In this week’s cyber news roundup, we delve into a range of critical incidents and updates. From a massive data breach impacting over 500,000 individuals at the Pennsylvania State Education Association, to the active exploitation of vulnerabilities in Fortinet and Apache Tomcat, cyber threats continue to evolve. We’ll also touch on Google’s $32 billion acquisition of Wiz, the U.S. government’s warning on cybersecurity team layoffs, and a ransomware attack in the remote island nation of Yap. Stay tuned as we break down these stories and their implications for cybersecurity. At RedSeal, we’re dedicated to helping organizations proactively manage their cyber exposure and reduce risk, ensuring that threats like these don’t catch you off guard.

A Pennsylvania union notifies over 517,000 individuals of a data breach  

The Pennsylvania State Education Association (PSEA) is notifying over 517,000 individuals of a data breach from July 2024, where attackers stole personal, financial, and health data, including Social Security numbers and payment information. The Rhysida ransomware gang claimed responsibility, demanding a 20 BTC ransom. PSEA has not disclosed if it paid. Rhysida has previously attacked major institutions, including the British Library and Lurie Children’s Hospital. Affected individuals are offered free credit monitoring and urged to monitor their accounts. (Bleeping Computer)

Veeam patches backup and replication vulnerabilities  

The defect, which has a CVE number and a CVSS score of 9.9, could allow for “remote code execution by authenticated domain users.” It affects numerous backup and replication versions in the 12.x range. According to cybersecurity firm watchTowr, which reported the vulnerability, it is “rooted in a broader issue within Veeam’s deserialization mechanism,” which, watchTowr says, the company has “failed to properly address.” watchTowr also points out that “while the exploitation of the new vulnerability requires for the attacker to be logged in, the authentication requirement is fairly weak.” (SecurityWeek)

Nation-state groups hit organizations with Microsoft Windows zero-day  

Researchers at Trend Micro “discovered and reported this particular eight-year-old defect to Microsoft six months ago, but no remediations or fixes have arrived as of yet. The vulnerability does not yet have a CVE number but it “allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut .lnk files, also known as shell link files. According to the researchers’ report, a link to which is included in the show notes, state-sponsored groups have been exploiting the zero-day since 2017, targeting governments, think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors, according to researchers. (Cyberscoop and Trend Micro)

CISA confirms active exploitation of a critical Fortinet vulnerability  

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical Fortinet vulnerability (CVE-2025-24472) in ransomware attacks. The flaw, affecting FortiOS and FortiProxy, allows attackers to gain super-admin privileges via crafted proxy requests. Linked to the Mora_00 ransomware group, it has been exploited to deploy a new strain called SuperBlack. Additionally, CISA flagged a supply chain vulnerability (CVE-2025-30066) in the tj-actions/changed-files GitHub Action, which impacted over 23,000 organizations. Attackers modified the code, exposing CI/CD secrets in GitHub Actions logs. Organizations are urged to patch Fortinet devices (FortiOS 7.0.17, 7.2.13, 7.0.20) and ensure they’re using a secure version of the GitHub Action to prevent further exploitation. (Infosecurity Magazine)

Attackers swipe data from Pennsylvania teachers union  

The Pennsylvania State Education Association (PSEA) reported to the Office of the Maine Attorney General that they suffered a breach impacting 517,487 people. The nonprofit said the attack occurred on July 6 and exposed sensitive financial and health information. Although PSEA’s disclosure didn’t explicitly mention ransomware or extortion, it did say that steps were taken to ensure the stolen data was deleted. The Rhysida ransomware gang publicly claimed responsibility for the attack back in September 2024. (The Record and Bleeping Computer)

IBM warns of critical vulnerabilities in AIX  

IBM’s Advanced Interactive eXecutive (AIX) operating system rarely makes the cyber news these days. But IBM is now urging its customers to apply patches after disclosing two critical vulnerabilities (CVE-2024-56346 and CVE-2024-56347), one of which carries a maximum severity score of 10. Both flaws are caused by improper process controls and allow remote attackers to execute arbitrary commands. Third-party sources suggest around 9,000 organizations still use the OS, which is generally deployed in critical applications powering high-value industries. IBM said AIX versions 7.2 and 7.3 are both vulnerable and should be updated immediately. (The Register)

