Cyber News Roundup for February 28, 2025
In recent cybersecurity news, several high-profile incidents highlight growing threats and vulnerabilities across sectors. Belgium’s State Security Service is investigating a cyber-espionage operation allegedly linked to Chinese hackers, who compromised the agency’s email system. Meanwhile, the PolarEdge botnet is exploiting vulnerabilities in critical edge devices from Cisco, ASUS, and others, while reports reveal a significant increase in the time it takes to patch software vulnerabilities, now averaging eight and a half months. These incidents underscore the urgent need for robust cybersecurity measures to protect both government and private sector infrastructure.
A cybersecurity veteran takes CISA’s lead
Karen Evans, a seasoned federal IT and cybersecurity expert, has been appointed as the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). In this prominent role, she will lead efforts to protect federal civilian agencies and the nation’s critical infrastructure against cyber threats. Evans brings extensive experience from her previous positions, including Chief Information Officer at the Department of Homeland Security, Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, and Administrator of E-Government and Information Technology at the Office of Management and Budget. Her appointment fills a key leadership position within CISA, which has been without a permanent director since January 2025. (Cyberscoop)
A Belgium spy agency is hacked
Belgium has initiated a judicial investigation into an alleged Chinese cyber-espionage operation that compromised the email system of its State Security Service (VSSE). Between 2021 and 2023, unidentified Chinese state-sponsored hackers reportedly siphoned off 10% of the agency’s incoming and outgoing emails. The attackers exploited a vulnerability in an email security product from Barracuda Networks, deploying malware strains Saltwater, SeaSpy, and Seaside to establish backdoors into compromised systems. While classified internal communications remained secure, the breach affected an external server handling communications with government ministries and law enforcement, potentially exposing personal data of nearly half the VSSE’s staff and past applicants. Belgian officials have refrained from commenting on the specifics, citing the ongoing nature of the investigation. (The Record)
PolarEdge botnet exploits Cisco, ASUS, QNAP, and Synology
According to French cybersecurity company Sekoia, a new malware campaign is targeting edge devices from Cisco, ASUS, QNAP, and Synology to pull them into a botnet named PolarEdge. It has been operating since at least the end of 2023. The campaign leverages an unpatched critical security flaw (CVE-2023-20118) affecting end-of-life Cisco Small Business routers that could result in arbitrary command execution on susceptible devices. The vulnerability is said to have been used to deliver a TLS backdoor that incorporates the ability to listen for incoming client connections and execute commands. (The Hacker News)
Software vulnerabilities take almost nine months to patch
A State of Software Security report released by Veracode shows the average fix time for software security vulnerabilities has “risen to eight and a half months, a 47% increase over the past five years.” This is also 327% higher than 15 years ago, “largely as a result of increased reliance on third-party code and use of AI generated code.” Furthermore, the report says, “half of all organizations have critical security debt – defined as accumulated high severity vulnerabilities left open for longer than a year, and 70 percent of this critical security debt comes from third-party code and the software supply chain.” (InfoSecurity Magazine)
Thousands of exposed GitHub repositories, now private, can still be accessed through Copilot
Security researchers at Israeli cybersecurity company Lasso found that Microsoft Copilot retains access to thousands of once-public GitHub repositories, even after they’ve been set to private. Using Bing’s cache, Lasso identified over 20,000 affected repositories, exposing sensitive data from major companies like Google, IBM, and Microsoft. Microsoft classified the issue as “low severity.” (TechCrunch)
HaveIBeenPwned Adds 244 Million Passwords Stolen By Infostealers
HaveIBeenPwned has added 244 million stolen passwords and 284 million compromised email accounts to its database, sourced from 1.5TB of infostealer logs shared on Telegram. The data was linked to a major distribution channel called “Alien Textbase,” which published the logs in 744 files. HIBP also introduced two new APIs allowing domain owners to check for compromised credentials. Infostealers, increasingly used in cyberattacks, spread through phishing, malicious ads, and pirated software, with stolen data fueling major breaches like those affecting Ticketmaster and AT&T. (Infosecurity)
CISA adds an Oracle Agile PLM flaw to its Known Exploited Vulnerabilities (KEV) catalog
CISA has added CVE-2024-20953, an Oracle Agile PLM flaw, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity deserialization vulnerability, patched in January 2024, allows low-privileged attackers to execute arbitrary code. While no public reports confirm active exploitation, experts believe attackers likely use it post-initial access. Oracle vulnerabilities, particularly WebLogic flaws, remain frequent attack targets. (Security Week)
A sophisticated macOS malware campaign is distributing Poseidon Stealer
A sophisticated macOS malware campaign is distributing Poseidon Stealer via a fake DeepSeek AI website, according to cybersecurity researchers. The malware bypasses macOS Gatekeeper and harvests sensitive data, including browser credentials, cryptocurrency wallets, and system keychains. Attackers use malvertising to lure victims to a counterfeit site, delivering the malicious DMG file. Poseidon employs anti-analysis techniques and exfiltrates stolen data via curl POST requests. Security experts recommend restricting osascript execution, using next-gen antivirus (NGAV), and educating users on Terminal-based threats to mitigate the risk.
