented security environment that makes risk management harder than ever.

You’re not alone if cloud security feels more like a tangled web than a structured framework. The challenge isn’t just securing data and workloads; it’s understanding what you actually have, where your risks are, and how attackers might exploit them.

The multi-cloud dilemma: More clouds, more complexity

A multi-cloud strategy is great for avoiding vendor lock-in and optimizing costs, but it comes with real security trade-offs. Visibility is inconsistent, security policies don’t always translate across providers, and misconfigurations remain one of the top causes of cloud breaches.

Security teams are left with a familiar set of challenges:

  • Cloud silos obscure risk. Each provider has its own tools, dashboards, and logging formats, making it difficult to get a unified view of security posture.
  • Misconfigurations are everywhere. One wrong setting—an overly permissive identity policy or an unprotected storage bucket—can expose critical data to the Internet.
  • Attackers love complexity. The more fragmented and inconsistent the environment, the easier it is for bad actors to find and exploit security gaps.

The harsh reality? If you can’t see it, you can’t secure it. And in a multi-cloud world, attackers often see the gaps before you do.

Beyond traditional security: Adapting to the multi-cloud reality

Security strategies built for on-prem networks don’t translate neatly into cloud environments. Many organizations rely on traditional perimeter defenses or cloud-native security tools that don’t integrate well across providers.

What’s needed is a shift in approach—one that prioritizes visibility, adaptability, and continuous validation.

  • Prioritize unified visibility. You can’t manage risk without knowing where your assets are, how they’re connected, and what’s exposed. Security teams need a consolidated view across cloud environments, on-prem networks, and hybrid infrastructure.
  • Move beyond static security policies. Cloud environments are dynamic; security should be, too. Policies must adjust in real-time based on risk, rather than relying on manual configurations that quickly become outdated.
  • Think like an attacker. The best way to secure a multi-cloud environment is to understand how an attacker would move through it. Mapping potential attack paths helps identify where security gaps exist before they’re exploited.

Navigating the future of multi-cloud security

As organizations scale their cloud operations, security must become more proactive, automated, and adaptable. Instead of chasing alerts or manually correlating risks across different platforms, security teams should focus on understanding how cloud assets interact and where risk accumulates.

The challenge isn’t just the volume of security data; it’s knowing what’s important and what to do about it. Without a clear view of the full cloud attack surface, teams are forced into reactive firefighting. RedSeal tackles this challenge by mapping hybrid and multi-cloud networks to enable teams to visualize risk and prioritize security efforts where they matter most.

To take control of multi-cloud security, organizations need to:

  • Unify visibility across environments. Security teams must see the full picture, not just isolated cloud dashboards. RedSeal’s modeling capabilities provide a comprehensive view of cloud and on-prem infrastructure, revealing misconfigurations, unintended access paths, and policy gaps.
  • Simulate attack paths before attackers do. Instead of reacting to breaches, organizations should understand how an attacker would move through their network. RedSeal’s attack path analysis highlights the most likely routes bad actors would take, allowing teams to address weaknesses before they can be exploited.
  • Enforce consistent security policies. Security policies that work in one cloud may not translate to another. RedSeal normalizes security controls across providers, identifying inconsistencies that could leave critical data exposed.
  • Prioritize risk based on real exposure. Not all vulnerabilities are equal. RedSeal helps teams cut through the noise by identifying which risks pose real threats based on actual network reachability—not just theoretical CVEs.
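As an added illustration of the two ideas in the list above, simulating attack paths and ranking findings by real reachability rather than by CVSS alone, the following Python is example code written for this page, not RedSeal’s product code. It assumes a constructed set of allowed flows (source, destination, port) distilled from hypothetical security-group, ACL and firewall rules across three clouds and an on-prem segment; the host names and the FINDING-* ids are placeholders, not real assets or CVEs.

```python
from collections import deque

# Constructed sample data (not a real environment): each tuple is an allowed flow
# (source, destination, TCP port) distilled from hypothetical cloud security groups,
# on-prem ACLs and firewall rules. "internet" is the untrusted origin.
ALLOWED_FLOWS = [
    ("internet", "aws-web-01", 443),
    ("aws-web-01", "azure-app-01", 8080),
    ("azure-app-01", "gcp-db-01", 5432),
    ("onprem-admin", "gcp-db-01", 5432),
    ("onprem-admin", "azure-app-01", 22),
]

# Constructed scanner findings; ids are placeholders, not real CVEs.
FINDINGS = [
    {"id": "FINDING-A", "host": "aws-web-01", "port": 443, "cvss": 7.5},
    {"id": "FINDING-B", "host": "gcp-db-01", "port": 5432, "cvss": 9.8},
    {"id": "FINDING-C", "host": "azure-app-01", "port": 8080, "cvss": 8.1},
    {"id": "FINDING-D", "host": "azure-app-01", "port": 22, "cvss": 9.0},
    {"id": "FINDING-E", "host": "onprem-admin", "port": 3389, "cvss": 9.8},
]


def reachability(flows, origin):
    """Breadth-first walk over allowed flows, treating every reachable host as a
    possible next foothold. Returns {host: (hops_from_origin, ports_reachable)},
    where ports_reachable is the set of ports on that host that some already
    reachable host is permitted to talk to."""
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for src, dst, _port in flows:
            if src == node and dst not in hops:
                hops[dst] = hops[node] + 1
                queue.append(dst)
    ports = {host: set() for host in hops}
    for src, dst, port in flows:
        if src in hops:  # dst is then reachable too, by construction
            ports[dst].add(port)
    return {host: (hops[host], ports[host]) for host in hops}


def attack_path(flows, origin, target):
    """Shortest chain of hosts between origin and target under the allowed flows,
    or None when no permitted path exists."""
    prev = {origin: None}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for src, dst, _port in flows:
            if src == node and dst not in prev:
                prev[dst] = node
                queue.append(dst)
    return None


def prioritize(findings, flows, origin="internet"):
    """Rank findings by real exposure: reachable from origin on the vulnerable port
    first (fewest hops, then highest CVSS); unreachable ones last, by CVSS alone."""
    reach = reachability(flows, origin)
    ranked = []
    for f in findings:
        info = reach.get(f["host"])
        exposed = info is not None and f["port"] in info[1]
        ranked.append({**f, "exposed": exposed, "hops": info[0] if exposed else None})
    ranked.sort(key=lambda r: (not r["exposed"], r["hops"] or 0, -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, ALLOWED_FLOWS):
        path = attack_path(ALLOWED_FLOWS, "internet", r["host"]) if r["exposed"] else None
        print(f'{r["id"]:<10} {r["host"]:<14} cvss={r["cvss"]:<4} '
              f'exposed={r["exposed"]!s:<5} hops={r["hops"]} path={path}')
```

Run as a script it prints the ranked list. The two CVSS 9.8 findings land in very different places: the database flaw is exposed three hops in, so it ranks above nothing with a shorter path but above every unreachable item, while the admin host’s 9.8 drops to the bottom because no allowed flow from the internet reaches it at all. The SSH finding on the app host is likewise unexposed, since the only flow into port 22 comes from the on-prem admin segment, which the internet cannot reach.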

Multi-cloud security isn’t about layering on more tools—it’s about gaining the clarity and control needed to proactively manage risk. With the right strategy and RedSeal’s ability to provide network-wide situational awareness, organizations can stop playing catch-up and start making smarter, data-driven security decisions before attackers strike.

Contact us today.

 

Cyber News Roundup for March 21, 2025

In this week’s cyber news roundup, we delve into a range of critical incidents and updates. From a massive data breach impacting over 500,000 individuals at the Pennsylvania State Education Association, to the active exploitation of vulnerabilities in Fortinet and Apache Tomcat, cyber threats continue to evolve. We’ll also touch on Google’s $32 billion acquisition of Wiz, the U.S. government’s warning on cybersecurity team layoffs, and a ransomware attack in the remote island nation of Yap. Stay tuned as we break down these stories and their implications for cybersecurity. At RedSeal, we’re dedicated to helping organizations proactively manage their cyber exposure and reduce risk, ensuring that threats like these don’t catch you off guard.

 

CISA confirms active exploitation of a critical Fortinet vulnerability  

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical Fortinet vulnerability (CVE-2025-24472) in ransomware attacks. The flaw, affecting FortiOS and FortiProxy, allows attackers to gain super-admin privileges via crafted proxy requests. Linked to the Mora_00 ransomware group, it has been exploited to deploy a new strain called SuperBlack. Additionally, CISA flagged a supply chain vulnerability (CVE-2025-30066) in the tj-actions/changed-files GitHub Action, which impacted over 23,000 organizations. Attackers modified the code, exposing CI/CD secrets in GitHub Actions logs. Organizations are urged to patch Fortinet devices (FortiOS 7.0.17, 7.2.13, 7.0.20) and ensure they’re using a secure version of the GitHub Action to prevent further exploitation. (Infosecurity Magazine)

 

Attackers swipe data from Pennsylvania teachers union  

The Pennsylvania State Education Association (PSEA) reported to the Office of the Maine Attorney General that they suffered a breach impacting 517,487 people. The nonprofit said the attack occurred on July 6 and exposed sensitive financial and health information. Although PSEA’s disclosure didn’t explicitly mention ransomware or extortion, it did say that steps were taken to ensure the stolen data was deleted. The Rhysida ransomware gang publicly claimed responsibility for the attack back in September 2024. (The Record and Bleeping Computer)

 

IBM warns of critical vulnerabilities in AIX  

IBM’s Advanced Interactive eXecutive (AIX) operating system rarely makes the cyber news these days. But IBM is now urging its customers to apply patches after disclosing two critical vulnerabilities (CVE-2024-56346 and CVE-2024-56347), one of which carries a maximum severity score of 10. Both flaws are caused by improper process controls and allow remote attackers to execute arbitrary commands. Third-party sources suggest around 9,000 organizations still use the OS, which is generally deployed in critical applications powering high-value industries. IBM said AIX versions 7.2 and 7.3 are both vulnerable and should be updated immediately. (The Register)

 

An Apache Tomcat vulnerability is under active exploitation  

A critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited. The flaw, disclosed on March 10, 2025, allows attackers to gain control of servers via a simple PUT request. Exploits appeared on GitHub just 30 hours after disclosure. Attackers upload base64-encoded payloads via a PUT request, then trigger execution with a GET request using a JSESSIONID cookie. Security tools struggle to detect this due to encoded payloads and multi-step execution. Apache urges immediate updates to Tomcat 11.0.3+, 10.1.35+, or 9.0.99+. Meanwhile, organizations should disable partial PUT support and restrict sensitive file storage. (Cyber Security News)
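The two-step sequence the article describes (a PUT, then a GET carrying a JSESSIONID cookie from the same client) is something a defender can look for in access logs. The Python below is an added detection example written for this page, not code from the article, Apache or RedSeal. It assumes a constructed log format: Tomcat’s common access-log layout with one extra quoted field holding the request’s JSESSIONID cookie, which the stock layout does not include and which the example assumes the access log valve has been configured to emit. The log lines and addresses are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real server): common access-log layout
# plus a trailing quoted field with the JSESSIONID cookie value, "-" when absent.
LOG_LINES = """\
203.0.113.7 - - [20/Mar/2025:10:01:05 +0000] "PUT /app/notes/entry.txt HTTP/1.1" 409 - "-"
203.0.113.7 - - [20/Mar/2025:10:01:09 +0000] "GET /app/ HTTP/1.1" 500 - "JSESSIONID=abc123"
198.51.100.4 - - [20/Mar/2025:10:02:11 +0000] "GET /app/index.jsp HTTP/1.1" 200 1042 "JSESSIONID=def456"
198.51.100.4 - - [20/Mar/2025:10:02:12 +0000] "GET /app/static/logo.png HTTP/1.1" 200 5120 "-"
192.0.2.9 - - [20/Mar/2025:10:05:00 +0000] "PUT /app/docs/readme.txt HTTP/1.1" 201 - "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
WINDOW = timedelta(seconds=120)  # how long after a PUT a session GET is treated as linked


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def detect(lines, window=WINDOW):
    """Returns (rule, client_ip, timestamp) alerts.

    put_request: any PUT reached the application. On a deployment whose default
      servlet is read-only this should never be needed, so it is worth a look
      regardless of the status code returned.
    put_then_session_get: the same client issued a PUT and then, within the window,
      a GET carrying a JSESSIONID cookie, the two-step pattern described above."""
    alerts = []
    last_put = {}
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        if ev["method"] == "PUT":
            alerts.append(("put_request", ev["ip"], ev["ts"]))
            last_put[ev["ip"]] = ev["ts"]
        elif ev["method"] == "GET" and "JSESSIONID=" in ev["cookie"]:
            put_ts = last_put.get(ev["ip"])
            if put_ts is not None and ev["ts"] - put_ts <= window:
                alerts.append(("put_then_session_get", ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in detect(LOG_LINES):
        print(f"{ts.isoformat()} {rule:<22} client={ip}")
```

On the sample, the first client trips both rules and the last trips only put_request, while the ordinary browsing client with a session cookie but no preceding PUT produces nothing. The point of the looser first rule is that the write itself is the anomaly on a read-only servlet, so it should fire whether or not the server answered 201, 409 or 500. In a SIEM the same logic would run over whatever fields carry method, client address and cookie; the patch and the partial-PUT setting the article mentions remain the actual fix.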

 

Google acquires cybersecurity firm Wiz for $32 billion  

Alphabet’s Google Cloud has acquired cloud-based cybersecurity firm Wiz for $32 billion. Wiz was founded in Israel and was valued at $16 billion in 2024 while preparing for an IPO. This more than doubles Alphabet’s acquisition of Motorola Mobility for $12.5 billion in 2012. The Financial Times’ sources say that Wiz and Alphabet have agreed to a $3.2B termination fee, which lets Wiz run like an independent company, if the deal falls through or is significantly delayed. (The Verge)

 

Google doesn’t deny receiving a secret legal order from the UK government  

Google has refused to deny receiving a secret legal order from the UK government, raising concerns among U.S. lawmakers. A bipartisan group in Congress fears that British authorities may be demanding access to encrypted messages from U.S. tech companies. This follows reports that Apple received a similar order, known as a Technical Capability Notice (TCN), which it is reportedly contesting in a closed court hearing. Lawmakers criticized the secrecy surrounding these orders, arguing it hinders congressional oversight and threatens Americans’ privacy. Under the UK’s Investigatory Powers Act, companies that receive a TCN are barred from confirming it. Experts, including from Britain’s intelligence community, have called for more transparency, with academics warning that the government’s refusal to clarify the situation is unsustainable and unjustifiable. (The Record)

 

The White House is urging federal agencies not to lay off cybersecurity teams  

The White House is urging federal agencies not to lay off cybersecurity teams as they submit budget cut plans. U.S. federal CIO Greg Barbaccia emphasized in an email that cybersecurity is national security and should be protected. The warning comes amid concerns that deep budget cuts mandated by President Trump and adviser Elon Musk could weaken national cyber defenses. Former NSA cybersecurity director Rob Joyce warned that mass layoffs would be “devastating.” The Musk-led Department of Government Efficiency (DOGE) has also drawn criticism for granting unusually broad access to sensitive government data. At the Social Security Administration, officials raised alarms about the security risks posed by DOGE. Meanwhile, the Department of Homeland Security’s CISA has already lost over 130 positions as of mid-February.

Elon Musk reportedly visited the NSA on Wednesday, meeting with leadership to discuss staff cuts and operations. The NSA, a key player in U.S. cybersecurity and home to Cyber Command, is under Musk’s scrutiny as he pushes for government downsizing. His visit signals potential changes to intelligence and cyber operations. While Musk recently called for an NSA overhaul, he hasn’t detailed specific reforms. Intelligence officials are bracing for swift changes that could impact national cybersecurity. (Reuters)

 

Denmark warns of Europe telecom threat  

The cybersecurity agency of Denmark made this warning in a threat assessment published last Thursday warning of “an increase in state-sponsored cyber espionage activities targeting the telecommunications sector in Europe.” Although no direct mention of Salt Typhoon’s activities in the U.S. was made in the statement, nor has there been any confirmation of Salt Typhoon activity in Europe, the Danish agency stated “there have been several attempts at cyber espionage against the European telecommunications sector in the past few years,” and it worries that European governments may “lack the political incentives to make a public attribution even if China is identified as responsible.” (The Record)

 

Micronesian island suffers cyberattack  

To show that nowhere on earth is safe from cybercrime, the tiny island nation of Yap has suffered a ransomware attack, forcing the shutdown of all computers in its government health agency. Yap is one of the four states of the Federated States of Micronesia (FSM) and is located in the middle of the Pacific Ocean equidistant between the Philippines and Guam. Health officials from the island announced the attack, which occurred on March 11, on Facebook, stating that health services are still continuing, but are slower due to systems having been taken offline. (Security Affairs)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

The Secret to Cyber Resilience: Accurate Asset Inventory (…and RedSeal)

Cyber resilience is like home security. You wouldn’t leave your front door unlocked and assume everything inside is safe—so why do the digital equivalent with your network? The key to securing an organization isn’t just having firewalls and detection tools; it starts with knowing exactly what’s on your network. If you don’t know what you have, how can you protect it?

 

The importance of accurate asset inventory

Picture this: You’re running late for a flight, but you can’t find your keys. Why? Because you didn’t put them where they belong. IT security works the same way. If you don’t know where your critical assets are—or worse, if you don’t even know they exist—you can’t secure them.

An accurate asset inventory gives organizations a clear picture of their environment. It catalogs every device, application, and data repository, making sure there are no surprises. Yet, many security teams think they have full visibility—until they deploy a tool that scans their network and suddenly, it’s like finding a hidden basement in their house. That’s not a good feeling.

 

Why asset visibility boosts cyber resilience

Cyber resilience isn’t just about stopping attacks; it’s about bouncing back from them quickly. To do that, organizations need a real-time understanding of their network. A comprehensive asset inventory helps:

  • Identify vulnerabilities – If you don’t know an asset exists, you definitely aren’t patching it.
  • Manage risks – Not all assets are equal. Losing a coffee machine connected to Wi-Fi is one thing; losing a customer database is another.
  • Ensure compliance – Many security frameworks require an up-to-date inventory. Regulators don’t take “we didn’t know we had that server” as an excuse.

 

The struggle is real: Challenges in asset inventory

  • Everything is changing – Cloud services, mobile devices, and IoT keep popping up like weeds in a garden. You can’t avoid the change, but you can master it. Automatic device discovery and the detection of stale devices and credentials go a long way to calm the chaos.
  • Shadow IT is everywhere – Employees love setting up “temporary” servers or apps without telling IT. Spoiler: Those never stay temporary. Again, discovery to the rescue. The right tools will let you keep track of all the devices connected to your network, removing yet more blind spots, and who wants those?
  • Manual tracking is a nightmare – If you’re relying on spreadsheets, you’re already losing. Networks evolve too fast for manual updates. Nope, manual tracking never works; you need it to be automated and continuous, or you’ll never wake up from the nightmare.

 

How to keep track of everything without losing your mind

There’s hope. Organizations can keep their asset inventory in check by:

  1. Automating discovery – Use tools that continuously scan and update inventories. If you’re still doing this manually, you might as well be writing your network map on a napkin.
  2. Integrating asset data – A single source of truth across cloud and on-prem environments makes life easier.
  3. Auditing regularly – If you haven’t checked your asset inventory in six months, chances are, it’s outdated.
  4. Training staff – A little awareness goes a long way. The fewer rogue devices on your network, the better.
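The first three steps above (automated discovery, a single source of truth, and a regular audit) come together in the following Python, an added example written for this page rather than RedSeal’s own tooling. It assumes two constructed inputs: a CMDB of what the team believes it owns, and the records that discovery (an on-prem sweep and cloud provider inventories) actually observed; host names, owners and dates are made up. The audit horizon is the six months the post uses.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=180)  # the six-month audit horizon the post mentions

# Constructed sample records (not real systems). CMDB is what the team believes
# it owns; DISCOVERED is what automated discovery actually observed.
CMDB = [
    {"hostname": "web-01", "owner": "platform", "last_verified": date(2025, 3, 1)},
    {"hostname": "db-01", "owner": "data", "last_verified": date(2024, 6, 15)},
    {"hostname": "legacy-ftp", "owner": "unassigned", "last_verified": date(2024, 1, 10)},
]

DISCOVERED = [
    {"hostname": "web-01", "source": "onprem-sweep", "last_seen": date(2025, 3, 27)},
    {"hostname": "db-01", "source": "aws-inventory", "last_seen": date(2025, 3, 27)},
    {"hostname": "jenkins-tmp", "source": "azure-inventory", "last_seen": date(2025, 3, 26)},
    {"hostname": "breakroom-iot", "source": "onprem-sweep", "last_seen": date(2025, 3, 27)},
]


def merge_inventory(cmdb, discovered):
    """Single source of truth: one record per hostname, combining the CMDB's
    ownership data with every discovery source that observed the host."""
    merged = {}
    for a in cmdb:
        merged[a["hostname"]] = {
            "hostname": a["hostname"], "owner": a["owner"],
            "last_verified": a["last_verified"], "sources": [], "last_seen": None,
        }
    for d in discovered:
        rec = merged.setdefault(d["hostname"], {
            "hostname": d["hostname"], "owner": None,
            "last_verified": None, "sources": [], "last_seen": None,
        })
        rec["sources"].append(d["source"])
        if rec["last_seen"] is None or d["last_seen"] > rec["last_seen"]:
            rec["last_seen"] = d["last_seen"]
    return merged


def audit(cmdb, discovered, today):
    """Flags the three gaps the post describes:
    unknown  - discovery saw it, the CMDB never recorded it (shadow IT, rogue devices)
    missing  - the CMDB lists it, nothing answered for it (decommissioned or moved)
    stale    - CMDB entry not re-verified within STALE_AFTER."""
    merged = merge_inventory(cmdb, discovered)
    unknown = sorted(h for h, r in merged.items() if r["owner"] is None)
    missing = sorted(h for h, r in merged.items()
                     if r["owner"] is not None and not r["sources"])
    stale = sorted(h for h, r in merged.items()
                   if r["last_verified"] is not None
                   and today - r["last_verified"] > STALE_AFTER)
    return {"unknown": unknown, "missing": missing, "stale": stale}


if __name__ == "__main__":
    for category, hosts in audit(CMDB, DISCOVERED, date(2025, 3, 28)).items():
        print(f"{category:<8} {', '.join(hosts) or '(none)'}")
```

Taking the date as a parameter keeps the audit reproducible, so the same run can be re-executed against yesterday’s snapshot. The "unknown" list is where the temporary Jenkins box and the break-room gadget surface; "missing" catches the CMDB entry nothing answered for; and "stale" includes the database even though discovery still sees it, because seeing a host is not the same as having verified who owns it and what it does.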

 

Incident response: When asset inventory saves the day

If a cyber incident hits, an up-to-date asset inventory helps security teams pinpoint affected systems fast. It’s the difference between putting out a small kitchen fire and watching your whole house burn down because you didn’t know where the extinguisher was. Knowing asset relationships also helps predict how an attack might spread, making mitigation more effective.

 

Final thoughts

Achieving cyber resilience isn’t about having the fanciest security tools—it’s about knowing what you have and where it is. Accurate asset inventory is the backbone of security. With the right tools, processes, and a little vigilance, organizations can avoid nasty surprises and stay ahead of cyber threats. RedSeal is meticulous about documenting your network assets to keep your network inventory squeaky clean. Contact us today to find out what you can do to keep your (proverbial) house in order. And maybe, just maybe, you won’t have to feel like you just discovered that hidden basement.

 

Cyber News Roundup for March 14, 2025

Cybercriminal attacks are moving faster than ever. In this week’s roundup, we cover critical cybersecurity updates, including vulnerabilities in the popular ESP32 Bluetooth chip and a new House bill requiring federal contractors to implement vulnerability disclosure policies. Plus, we discuss the cyberattack impacting X, a breach in the U.S. electric grid by Chinese hackers, and the latest zero-day vulnerabilities. Stay informed with these important cybersecurity developments.

Undocumented commands found in Bluetooth chip used in popular Wi-Fi and Bluetooth devices

As described in BleepingComputer, “the ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023, contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.” Researchers from Tarlogic Security, speaking at RootedCON in Madrid, point out that ESP32 is “one of the world’s most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.” (BleepingComputer)

House bill requires federal contractors to implement vulnerability disclosure policies  

The bill is named the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, and it “instructs the Office of Management and Budget (OMB) to consult with CISA, the Office of the National Cyber Director, NIST, and other relevant departments, and require federal contractors to have a VDP that is consistent with NIST guidelines.” The same is required of the Defense Department. A letter signed by representatives of the bill’s proponents, including HackerOne, Bugcrowd, Microsoft, Infoblox, Rapid7, Trend Micro, Tenable, and Schneider Electric, states that “contractors, given the vast amount of sensitive data they handle, are prime targets for cyber threats. As a result, the bill ensures all companies contracting with the federal government adhere to security best practices.” (Security Week)

 

Cybercriminals sped up their attacks last year  

Two security companies, CrowdStrike and ReliaQuest, are reporting separately that “in the past year ransomware groups achieved lateral movement within an average of 48 minutes after gaining initial access to targeted environments,” with the fastest breakout time recorded being 51 seconds. This is an improvement – for the threat actors – from 2023 when the average breakout time for interactive cybercrime intrusions was 62 minutes. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, in making his company’s announcement, added, “not only are these adversaries using different techniques, different capabilities, they’re doing it faster, and they’re iterating faster than many of the enterprises that they’re targeting.” (Cyberscoop)

 

Cyber attack allegedly behind X outages  

Elon Musk blamed a “massive cyberattack” on multiple X outages on Monday, while hacking group Dark Storm Team claimed responsibility. According to Downdetector, reports of outages spiked throughout the morning, with peaks at 6 a.m., 10 a.m., and 11:30 a.m. ET, impacting tens of thousands of users. Newsweek and other outlets report that Dark Storm Team, a pro-Palestinian hacking group known for targeting NATO countries and Israel, took credit for the attack via Telegram. While Musk suggested a large, coordinated group or nation-state may be involved, X is still dealing with intermittent issues as of this recording. (ZDNet)

 

CISA warns of critical Ivanti and VeraCore vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three critical Ivanti Endpoint Management vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) to its Known Exploited Vulnerabilities (KEV) catalog. These path traversal flaws (CVSS 9.8) allow unauthenticated attackers to leak sensitive information remotely. CISA also flagged two VeraCore vulnerabilities: CVE-2024-57968 (CVSS 9.9), an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. The agency urges all organizations to immediately patch these issues to prevent cyberattacks. Ivanti software has faced multiple exploitations in 2025, with previous Connect Secure and Cloud Service Appliance vulnerabilities actively targeted by threat actors. (Infosecurity Magazine)

 

Researchers report increased activity from the SideWinder APT group  

Researchers at Securelist report increased activity from the SideWinder APT group in 2024, with enhanced malware, expanded targets, and global reach. Traditionally focused on military and government entities, the group now targets maritime, logistics, and nuclear sectors across South Asia, Southeast Asia, the Middle East, and Africa. Using spear-phishing emails, SideWinder exploits the CVE-2017-11882 vulnerability to deploy StealerBot, a post-exploitation toolkit. Their malware, disguised as legitimate DLL files, includes advanced evasion techniques like Control Flow Flattening. SideWinder rapidly adapts, modifying malware within five hours of detection. Their continued reliance on old vulnerabilities underscores the importance of patching outdated systems to defend against sophisticated threats targeting critical infrastructure worldwide. (Cyber Security News)

 

Ballista Botnet hits TP-Link devices  

A new report from the Cato CTRL team details how threat actors exploit a high-severity command injection vulnerability to execute code on TP-Link Archer AX-21 routers and ultimately deploy the botnet. The flaw isn’t new: the first evidence of exploitation dates back to April 2023. The researchers saw the Ballista campaign using the flaw in January 2025. The attackers use a shell script to execute a malware binary across various system architectures, which opens the door to remote code execution or a denial of service. The researchers noted the malware can erase itself once execution begins, covering its tracks while spreading to other routers. Newer Ballista variants use TOR network domains rather than hardcoded IP addresses, indicating it’s under active development. Research by Censys found that Ballista infected over 6,000 devices across Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. (The Hacker News)

 

Apple issues emergency updates for a zero-day WebKit vulnerability  

Apple has issued emergency security updates to patch CVE-2025-24201, a zero-day WebKit vulnerability actively exploited in targeted attacks. The flaw, an out-of-bounds write issue, allows malicious web content to escape the Web Content sandbox, potentially enabling unauthorized actions. The update affects iOS, iPadOS, macOS, Safari, visionOS, and tvOS. Apple warns that the vulnerability was used in sophisticated attacks on older iOS versions. This is Apple’s third zero-day fix in 2025, following similar patches in January and February. Users should update immediately to mitigate risks, as Apple has not disclosed attacker details or targets. (Cyber Security News)

 

Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days 

Microsoft released patches for 57 security flaws, including 6 actively exploited zero-days affecting Windows Kernel, NTFS, FAT File System, and Microsoft Management Console. Exploits involve use-after-free, integer overflow, and heap-based buffer overflow, with PipeMagic malware used in targeted attacks. Threat actors can chain vulnerabilities to execute remote code via malicious VHD files. The U.S. Cybersecurity and Infrastructure Security Agency – or CISA – has ordered federal agencies to apply fixes by April 1, 2025. (The Hacker News)

 

China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days  

Security firm Dragos published a case study revealing that the Chinese hacker group Volt Typhoon infiltrated the U.S. electric grid through a breach at Littleton Electric Light and Water Departments (LELWD) in Massachusetts. The hackers had access to the utility’s network for over 300 days, collecting sensitive operational technology (OT) data, including information on energy grid operations. This data could be used for future targeted attacks. Volt Typhoon, linked to the Chinese government, has been previously associated with espionage and attacks on U.S. critical infrastructure. (Security Week)

 

In Memoriam: Mark Klein, AT&T Whistleblower Who Revealed NSA Mass Spying  

Mark Klein, the former AT&T technician who exposed a secret NSA surveillance program, has died. Klein revealed that the NSA had installed a secret room at AT&T’s San Francisco office, where internet data was copied and routed to the government. In 2006, he brought over 100 pages of evidence to the Electronic Frontier Foundation, which led to lawsuits against the NSA and increased public awareness of mass surveillance. Despite threats from AT&T, Klein stood by his claims, inspiring reforms and greater scrutiny of government spying. (EFF)

 

A UK hospital finds thousands of unwelcome guests on their network  

Our device inventory desk tells us that the Princess Alexandra Hospital in the UK recently discovered that PlayStations, coffee machines, and even passing electric cars were connecting to its network. Deputy director of ICT Jeffery Wood admitted, “Our attack surface was much bigger than we thought,” after finding 5,000–10,000 unknown devices lurking in their system. This alarming revelation came during a trial of a cyber exposure platform, part of a broader tech modernization effort.

With no dedicated cybersecurity team, the hospital’s infrastructure staff handles security, integrating automated tools, XDR, and AI-driven protections. Network segmentation has even freed the marketing team to use Apple devices—previously banned. However, zero-trust security remains a distant dream. Deputy Director Wood says the hospital is embracing a “one NHS” partnership model rather than siloed vendor relationships, but warns: “This isn’t just cyber risk. This is risk. Attacks could harm our patients.”

Nothing like a cybersecurity audit to find out your MRI machine shares a network with someone’s PS5. (Computing)
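The hospital’s discovery above, and the asset-inventory argument earlier on this page, come down to one routine check: reconcile what is actually on the network against what the inventory says should be there. The Python below is an added illustration of that check and is not RedSeal product code or anything the hospital published. It assumes a dnsmasq-style DHCP lease file and a CSV inventory keyed by MAC address; both are constructed sample data.

```python
"""Reconcile DHCP leases against a known-asset inventory.

Added example, not RedSeal's or the hospital's tooling. The lease lines
follow the dnsmasq lease-file layout:
    <expiry-epoch> <mac> <ip> <hostname-or-*> <client-id-or-*>
The inventory is a CSV keyed by MAC. Both are constructed sample data.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample: a few DHCP leases, including devices nobody registered.
SAMPLE_LEASES = """\
1741910400 00:1a:2b:3c:4d:5e 10.20.1.15 mri-console-01 01:00:1a:2b:3c:4d:5e
1741910400 d4:3a:2c:11:22:33 10.20.1.77 PS5-Living *
1741910400 8c:16:45:aa:bb:cc 10.20.1.80 * *
1741910400 00:1a:2b:3c:4d:5f 10.20.2.15 ward-pc-07 01:00:1a:2b:3c:4d:5f
1741910400 a0:b1:c2:d3:e4:f5 10.20.9.4 coffee-machine *
1741910400 00:1A:2B:3C:4D:60 10.20.2.16 ward-pc-08 *
"""

# Constructed sample: the asset register the security team believes is complete.
SAMPLE_INVENTORY = """\
mac,asset_name,owner,zone
00:1a:2b:3c:4d:5e,MRI console 01,Radiology,clinical
00:1a:2b:3c:4d:5f,Ward PC 07,Ward B,corporate
00:1a:2b:3c:4d:60,Ward PC 08,Ward B,corporate
"""


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str  # empty string when the client sent no hostname


def parse_dnsmasq_leases(text):
    """Parse lease lines; MACs are normalised to lowercase for comparison."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(mac.lower(), ip, "" if hostname == "*" else hostname))
    return leases


def load_inventory(csv_text):
    """Return {mac: inventory row} with MACs normalised to lowercase."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].strip().lower(): row for row in reader}


def find_unknown_devices(leases_text, inventory_csv):
    """Every lease whose MAC has no inventory record is an unknown device."""
    known = load_inventory(inventory_csv)
    return [lease for lease in parse_dnsmasq_leases(leases_text) if lease.mac not in known]


def unknowns_by_subnet(unknowns, prefixlen=24):
    """Count unknown devices per subnet, to see which segments they landed in."""
    counts = {}
    for lease in unknowns:
        net = str(ipaddress.ip_network(f"{lease.ip}/{prefixlen}", strict=False))
        counts[net] = counts.get(net, 0) + 1
    return counts


if __name__ == "__main__":
    unknown = find_unknown_devices(SAMPLE_LEASES, SAMPLE_INVENTORY)
    for lease in unknown:
        print(f"unknown device {lease.mac} at {lease.ip} hostname={lease.hostname or '<none>'}")
    print("per subnet:", unknowns_by_subnet(unknown))
```

Anything the function returns got an address from the network but has no inventory record; grouping by subnet shows which segments the unknowns sit in, which is the segmentation question the article raises. A real fleet would also pull ARP tables, switch MAC tables and wireless-controller associations, because devices with static addresses never appear in DHCP leases.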

 

Medusa ransomware continues to attack infrastructure  

In a joint alert released March 12, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning that as of February of this year, “Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing.” The group, which is unrelated to MedusaLocker, engages in double extortion and uses phishing and unpatched vulnerabilities for initial access. The group’s practices include “disabling security software, terminating processes related to backups, security, data sharing, and communication, and erasing shadow copies to prevent file recovery.” A link to the alert is available in the show notes to this episode. (Security Week and CISA)

 

DoJ seeks to break up Google  

As posted in The Cyberwire, “on Friday, the Department of Justice (DOJ) submitted a request that would aim to break up Google by forcing the company to sell Chrome. In its filing, the DOJ stated that Google’s illegal conduct has created an economic goliath, one that wreaks havoc over the marketplace to ensure that no matter what occurs, Google always wins.” These filings follow a 2023 antitrust case in which “Google was found guilty of monopolistic practices regarding the company’s search engine services,” as well as a second antitrust lawsuit from 2024 that is “examining whether the company has also engaged in monopolistic behaviors related to its advertising business.” The ruling, expected this summer, “has the potential to significantly impact how Google operates, how users interact with its services, and the overall landscape of the search engine business.” (The Cyberwire)

 

Chinese spy group exploits Juniper Networks routers  

Researchers at Mandiant are warning of a state-backed espionage group operating out of China, UNC3886, targeting routers made by Juniper Networks. This is a group we reported on in June 2023, when they were exploiting a VMware ESXi zero-day. In this latest report Mandiant says the group was involved in a project to deploy custom backdoors on Junos OS routers and that the group’s focus is “mainly on defense, technology, and telecommunication organizations located in the U.S. and Asia.” They pointed out that the affected routers were running end-of-life hardware and software, but also that the malware deployed on the Juniper routers “demonstrates that UNC3886 has in-depth knowledge of advanced system internals.” (The Record)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.

Cyber News Roundup for March 6, 2025

In this week’s roundup, gain insight into critical developments in cybersecurity. We’ve got highlights from sectors lagging in NIS2 compliance and the urgent need for improvement. Explore how hackers are exploiting legal loopholes to avoid detection, making it harder for law enforcement to tackle cybercrime. We also cover the latest on state-sponsored cyberattacks, including charges against Chinese hackers and evolving tactics by Silk Typhoon. Stay informed with expert insights to stay ahead of these rapidly emerging threats. Let’s dive in.

 

Six Critical Infrastructure Sectors Failing on NIS2 Compliance  

A recent report from Enisa, published on March 6, 2025, highlights that six critical infrastructure sectors—health, gas, and digital infrastructure among them—are lagging in compliance with the EU’s NIS2 directive. The health sector struggles with complex supply chains, legacy systems, and insecure medical devices, while the gas sector needs better incident readiness. Digital infrastructure, including internet exchanges and cloud services, is notably immature in its cybersecurity practices. Enisa is collaborating with EU Member States to provide guidance and improve sector maturity to meet these essential security standards. (Infosecurity)

 

Differing names for hackers hinder law enforcement, says security agent

According to an article in Cyberscoop, an investigator, who cannot be named, stated, during a speech that cannot be identified, that malicious hackers take full advantage of the lack of standardized names for their operations, since the justice system was set up long ago and is not built for the sophistication of international criminal cyber gangs. One particular problem involves the fact that the groups make use of the Public Access to Court Electronic Records (PACER) system. They use it to study affidavits and learn how investigations are opened and conducted. In addition, the agent added, “there are disincentives for law enforcement agencies and agents from different districts to work together. Everyone wants to get theirs, … everyone wants their stats, because that’s what they’re judged on.” (Cyberscoop)

 

U.S. charges Chinese infrastructure hackers  

As quoted in BleepingComputer, “the U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.” The victims include “U.S. federal and state government agencies, foreign ministries of multiple governments in Asia, U.S.-based dissidents, as well as a prominent religious organization in the United States.” i-Soon also goes by the name Anxun Information Technology. (BleepingComputer)

 

Silk Typhoon evolves to exploit common IT solutions  

The Chinese espionage group Silk Typhoon, also known as Hafnium, has been identified by security researchers at Microsoft Threat Intelligence to be “increasingly exploiting common IT solutions, such as remote management tools and cloud applications, to gain initial access.” Silk Typhoon is one of the best-resourced and technically adept state-sponsored threat actors, targeting IT services, healthcare, government agencies and higher education institutions globally. Recent activity by the group includes “abusing stolen API keys and credentials from privilege access management (PAM) systems, cloud application providers, and cloud data management companies.” These activities allow the group to “infiltrate downstream customer environments, conduct reconnaissance and exfiltrate data related to U.S. government policy, legal processes and other areas of strategic interest.” Microsoft says the group also uses password spray attacks, scanning public repositories like GitHub for leaked corporate passwords. (InfoSecurity Magazine)

 

Google patches 43 bugs, including two sneaky zero-days

In March 2025, Google released security updates addressing 43 vulnerabilities in Android, notably two zero-days actively exploited in targeted attacks. One, identified as CVE-2024-50302, is a high-severity information disclosure flaw in the Linux kernel’s Human Interface Device driver. This vulnerability was reportedly leveraged by Serbian authorities using an exploit chain developed by Israeli firm Cellebrite to unlock confiscated devices. The exploit chain also included a USB Video Class zero-day (CVE-2024-53104) and an ALSA USB-sound driver zero-day, discovered by Amnesty International’s Security Lab in mid-2024. Google had previously provided fixes for these vulnerabilities to OEM partners in January. (Google)

 

CISA flags vulnerabilities exploited in the wild  

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include several critical security flaws, underscoring the importance of timely remediation to protect organizational networks.

The newly added vulnerabilities are:​

  • CVE-2024-4885: A critical path traversal vulnerability in Progress WhatsUp Gold, which could allow unauthenticated remote code execution.​
  • CVE-2023-20118: A medium-severity command injection vulnerability in Cisco Small Business RV Series Routers, enabling arbitrary command execution or authentication bypass. Notably, Cisco has stated it will not release a fix for this issue.​
  • CVE-2022-43769 and CVE-2022-43939: A pair of vulns, both affecting Hitachi Vantara Pentaho BA Server, which involve special element injection and authorization bypass.
  • CVE-2018-8639: An improper resource shutdown or release flaw in Microsoft Windows Win32k, which could be exploited to execute arbitrary code.

Federal agencies are mandated to address these vulnerabilities by March 24, 2025. CISA strongly recommends that all organizations, regardless of sector, prioritize the remediation of these vulnerabilities to mitigate potential exploitation risks. And, we have the CVEs for all these vulnerabilities in our selected reading for you should you need them. (SC Media)
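KEV additions like the list above (and the Ivanti and VeraCore entries in the March 14 roundup) are most useful when they are matched automatically against what an organization actually runs and tracked against the due date. The Python below is an added example, not CISA tooling: it parses records in the field layout of the KEV JSON feed, matches them to an installed-software list, and reports days remaining or overdue. The records are constructed from the CVEs named above and the March 24, 2025 due date; the dateAdded and requiredAction values are placeholders, not copied from the catalog, and the installed-software list is hypothetical.

```python
"""Triage CISA KEV entries against an installed-software list.

Added example, not CISA tooling. The JSON mirrors the KEV feed's field
names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction);
the records are constructed from the CVEs in the roundup, with placeholder
dateAdded/requiredAction values.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-2024-4885", "vendorProject": "Progress", "product": "WhatsUp Gold",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "requiredAction": "Apply mitigations per vendor instructions. (placeholder)"},
        {"cveID": "CVE-2023-20118", "vendorProject": "Cisco",
         "product": "Small Business RV Series Routers",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "requiredAction": "No vendor fix available; discontinue use. (placeholder)"},
        {"cveID": "CVE-2022-43769", "vendorProject": "Hitachi Vantara", "product": "Pentaho BA Server",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "requiredAction": "Apply mitigations per vendor instructions. (placeholder)"},
        {"cveID": "CVE-2022-43939", "vendorProject": "Hitachi Vantara", "product": "Pentaho BA Server",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "requiredAction": "Apply mitigations per vendor instructions. (placeholder)"},
        {"cveID": "CVE-2018-8639", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "requiredAction": "Apply mitigations per vendor instructions. (placeholder)"},
    ],
})


def parse_kev(text):
    """Return a list of dicts with the fields this triage needs."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "due": date.fromisoformat(v["dueDate"]),
            "action": v["requiredAction"],
        })
    return entries


def triage(kev_text, installed, today):
    """Match KEV entries to installed (vendor, product) pairs.

    Matching is exact and case-insensitive on the KEV vendor/product strings;
    in practice you map your CMDB names onto those strings first.
    Returns rows sorted so the most urgent (or most overdue) come first.
    """
    wanted = {(vendor.lower(), product.lower()) for vendor, product in installed}
    rows = []
    for entry in parse_kev(kev_text):
        if (entry["vendor"].lower(), entry["product"].lower()) not in wanted:
            continue
        days_left = (entry["due"] - today).days
        rows.append({
            "cve": entry["cve"],
            "product": entry["product"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "action": entry["action"],
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    # Hypothetical installed-software list for the demonstration.
    installed = [("Microsoft", "Windows"), ("Hitachi Vantara", "Pentaho BA Server")]
    for row in triage(SAMPLE_KEV_JSON, installed, date(2025, 3, 14)):
        status = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['cve']} {row['product']}: {status}")
```

The real feed is one JSON document with the same `vulnerabilities` array, so `parse_kev` can be pointed at a saved copy unchanged; the `dateAdded` field, not used here, is what lets you alert on entries added since the last run.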

 

3 VMware Zero-Day bugs allow sandbox escape  

Broadcom is telling VMware customers to patch three actively exploited zero-day vulnerabilities affecting ESXi, Workstation, and Fusion. These flaws allow attackers with admin access to escape virtual machines and compromise the underlying host, which can lead to data exfiltration, malware deployment, and service disruption. CISA has added the vulnerabilities to its exploited list, requiring federal agencies to patch by March 25th. (Dark Reading)

 

Meet Rayhunter: a new open-source tool from EFF to detect cellular spying  

The EFF launched an open-source tool called Rayhunter, designed to detect cell-site simulators (CSS), devices that mimic cell towers to track phones and potentially intercept data. Rayhunter runs on a $20 Orbic mobile hotspot and monitors control traffic to identify suspicious activity, like forced downgrades to vulnerable 2G networks. Users get alerts for anomalies and can review logs. EFF expects Rayhunter to help build defenses against CSS and inform legal efforts to regulate their use. (EFF)

 

Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations   

The Record reports that US Defense Secretary Pete Hegseth has ordered Cyber Command to halt offensive cyber operations against Russia. The full scope of the directive is unclear, but it doesn’t include the NSA or its signals intelligence operations targeting Russia. The Washington Post cites a current US official familiar with the order as saying the pause is meant to last only as long as negotiations over the war in Ukraine continue. The Post says the operations being halted “could include exposing or disabling malware found in Russian networks before it can be used against the United States, blocking Russian hackers from servers that they may be preparing to use for their own offensive operations, or disrupting a site promoting anti-U.S. propaganda.”

The New York Times observes that “Former officials said it was common for civilian leaders to order pauses in military operations during sensitive diplomatic negotiations, to avoid derailing them. Still, for President Trump and Mr. Hegseth, the retreat from offensive cyberoperations against Russian targets represents a huge gamble. It essentially counts on Mr. Putin to reciprocate by letting up on what many call the ‘shadow war’ underway against the United States and its traditional allies in Europe.”

The Pentagon declined to comment on the report. A senior Defense official told the Record, “Due to operational security concerns, we do not comment nor discuss cyber intelligence, plans, or operations. There is no greater priority to Secretary Hegseth than the safety of the Warfighter in all operations, to include the cyber domain.” (The Record)

 

CISA denies claims of deprioritizing Russian threats  

CISA is pushing back against reports that it has been directed to stop tracking Russian cyber threats, calling the claims “fake” and a risk to national security. This is an update to a story that first appeared over the weekend, in which The Guardian reported that a memo deprioritizing Russia was issued—an allegation that CISA and DHS officials deny, with one calling the report “garbage.” Meanwhile, The Record, The New York Times, and The Washington Post confirm that U.S. Cyber Command has been ordered to pause offensive cyber operations against Russia while negotiations over the war in Ukraine continue. Lawmakers on both sides are criticizing any shift, warning that it could weaken U.S. defenses against Russian cyber threats. (The Record, Bleeping Computer, CyberScoop)

 

Latin America’s escalating cybersecurity crisis  

Cyber threats in Latin America are growing faster than anywhere else, with attacks surging 53% year-over-year and organizations facing nearly 40% more weekly incidents than the global average. Experts point to political instability, lagging cybersecurity adoption, and the rapid rise of financial tech. Some of the most impacted industries include healthcare, communications, and governments with an average of 3,000-4,000 attacks per week. These attacks are particularly affecting Brazil, where cybercriminals exploit inexperienced users and even collaborate with cartels. (Dark Reading)

 

CISA flags Cisco and Windows flaws  

U.S. federal agencies have until the end of the month to address flaws in Cisco and Windows systems. CISA reports these flaws, CVE-2023-20118 and CVE-2018-8639, allow attackers to execute arbitrary commands and gain elevated privileges on vulnerable devices, with exploitation currently underway. While the agency has noted these flaws being actively exploited, it has not provided any specific details surrounding the malicious activity or who may be responsible. You can learn more about these specific flaws in the show notes of today’s episode. (Bleeping Computer)

 

Multiple local governments experience cyberattacks  

New year, same problem. Several local government agencies are grappling with cyberattacks that have disrupted services, including Anne Arundel County, Maryland, which has been dealing with limited services for over a week. While major services like 911 remain operational, county officials are still investigating the incident and cannot confirm if it’s a ransomware attack. The trend continues across multiple states, with other local agencies, including the Cleveland Municipal Court and Missouri’s Department of Conservation, also affected by ongoing attacks. At this time, most of the government agencies have not provided any additional information other than they are investigating the incident. (The Record)

 

Malware abuses Microsoft dev tunnels for C2 communication  

In a new twist, cybercriminals are exploiting Microsoft’s dev tunnels service to send data back and forth from malware-infected devices. This service, designed for developers to test apps and collaborate securely, is now being abused to help malware avoid detection. Recently, researchers found two versions of Njrat malware using Microsoft’s dev tunnels to connect to command-and-control servers. The malware communicates through hidden URLs, making it harder for traditional security systems to spot. The malware checks in with its remote servers, reporting its status, and can even spread through USB devices. Experts say that organizations not using dev tunnels should keep an eye on DNS logs for any unusual dev tunnel URLs as a way to spot potential attacks early. (SANS)
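A concrete form of the DNS-log check recommended above, as an added example (not SANS’s detection code or anything from the referenced research): it scans dnsmasq-style query-log lines for hostnames under the dev tunnels service domains, pulls out the tunnel identifier, and reports which internal clients resolved which tunnels. The log lines are constructed; the two domain suffixes are what the example assumes for the service (devtunnels.ms and tunnels.api.visualstudio.com) and should be confirmed against your own telemetry; the allowlist of developer workstations is hypothetical.

```python
"""Flag DNS lookups for dev tunnel hostnames in resolver logs.

Added example, not code from the cited research. Log lines are constructed
in dnsmasq's query-log layout; adjust QUERY_RE for another resolver.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Suffixes this example treats as dev tunnel infrastructure (assumption;
# confirm against your own DNS telemetry before relying on them).
DEVTUNNEL_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")

# dnsmasq query log: "<ts> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)

# Constructed sample log: ordinary lookups, two tunnel hosts, one control-plane
# host, one look-alike that must NOT match, and one non-query line.
SAMPLE_LOG = """\
Mar 12 10:01:02 dnsmasq[1234]: query[A] www.example.com from 10.0.0.5
Mar 12 10:01:09 dnsmasq[1234]: query[A] 7h2k9xq1-8080.euw.devtunnels.ms from 10.0.0.5
Mar 12 10:01:10 dnsmasq[1234]: query[AAAA] 7h2k9xq1-8080.euw.devtunnels.ms from 10.0.0.5
Mar 12 10:02:44 dnsmasq[1234]: query[A] devtunnels.ms.example.net from 10.0.0.9
Mar 12 10:03:01 dnsmasq[1234]: query[A] global.rel.tunnels.api.visualstudio.com from 10.0.0.5
Mar 12 10:05:17 dnsmasq[1234]: query[A] 4mz0ab3c.use.devtunnels.ms from 10.0.0.22
Mar 12 10:05:18 dnsmasq[1234]: reply 4mz0ab3c.use.devtunnels.ms is 20.0.0.1
Mar 12 10:06:00 dnsmasq[1234]: query[A] 9q8w7e6r-3000.euw.devtunnels.ms from 10.0.0.40
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    tunnel_id: str  # empty for control-plane hostnames


def is_devtunnel_host(qname):
    """Suffix match on the whole label boundary, so look-alikes do not match."""
    name = qname.lower().rstrip(".")
    return any(name.endswith(suffix) for suffix in DEVTUNNEL_SUFFIXES)


def tunnel_id(qname):
    """'<id>-<port>.<cluster>.devtunnels.ms' -> '<id>'; '' if not a tunnel host."""
    name = qname.lower().rstrip(".")
    if not name.endswith(".devtunnels.ms"):
        return ""
    labels = name.split(".")
    if len(labels) < 4:
        return ""
    return labels[0].split("-")[0]


def find_devtunnel_queries(log_text, allowed_clients=frozenset()):
    """Return every query for a dev tunnel host from a non-allowlisted client."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # replies, cache lines, other noise
        if m["client"] in allowed_clients or not is_devtunnel_host(m["qname"]):
            continue
        hits.append(Hit(m["ts"], m["client"], m["qname"], tunnel_id(m["qname"])))
    return hits


def tunnels_by_client(hits):
    """Summarise which client resolved which tunnel ids (control hosts excluded)."""
    summary = defaultdict(set)
    for hit in hits:
        if hit.tunnel_id:
            summary[hit.client].add(hit.tunnel_id)
    return dict(summary)


if __name__ == "__main__":
    # Hypothetical: 10.0.0.40 is a known developer workstation.
    hits = find_devtunnel_queries(SAMPLE_LOG, allowed_clients=frozenset({"10.0.0.40"}))
    for hit in hits:
        print(f"{hit.timestamp} {hit.client} -> {hit.qname} (tunnel {hit.tunnel_id or 'n/a'})")
    print(tunnels_by_client(hits))
```

The allowlist is what makes the check usable where developers legitimately use the service: lookups from their workstations are skipped, and a tunnel id resolved by a server, a kiosk, or a workstation outside the development group is the anomaly worth a ticket. The same tunnel id appearing from several clients is a stronger signal still, since it points to one remote endpoint shared by several infected hosts.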

 

JavaGhost uses compromised AWS environments to launch phishing campaigns  

Palo Alto Networks’ Unit 42 warns that the JavaGhost threat actor is compromising misconfigured AWS environments and using them to launch phishing campaigns. The group gains entry to the AWS environments via exposed long-term access keys. Once they’ve gained access, the attackers use the victim’s Amazon Simple Email Service (SES) and WorkMail services to send out phishing emails. Since the emails are sent from a legitimate source, they’re more likely to bypass security filters. To defend against these attacks, Unit 42 recommends that AWS users limit access to administrative rights, rotate IAM credentials regularly, use short term/just-in-time access tokens, and enable multi-factor authentication. (PaloAlto)
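Unit 42’s recommendations above (rotate IAM credentials, prefer short-term tokens, require MFA) can be checked from the IAM credential report, which `aws iam get-credential-report` returns as a base64-encoded CSV. The Python below is an added example, not Unit 42’s or AWS’s code: it flags active long-term access keys older than a rotation threshold and console users without MFA. The report rows are constructed sample data using the report’s real column layout and the AWS documentation example account ID 111122223333; the 90-day threshold is an assumed policy value.

```python
"""Audit an IAM credential report for stale long-term keys and missing MFA.

Added example, not AWS or Unit 42 code. SAMPLE_REPORT is constructed in the
layout of `aws iam get-credential-report` (decode the base64 Content first);
the account id 111122223333 is the AWS documentation example id.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T09:00:00+00:00,not_supported,2024-12-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-05-02T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-05-02T10:05:00+00:00,2025-03-10T14:20:00+00:00,us-east-1,ses,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-08-15T12:00:00+00:00,true,2025-03-11T07:30:00+00:00,2025-01-05T12:00:00+00:00,2025-04-05T12:00:00+00:00,false,true,2025-02-20T12:00:00+00:00,2025-03-12T09:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-09-01T12:00:00+00:00,true,2025-03-12T10:00:00+00:00,2025-02-01T12:00:00+00:00,2025-05-02T12:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

_EMPTY = ("N/A", "not_supported", "no_information", "")


def _rows(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def _timestamp(value):
    """Credential-report timestamps are ISO 8601 with offset; placeholders -> None."""
    return None if value in _EMPTY else datetime.fromisoformat(value)


def stale_access_keys(report_csv, now, max_age_days=90):
    """Active long-term keys rotated more than max_age_days ago.

    max_age_days is an assumed policy value; last_used_service shows what the
    key touches (for example 'ses'), which is what to check for abuse first.
    """
    findings = []
    for row in _rows(report_csv):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = _timestamp(row[f"{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                findings.append({
                    "user": row["user"],
                    "key": slot,
                    "age_days": age,
                    "last_used_service": row[f"{slot}_last_used_service"],
                })
    return findings


def console_users_without_mfa(report_csv):
    """Users with a console password enabled and no MFA device."""
    return [
        row["user"]
        for row in _rows(report_csv)
        if row["password_enabled"] == "true" and row["mfa_active"] != "true"
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for f in stale_access_keys(SAMPLE_REPORT, now):
        print(f"{f['user']} {f['key']}: {f['age_days']} days old, last used with {f['last_used_service']}")
    print("console users without MFA:", console_users_without_mfa(SAMPLE_REPORT))
```

In the sample, the stale finding is a CI user whose key is years old and was last used against SES, which is exactly the kind of long-term credential the article describes being exposed and then used for mail sending; the fix is to replace it with a role assumed through short-term STS credentials, and the report makes the remaining long-term keys visible on every run.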

 

Philippine army suffers cyberattack  

The Philippine Army confirmed a cyberattack after a local hacking group claimed to have breached its systems and accessed confidential documents. Army spokesperson Col. Louie Dema-ala described it as an “illegal access attempt” that was swiftly contained, with no detected data theft or damage. However, digital security group Deep Web Konek reported that hacker group Exodus Security claimed responsibility, alleging it had compromised 10,000 records of active and retired service members. The leaked data reportedly includes personal, military, and financial details, though its authenticity and exact volume remain unverified. Authorities continue to investigate the breach. (The Record)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.