An Apache Tomcat vulnerability is under active exploitation  

A critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited. The flaw, disclosed on March 10, 2025, allows attackers to gain control of servers via a simple PUT request. Exploits appeared on GitHub just 30 hours after disclosure. Attackers upload base64-encoded payloads via a PUT request, then trigger execution with a GET request using a JSESSIONID cookie. Security tools struggle to detect this due to encoded payloads and multi-step execution. Apache urges immediate updates to Tomcat 11.0.3+, 10.1.35+, or 9.0.99+. Meanwhile, organizations should disable partial PUT support and restrict sensitive file storage. (Cyber Security News)

Google acquires cybersecurity firm Wiz for $32 billion  

Alphabet’s Google Cloud has acquired cloud-based cybersecurity firm Wiz for $32 billion. Wiz was founded in Israel and was valued at $16 billion in 2024 while preparing for an IPO. This more than doubles Alphabet’s acquisition of Motorola Mobility for $12.5 billion in 2012. The Financial Times’ sources say that Wiz and Alphabet have agreed to a $3.2B termination fee, which lets Wiz run like an independent company, if the deal falls through or is significantly delayed. (The Verge)

Google doesn’t deny receiving a secret legal order from the UK government  

Google has refused to deny receiving a secret legal order from the UK government, raising concerns among U.S. lawmakers. A bipartisan group in Congress fears that British authorities may be demanding access to encrypted messages from U.S. tech companies. This follows reports that Apple received a similar order, known as a Technical Capability Notice (TCN), which it is reportedly contesting in a closed court hearing. Lawmakers criticized the secrecy surrounding these orders, arguing it hinders congressional oversight and threatens Americans’ privacy. Under the UK’s Investigatory Powers Act, companies that receive a TCN are barred from confirming it. Experts, including from Britain’s intelligence community, have called for more transparency, with academics warning that the government’s refusal to clarify the situation is unsustainable and unjustifiable. (The Record)

The White House is urging federal agencies not to lay off cybersecurity teams  

The White House is urging federal agencies not to lay off cybersecurity teams as they submit budget cut plans. U.S. federal CIO Greg Barbaccia emphasized in an email that cybersecurity is national security and should be protected. The warning comes amid concerns that deep budget cuts mandated by President Trump and adviser Elon Musk could weaken national cyber defenses. Former NSA cybersecurity director Rob Joyce warned that mass layoffs would be “devastating.” The Musk-led Department of Government Efficiency (DOGE) has also drawn criticism for granting unusually broad access to sensitive government data. At the Social Security Administration, officials raised alarms about the security risks posed by DOGE. Meanwhile, the Department of Homeland Security’s CISA has already lost over 130 positions as of mid-February.

Elon Musk reportedly visited the NSA on Wednesday, meeting with leadership to discuss staff cuts and operations. The NSA, a key player in U.S. cybersecurity and home to Cyber Command, is under Musk’s scrutiny as he pushes for government downsizing. His visit signals potential changes to intelligence and cyber operations. While Musk recently called for an NSA overhaul, he hasn’t detailed specific reforms. Intelligence officials are bracing for swift changes that could impact national cybersecurity. (Reuters)

Denmark warns of Europe telecom threat  

The cybersecurity agency of Denmark made this warning in a threat assessment published last Thursday warning of “an increase in state-sponsored cyber espionage activities targeting the telecommunications sector in Europe.” Although no direct mention of Salt Typhoon’s activities in the U.S. was made in the statement, nor has there been any confirmation of Salt Typhoon activity in Europe, the Danish agency stated “there have been several attempts at cyber espionage against the European telecommunications sector in the past few years,” and it worries that European governments may “lack the political incentives to make a public attribution even if China is identified as responsible.” (The Record)

Micronesian island suffers cyberattack  

To show that nowhere on earth is safe from cybercrime, the tiny island nation of Yap has suffered a ransomware attack, forcing the shutdown of all computers in its government health agency. Yap is one of the four states of the Federated States of Micronesia (FSM) and is located in the middle of the Pacific Ocean equidistant between the Philippines and Guam. Health officials from the island announced the attack, which occurred on March 11, on Facebook, stating that health services are still continuing, but are slower due to systems having been taken offline. (Security Affairs)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

The growing speed of cybercriminal attacks is moving faster than ever. In this week’s roundup, we cover critical cybersecurity updates, including vulnerabilities in the popular ESP32 Bluetooth chip and a new House bill requiring federal contractors to implement vulnerability disclosure policies. Plus, we discuss the cyberattack impacting X, a breach in the U.S. electric grid by Chinese hackers, and the latest zero-day vulnerabilities. Stay informed with these important cybersecurity developments.

