In this week’s roundup, we highlight some critical cybersecurity developments. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about multiple Apple 0-day vulnerabilities being actively exploited in the wild. Meanwhile, researchers have uncovered the real IP address behind the Medusa Ransomware Group, offering an unprecedented look into their infrastructure. Additionally, Mustang Panda, the Chinese espionage-focused APT, continues to evolve its tactics, with new tools and backdoors being deployed in targeted attacks.
Stay tuned as we break down the latest insights and what they mean for your security posture.
CISA Warns of Multiple Apple 0-day Vulnerabilities Actively Exploited in Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory concerning two actively exploited zero-day vulnerabilities affecting Apple devices, including iPhones, iPads, and Macs. The first vulnerability, CVE-2025-31200, is a memory corruption flaw in the CoreAudio framework that can be triggered by processing a maliciously crafted audio file, potentially allowing attackers to execute arbitrary code on the device. The second, CVE-2025-31201, allows an attacker who already has arbitrary read and write access to memory to bypass Apple’s Pointer Authentication mitigation. Chained together, these flaws give attackers unauthorized access to and control over affected devices. CISA recommends that users apply Apple’s security updates promptly and, where that is not possible, discontinue use of the affected products. (Cyber Security News)
Researchers unmask IP addresses behind the Medusa Ransomware Group
Researchers have unmasked the real IP address behind the Medusa ransomware group, a notorious operation long hidden on the Tor network. Covsec security experts exploited a severe vulnerability in Medusa’s blog platform, which the group uses to post stolen data, to bypass Tor’s anonymity protections. Using a server-side request forgery (SSRF) flaw, they forced the server to make an outbound connection that left the Tor network and revealed its public IP: 95.143.191.148. Hosted by SELECTEL in Russia, the server runs Ubuntu and exposes insecure services, including SSH with password authentication enabled. Medusa, a ransomware-as-a-service operation distinct from the similarly named MedusaLocker, has been active since 2021 and has targeted healthcare, education, and manufacturing with double-extortion tactics. This rare technical breakthrough against a Tor-hidden ransomware group offers unusual visibility into its infrastructure, showing how poor server hygiene can undermine even the most elusive cybercriminal operations. (Cyber Security News)
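The deanonymization above works because a hidden service that fetches an attacker-supplied URL with its ordinary network stack connects out directly, so the attacker’s listener logs the server’s real egress IP rather than a Tor exit. The following is an added example written for this roundup, not code from the Medusa blog platform or from the researchers: a deliberately SSRF-prone fetch target beside a hardened check. The allowlisted hosts, the SOCKS proxy address and the injectable `resolver` are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this service is permitted to fetch from (constructed for the example).
ALLOWED_FETCH_HOSTS = {"mirror.example.com", "files.example.onion"}

# Hypothetical Tor SOCKS proxy; assumed for the example, not taken from any real deployment.
# socks5h makes the proxy do name resolution, so no DNS query leaves the host either.
TOR_SOCKS_PROXY = "socks5h://127.0.0.1:9050"


def vulnerable_fetch_target(url):
    """The SSRF-prone pattern: the URL comes straight from the request and is used as-is.

    On a Tor hidden service, fetching an attacker-supplied clearnet URL this way opens a
    direct TCP connection from the server, and the attacker's listener records its public IP.
    """
    return url  # no scheme check, no host check, no proxy: the server will connect anywhere


def is_public_address(ip):
    """True only for globally routable unicast addresses (private, loopback, link-local, etc. excluded)."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_fetch_target(url, resolver=socket.gethostbyname):
    """Validate a server-side fetch and decide how it may be performed.

    Returns (allowed, proxy, reason). `resolver` is injectable so the check can be
    exercised offline; by default it performs a real DNS lookup.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, None, "only http/https may be fetched"
    host = parsed.hostname
    if not host:
        return False, None, "URL has no host"
    host = host.lower()
    if host not in ALLOWED_FETCH_HOSTS:
        return False, None, "host is not on the fetch allowlist"
    if host.endswith(".onion"):
        # Onion names cannot be resolved by DNS; the fetch has to go through Tor.
        return True, TOR_SOCKS_PROXY, "onion host: route through the Tor SOCKS proxy"
    try:
        ip = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return False, None, "host did not resolve"
    if not is_public_address(ip):
        # DNS rebinding or a mis-pointed allowlist entry could aim the fetch at localhost or a LAN service.
        return False, None, f"host resolves to non-public address {ip}"
    # Even an allowed clearnet fetch must not leave the hidden service's host directly.
    return True, TOR_SOCKS_PROXY, "allowed; fetch via Tor so the egress IP is a Tor exit, not the server"


if __name__ == "__main__":
    for candidate in ("http://203.0.113.10/ping", "file:///etc/passwd",
                      "https://mirror.example.com/pkg.tar", "http://files.example.onion/p"):
        print(candidate, "->", hardened_fetch_target(candidate, resolver=lambda h: "93.184.216.34"))
```

The allowlist is the real control; the address check only catches the case where an allowed name is rebound to an internal address. Routing every remaining fetch through the Tor SOCKS proxy is what keeps the server’s own IP out of anyone’s logs, and a host firewall that only lets the tor process egress turns that policy into something a single application bug cannot undo.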
SonicWall warns of old vulnerability now actively exploited
This warning refers to a security advisory for an SMA 100 series vulnerability, CVE-2021-20035, that was patched in 2021. It is described as an authenticated arbitrary command execution vulnerability. According to SecurityWeek, “when the patches were announced in September 2021, the vulnerability went largely unnoticed, likely because it was assigned a ‘medium severity’ rating (CVSS of 5.5) and due to its exploitation requiring authentication.” It now turns out that the flaw has been exploited in the wild, prompting SonicWall to raise its CVSS score to 7.2, making it ‘high severity’. (SecurityWeek)
Mustang Panda sallies forth
According to a report from Zscaler, the Chinese espionage-focused APT has used an updated backdoor and several new tools in a recent attack. The group is already proficient at exploiting Windows zero-days, but Zscaler says that here “the APT is relying on DLL sideloading to execute its malicious payloads and evade detection, deploying all tools as libraries within archives that also contain a vulnerable executable to load them.” In practice that “vulnerable executable” is a legitimate, usually signed, program that looks up a DLL by name in its own directory and so loads the malicious library shipped alongside it. The group is “known for targeting government and military entities, as well as NGOs and minority groups, mainly in East Asia, but also in Europe.” (SecurityWeek)
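To make the sideloading pattern concrete, here is an added detection example written for this roundup, not code from Zscaler’s report or from Mustang Panda’s tooling. It runs a simple heuristic over constructed records shaped like Sysmon Event ID 7 (ImageLoad) entries: an unsigned DLL loaded from the same directory as the process image, outside the Windows and Program Files trees, is flagged, and a DLL name that collides with a well-known Windows DLL raises the severity. The sample paths, the list of commonly sideloaded DLL names and the trusted roots are illustrative assumptions.

```python
import ntpath

# Constructed records in the shape of Sysmon Event ID 7 (ImageLoad), reduced to the fields the
# heuristic needs. `Signed`/`SignatureStatus` describe the loaded module, as in Sysmon.
# These are made-up paths, not telemetry from any real intrusion.
SAMPLE_IMAGE_LOADS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\Updater.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Vendor\\App.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\alice\\Downloads\\tool\\tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\tool\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\Updater.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\Updater.exe",  # main module, not a DLL
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Illustrative set of Windows DLL names frequently impersonated for sideloading; extend from your own hunting.
COMMONLY_SIDELOADED = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll",
                       "cryptbase.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll"}

# Directory roots where a DLL sitting next to its EXE is expected (assumed for the example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def find_sideload_candidates(events):
    """Return a finding per image load that looks like DLL sideloading.

    Rule: the loaded module is a DLL, it lives in the same directory as the process image,
    that directory is outside TRUSTED_ROOTS, and the DLL is not validly signed.
    """
    findings = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        if not loaded.lower().endswith(".dll"):
            continue
        image_dir = ntpath.dirname(image).lower()
        loaded_dir = ntpath.dirname(loaded).lower()
        if image_dir != loaded_dir:
            continue  # DLL came from elsewhere (e.g. System32); not the sideloading pattern
        if any(loaded_dir.startswith(root) for root in TRUSTED_ROOTS):
            continue  # vendor-installed app loading its own DLLs from its install directory
        if ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid":
            continue  # validly signed DLL; low value for this rule
        dll_name = ntpath.basename(loaded).lower()
        collides = dll_name in COMMONLY_SIDELOADED
        findings.append({
            "severity": "high" if collides else "medium",
            "process": image,
            "dll": loaded,
            "reason": "unsigned DLL loaded from the process directory"
                      + (", name collides with a Windows DLL" if collides else ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_IMAGE_LOADS):
        print(f["severity"].upper(), f["process"], "->", f["dll"], "|", f["reason"])
```

The same rule ports to a SIEM query over real Sysmon data; the point of the directory comparison is that the legitimate executable in Mustang Panda’s archives is clean and often signed, so hunting on the loaded DLL’s location and signature, not on the process, is what surfaces the pair.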
MITRE gets last-minute bailout from CISA
The CVE program, short for Common Vulnerabilities and Exposures, is a publicly available list of known cybersecurity vulnerabilities. Each vulnerability gets a unique ID (like CVE-2025-12345) that helps security professionals, software vendors, and researchers talk about the same issue using the same name—kind of like a universal language for bugs.
Managed by MITRE Corporation and funded by the U.S. government, the program plays a critical role in threat intelligence, patch management, and security automation. It’s the backbone for many tools and databases, including the National Vulnerability Database (NVD), and it helps defenders prioritize which issues to fix first. Think of it as the Dewey Decimal System of cybersecurity flaws.
In a critical development for global cybersecurity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended funding for the Common Vulnerabilities and Exposures (CVE) program, reportedly for eleven months, preventing an imminent lapse in this essential service.
The funding extension comes just hours before the program’s contract was set to expire. MITRE had warned that a break in service could lead to significant disruptions, including the deterioration of national vulnerability databases, challenges for tool vendors, and impediments to incident response operations.
Amid these developments, a group of CVE Board members announced the formation of the CVE Foundation, a non-profit organization aimed at ensuring the long-term stability and independence of the CVE program. The Foundation seeks to mitigate the risks associated with reliance on a single government sponsor by establishing a dedicated entity focused on maintaining the integrity and availability of CVE data for defenders worldwide.
Concurrently, MITRE Corporation is facing significant organizational changes, announcing plans to lay off 442 employees at its McLean, Virginia location by June 3, 2025. MITRE attributed the layoffs to contract cancellations by the Department of Government Efficiency (DOGE), reflecting broader challenges in the federal contracting landscape.
The swift action by CISA to extend funding underscores the critical importance of the CVE program in maintaining national and global cybersecurity infrastructure. The establishment of the CVE Foundation represents a proactive step toward ensuring the program’s resilience and independence in the face of funding uncertainties. (Bleeping Computer and The Verge)
Texas votes to spin up their very own Cyber Command
The Trump administration has voiced its intentions to shift responsibilities from the federal government to the states. The Texas House has passed legislation to create a new state cybersecurity agency, the Texas Cyber Command, aimed at defending against growing cyber threats. Backed by $135 million over two years, the command would operate through the University of Texas System, based at UT San Antonio. It will focus on cyber threat response, forensics, and training, while centralizing efforts previously handled by the Department of Information Resources. Governor Abbott has called the bill an emergency priority amid rising cyberattacks on Texas infrastructure. (Texarkana Gazette)
Krebs exits SentinelOne after security clearance pulled
Following up on a story we brought to you Friday on Cyber Security Headlines, Chris Krebs has resigned as SentinelOne’s Chief Intelligence and Public Policy Officer, effective immediately. This follows a presidential order that revoked Krebs’ security clearance and ordered a review of CISA’s conduct under his leadership. In a farewell note to SentinelOne staff, Krebs said, “I want to be clear: this is my decision, and mine alone. This is my fight, not the company’s. This will require my complete focus and energy. It’s a fight for democracy, for freedom of speech, and for the rule of law. I’m prepared to give it everything I’ve got.” (SecurityWeek)
CISA warns of potential data breaches caused by legacy Oracle Cloud leak
In another follow-up to a story we covered last week, federal officials at CISA on Wednesday warned of the potential fallout of a data breach impacting Oracle. The incident surfaced when the alleged hacker boasted on social media that they were selling Oracle’s stolen data on cybercriminal forums. The claims were substantiated by CloudSEK, CybelAngel and several other cybersecurity firms. Last week, Oracle admitted that credential data was stolen “from two obsolete servers” but not from its Oracle Cloud Infrastructure (OCI). CISA said, “The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments.” The agency urged organizations to reset passwords for affected services, review source code and configuration for embedded credentials, monitor authentication logs, and report any incidents to authorities. (The Record)
Government CVE funding set to end today
MITRE confirmed to Reuters that its contract to fund the Common Vulnerabilities and Exposures, the familiar CVE database, expires on April 16, today. CISA confirmed the status of the contract, saying “we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.” Reuters did not receive comment from CISA or MITRE as to why the contract lapsed. (Yahoo)
China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
China has accused three alleged U.S. operatives of conducting cyberattacks during February’s Asian Winter Games in Harbin. According to Chinese authorities, the individuals, reportedly linked to the NSA, targeted event management systems holding sensitive personal data. The cyberattacks allegedly disrupted Games operations and extended to critical infrastructure in Heilongjiang province, including energy, telecom, and defense institutions, as well as tech giant Huawei. China claims the attacks caused serious national harm and has urged the U.S. to stop its alleged cyber operations. While offering no concrete evidence, China says it will take further steps to protect its cybersecurity. The U.S. has not responded to the accusations. Both countries routinely blame each other for cyber espionage, fueling ongoing tensions in cyberspace. (Reuters)
Hertz confirms customer info, drivers’ licenses stolen in data breach
Hertz has confirmed a data breach affecting customers of its Hertz, Thrifty, and Dollar brands, stemming from zero-day vulnerabilities in Cleo’s file transfer platform exploited by the Clop ransomware gang. Stolen data may include names, contact details, driver’s license and credit card information, and, in some cases, Social Security and government IDs. Though no misuse has been reported yet, leaked data has appeared on Clop’s extortion site, and Hertz is offering affected individuals two years of free identity monitoring. (BleepingComputer)
Major banks limit information sharing following breach of Treasury Department’s OCC
Several major U.S. banks, including JPMorgan Chase and BNY Mellon, have paused electronic communications with the Office of the Comptroller of the Currency (OCC) following a major breach of the agency’s email system, Bloomberg reports. Hackers accessed over 100 accounts for more than a year, prompting fears that sensitive data—such as banks’ cybersecurity reports and even National Security Letters—may have been exposed. The OCC is working with Microsoft, CrowdStrike, and Mandiant to investigate. Though on-site examiners still have access, banks worry the compromised data could aid future cyberattacks. The incident, now deemed a “major” breach, has triggered congressional scrutiny and raised serious concerns about the OCC’s cybersecurity safeguards, with experts warning that trust between banks and regulators has been fundamentally shaken. (Bloomberg)
Chinese espionage group leans on open-source tools to mask intrusions
In a new campaign observed by researchers at Sysdig, Chinese espionage group UNC5174 has been using the open-source VShell remote access tool, with its traffic carried over WebSockets, to mask its presence. Researchers note the group’s use of this tooling to communicate with command-and-control infrastructure and perform post-exploitation tasks, which points to a shift away from custom-built malware. This marks a new approach for UNC5174, which has historically relied on bespoke malware for attacks targeting Western governments, technology companies, and research institutions. (CyberScoop)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.