Meanwhile, a privilege escalation vulnerability in Parallels Desktop remains unpatched, with two exploits publicly disclosed, allowing attackers to gain root access on Macs. Security researcher Mickey Jin bypassed Parallels’ previous fix for CVE-2024-34331, a flaw stemming from missing code signature verification. Despite seven months of warnings, Parallels has not addressed the issue, leaving all known versions vulnerable. Jin urges users to take proactive security measures as attackers could exploit this in the wild. (Bleeping Computer)
Chinese group Silver Fox is spoofing medical software
A Chinese government-backed hacking group, Silver Fox, is spoofing medical software to infect hospital patients’ computers with backdoors, keyloggers, and cryptominers, according to Forescout’s Vedere Labs. The malware mimics Philips DICOM image viewers and other healthcare applications, tricking victims into installing ValleyRAT, a remote access tool. The attack uses PowerShell commands to evade detection and downloads encrypted payloads from Alibaba Cloud. While targeting individuals, the malware could spread into hospital networks through infected patient devices, posing a major cybersecurity risk to healthcare organizations. (The Register)
Cyberattacks targeting ICS and OT surged dramatically last year
Cyberattacks targeting industrial control systems (ICS) and operational technology (OT) surged dramatically by 87% in 2024, according to cybersecurity firm Dragos. Ransomware attacks on industrial infrastructure also increased by 60%, reflecting heightened geopolitical tensions involving conflicts like Russia-Ukraine and China-Taiwan. Experts warn that state-sponsored groups, such as China’s Volt Typhoon, are infiltrating critical infrastructure, preparing potential future disruptions. Volt Typhoon has notably identified strategic U.S. targets, including power substations critical for military deployments. Alarmingly, non-state cybercriminals are gaining ICS expertise through collaboration with state actors, broadening attack capabilities and risks to critical infrastructure. This shift threatens more frequent, indiscriminate attacks as cybercriminal groups increasingly target industrial systems for financial or disruptive objectives. (Cyberscoop)
Linux backdoor used in the wild
Researchers at Palo Alto Networks’ Unit 42 discovered an undocumented Linux backdoor called Auto-Color, used by threat actors against government and university targets in North America and Asia from November to December 2024. Researchers don’t know the initial attack vector. If run with root privileges, it installs a malicious library implant, copies itself to the system directory, and modifies files to ensure it executes before other system libraries. Without root access, the malware can still provide remote access to threat actors but lacks persistence. Once running, it uses a custom encryption algorithm to talk with C2 servers. (Bleeping Computer)
Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility
Security researchers at Tenable uncovered zero-day vulnerabilities in Fluent Bit, a widely used logging utility embedded in cloud platforms like AWS, Google Cloud, and Microsoft Azure. The flaws, CVE-2024-50608 and CVE-2024-50609 (CVSS 8.9), are null pointer dereference weaknesses in the Prometheus Remote Write and OpenTelemetry plugins, exposing billions of production environments to cyber threats. Attackers can crash Fluent Bit servers or leak sensitive data using simple HTTP requests. These vulnerabilities affect Kubernetes deployments, enterprise logging systems, and compliance workflows, with major users including Cisco, Splunk, and VMware. Patches are available in v3.0.4 and v2.2.3, but unpatched systems remain at high risk. Experts urge immediate updates, API access restrictions, and security audits to prevent widespread service disruptions and data leaks. (Cyber Security News)
Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server
Security researchers at The DFIR Report have uncovered a LockBit ransomware attack that exploited CVE-2023-22527 in a Windows Confluence server. The attackers gained initial access through a remote code execution (RCE) vulnerability, quickly deploying Mimikatz, Metasploit, and AnyDesk to escalate privileges and move laterally across the network via RDP. They used Rclone to exfiltrate data to MEGA.io before executing the ransomware. PDQ Deploy was leveraged to automate the spread of LockBit across critical systems, ensuring widespread encryption. The entire attack, from initial compromise to ransomware deployment, was completed in just two hours. The researchers emphasize the importance of patching Confluence vulnerabilities, monitoring network activity, and restricting remote access to prevent similar intrusions. This case underscores the growing sophistication and speed of ransomware operations targeting unpatched enterprise applications. (The DFIR Report)
Retired Gen. Paul Nakasone warns the U.S. is falling behind in cyberspace
Retired Gen. Paul Nakasone warned that the U.S. is falling behind in cyberspace, with adversaries expanding their capabilities. Speaking over the weekend at DistrictCon in Washington DC, he cited Chinese-backed breaches and ransomware attacks as evidence of weak cybersecurity. He also expressed concern about cyber operations causing physical damage, predicting future attacks could disable platforms through digital means. Nakasone, now at Vanderbilt University, highlighted AI’s role in cyber offense, including autonomous targeting by AI-powered drones. He questioned the limits of AI-driven cyber weapons and their ability to bypass defenses.
He endorsed a more aggressive U.S. cyber strategy, citing past Cyber Command operations against Russian and Iranian hackers. He emphasized “persistent engagement” to keep cyber enemies in check. Nakasone stressed the need for top cyber talent, warning of recruitment challenges due to past government actions. He acknowledged ongoing Cyber Command reforms but avoided direct criticism of political leadership changes, stating that presidents choose their own advisers. (Cyberscoop)
Australia bans Kaspersky over security concerns
Australia has joined the growing list of countries to ban Kaspersky products from government systems. Citing national security risks and concerns over potential Russian government influence, Australian agencies must remove the software by April 1, though limited exemptions may apply for national security or law enforcement functions. In a statement to multiple outlets, Kaspersky criticized the decision, arguing it lacked technical justification and was driven by geopolitical tensions. This move follows similar bans by the U.S., U.K., and Canada within the last year. (Security Week), (The Hacker News), (Bleeping Computer), (The Record)
At RedSeal, we protect your network by providing precise asset visibility and attack path analysis. Our solutions help you proactively manage risks, identify vulnerabilities before they turn into threats, and ensure your defense strategy stays one step ahead. Read on for the full breakdown of this week’s critical cyber news.
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.