Undocumented commands found in Bluetooth chip used by a popular Wi-Fi and Bluetooth devices  

As described in BleepingComputer, “the ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023, contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.” Researchers from Tarlogic Security, speaking at RootedCON in Madrid point out that ESP32 is “one of the world’s most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.”  (BleepingComputer)

House bill requires federal contractors to implement vulnerability disclosure policies  

The bill is named the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 and it “instructs the Office of Management and Budget (OMB) to consult with CISA, the Office of the National Cyber Director, NIST, and other relevant departments, and require federal contractors to have a VDP that is consistent with NIST guidelines.” The same is required of the Defense Department. A letter signed by representatives of proponents of the bill including HackerOne, Bugcrowd, Microsoft, Infoblox, Rapid7, Trend Micro, Tenable, and Schneider Electric, state that “contractors, given the vast amount of sensitive data they handle, are prime targets for cyber threats. As a result, the bill ensures all companies contracting with the federal government adhere to security best practices.” (Security Week)

Cybercriminals sped up their attacks last year  

Two security companies, CrowdStrike and ReliaQuest, are reporting separately that “in the past year ransomware groups achieved lateral movement within an average of 48 minutes after gaining initial access to targeted environments,” with the fastest breakout time recorded being 51 seconds. This is an improvement – for the threat actors – from 2023 when the average breakout time for interactive cybercrime intrusions was 62 minutes. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, in making his company’s announcement, added, “not only are these adversaries using different techniques, different capabilities, they’re doing it faster, and they’re iterating faster than many of the enterprises that they’re targeting.” (Cyberscoop)

Cyber attack allegedly behind X outages  

Elon Musk blamed a “massive cyberattack” on multiple X outages on Monday, while hacking group Dark Storm Team claimed responsibility. According to Downdetector, reports of outages spiked throughout the morning, with peaks at 6 a.m., 10 a.m., and 11:30 a.m. ET, impacting tens of thousands of users. Newsweek and other outlets report that Dark Storm Team, a pro-Palestinian hacking group known for targeting NATO countries and Israel, took credit for the attack via Telegram. While Musk suggested a large, coordinated group or nation-state may be involved, X is still dealing with intermittent issues as of this recording. (ZDNet)

CISA warns of critical Ivanti and VeraCode vulnerabilities  

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three critical Ivanti Endpoint Management vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) to its Known Exploited Vulnerabilities (KEV) catalog. These path traversal flaws (CVSS 9.8) allow unauthenticated attackers to leak sensitive information remotely. CISA also flagged two VeraCode vulnerabilities, including CVE-2024-57968 (CVSS 9.9), an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. The agency urges all organizations to immediately patch these issues to prevent cyberattacks. Ivanti software has faced multiple exploitations in 2025, with previous Connect Secure and Cloud Service Appliance vulnerabilities actively targeted by threat actors. (Infosecurity Magazine)

Researchers report increased activity from the SideWinder APT group  

Researchers at Securelist report increased activity from the SideWinder APT group in 2024, with enhanced malware, expanded targets, and global reach. Traditionally focused on military and government entities, the group now targets maritime, logistics, and nuclear sectors across South Asia, Southeast Asia, the Middle East, and Africa. Using spear-phishing emails, SideWinder exploits the CVE-2017-11882 vulnerability to deploy StealerBot, a post-exploitation toolkit. Their malware, disguised as legitimate DLL files, includes advanced evasion techniques like Control Flow Flattening. SideWinder rapidly adapts, modifying malware within five hours of detection. Their continued reliance on old vulnerabilities underscores the importance of patching outdated systems to defend against sophisticated threats targeting critical infrastructure worldwide. (Cyber Security News)

Ballista Botnet hits TP-Link devices  

A new report from the Cato CTRL team details how threat actors exploit a high-severity command injected vulnerability to execute code on TP-Link Archer AX-21 routers to deploy the botnet ultimately. This flaw isn’t new, the first evidence of exploitation dates back to April 2023. The researchers saw the Ballista campaign using the flaw in January 2025. The attackers use a shell script to execute a malware binary across various system architectures, which opens the door to remote code execution or a denial of service. The researchers noted the malware can erase itself once execution begins, covering its tracks while spreading to other routers. Newer Ballista variants use TOR network domains rather than hardcoded IP addresses, indicating its under active development. Research by Censys found that Ballista infected over 6,000 devices across Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. (The Hacker News)

Apple issues emergency updates for a zero-day WebKit vulnerability  

Apple has issued emergency security updates to patch CVE-2025-24201, a zero-day WebKit vulnerability actively exploited in targeted attacks. The flaw, an out-of-bounds write issue, allows malicious web content to escape the Web Content sandbox, potentially enabling unauthorized actions. The update affects iOS, iPadOS, macOS, Safari, visionOS, and tvOS. Apple warns that the vulnerability was used in sophisticated attacks on older iOS versions. This is Apple’s third zero-day fix in 2025, following similar patches in January and February. Users should update immediately to mitigate risks, as Apple has not disclosed attacker details or targets. (Cyber Security News)

Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days 

Microsoft released patches for 57 security flaws, including 6 actively exploited zero-days affecting Windows Kernel, NTFS, FAT File System, and Microsoft Management Console. Exploits involve use-after-free, integer overflow, and heap-based buffer overflow, with PipeMagic malware used in targeted attacks. Threat actors can chain vulnerabilities to execute remote code via malicious VHD files. The U.S. Cybersecurity and Infrastructure Security Agency – or CISA – has ordered federal agencies to apply fixes by April 1, 2025. (The Hacker News)

China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days  

Security firm Dragos published a case study revealing that the Chinese hacker group Volt Typhoon infiltrated the U.S. electric grid through a breach at Littleton Electric Light and Water Departments (LELWD) in Massachusetts. The hackers had access to the utility’s network for over 300 days, collecting sensitive operational technology (OT) data, including information on energy grid operations. This data could be used for future targeted attacks. Volt Typhoon, linked to the Chinese government, has been previously associated with espionage and attacks on U.S. critical infrastructure. (Security Week)

In Memoriam: Mark Klein, AT&T Whistleblower Who Revealed NSA Mass Spying  

Mark Klein, the former AT&T technician who exposed a secret NSA surveillance program, has died. Klein revealed that the NSA had installed a secret room at AT&T’s San Francisco office, where internet data was copied and routed to the government. In 2006, he brought over 100 pages of evidence to the Electronic Frontier Foundation, which led to lawsuits against the NSA and increased public awareness of mass surveillance. Despite threats from AT&T, Klein stood by his claims, inspiring reforms and greater scrutiny of government spying. (EFF)

A UK hospital finds thousands of unwelcome guests on their network  

Our device inventory desk tells us that the Princess Alexandra Hospital in the UK) recently discovered that PlayStations, coffee machines, and even passing electric cars were connecting to its network. Deputy director of ICT Jeffery Wood admitted, “Our attack surface was much bigger than we thought,” after finding 5,000–10,000 unknown devices lurking in their system. This alarming revelation came during a trial of a cyber exposure platform, part of a broader tech modernization effort.

With no dedicated cybersecurity team, the hospital’s infrastructure staff handles security, integrating automated tools, XDR, and AI-driven protections. Network segmentation has even freed the marketing team to use Apple devices—previously banned. However, zero-trust security remains a distant dream. Deputy Director Wood says the hospital is embracing a “one NHS” partnership model rather than siloed vendor relationships, but warns: “This isn’t just cyber risk. This is risk. Attacks could harm our patients.”

Nothing like a cybersecurity audit to find out your MRI machine shares a network with someone’s PS5. (Computing)

Medusa ransomware continues to attack infrastructure  

In a joint alert released March 12, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning that as of February of this year, “Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing.” The group, which is unrelated to MedusaLocker, engages in double extortion, and use phishing and unpatched vulnerabilities for initial access. The group’s practices include “disabling security software, terminating processes related to backups, security, data sharing, and communication, and erasing shadow copies to prevent file recovery.” A link to the alert is available in the show notes to this episode. (Security Week and CISA)

DoJ seeks to break up Google  

As posted in The Cyberwire, “on Friday, the Department of Justice (DOJ) submitted a request that would aim to break up Google by forcing the company to sell Chrome. In its filing, the DOJ stated that Google’s illegal conduct has created an economic goliath, one that wreaks havoc over the marketplace to ensure that no matter what occurs, Google always wins.” These filings follow a 2023 antitrust case in which “Google was found guilty of monopolistic practices regarding the company’s search engine services,” as well as a second antitrust lawsuit from 2024 that is “examining whether the company has also engaged in monopolistic behaviors related to its advertising business.” The ruling, expected this summer, “has the potential to significantly impact how Google operates, how users interact with its services, and the overall landscape of the search engine business.” (The Cyberwire)

Chinese spy group exploits Juniper Networks routers  

Researchers at Mandiant are warning of a state-backed espionage group operating out of China, UNC3886, targeting routers made by Juniper Networks. This is a group we reported on in June 2023, when they were exploiting a VMware ESXi zero-day. In this latest report Mandiant says the group was involved in a project to deploy custom backdoors on Junos OS routers and that the group’s focus is “mainly on defense, technology, and telecommunication organizations located in the U.S. and Asia.” They pointed out that the affected routers were running end-of-life hardware and software, but also that the malware deployed on the Juniper routers “demonstrates that UNC3886 has in-depth knowledge of advanced system internals.” (The Record

In recent cybersecurity news, several high-profile incidents highlight growing threats and vulnerabilities across sectors. Belgium’s State Security Service is investigating a cyber-espionage operation allegedly linked to Chinese hackers, who compromised the agency’s email system. Meanwhile, the PolarEdge botnet is exploiting vulnerabilities in critical edge devices from Cisco, ASUS, and others, while reports reveal a significant increase in the time it takes to patch software vulnerabilities, now averaging eight and a half months. These incidents highlight the urgent need for robust cybersecurity measures to protect both government and private sector infrastructure.

A cybersecurity veteran takes CISA’s lead  

Karen Evans, a seasoned federal IT and cybersecurity expert, has been appointed as the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). In this prominent role, she will lead efforts to protect federal civilian agencies and the nation’s critical infrastructure against cyber threats. Evans brings extensive experience from her previous positions, including Chief Information Officer at the Department of Homeland Security, Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, and Administrator of E-Government and Information Technology at the Office of Management and Budget. Her appointment fills a key leadership position within CISA, which has been without a permanent director since January 2025. (Cyberscoop)

A Belgium spy agency is hacked  

Belgium has initiated a judicial investigation into an alleged Chinese cyber-espionage operation that compromised the email system of its State Security Service (VSSE). Between 2021 and 2023, unidentified Chinese state-sponsored hackers reportedly siphoned off 10% of the agency’s incoming and outgoing emails. The attackers exploited a vulnerability in an email security product from Barracuda Networks, deploying malware strains Saltwater, SeaSpy, and Seaside to establish backdoors into compromised systems. While classified internal communications remained secure, the breach affected an external server handling communications with government ministries and law enforcement, potentially exposing personal data of nearly half the VSSE’s staff and past applicants. Belgian officials have refrained from commenting on the specifics, citing the ongoing nature of the investigation. (The Record)

PolarEdge botnet exploits Cisco ASUS, QNAP, and Synology  

According to French cybersecurity company Sekoia, this is a new malware campaign which targets edge devices from Cisco, ASUS, QNAP, and Synology to pull them into a botnet named PolarEdge. It has been operating since at least the end of 2023. The campaign leverages an unpatched end of life CVE-numbered critical security flaw (CVE-2023-20118) that impacts Cisco Small Business routers that could result in arbitrary command execution on susceptible devices. The vulnerability is said to have been used to deliver a TLS backdoor that incorporates the ability to listen for incoming client connections and execute commands. (The Hacker News)

Software vulnerabilities take almost nine months to patch  

A State of Software Security report released by Veracode shows the average fix time for software security vulnerabilities has “risen to eight and a half months, a 47% increase over the past five years.” This is also 327% higher than 15 years ago, “largely as a result of increased reliance on third-party code and use of AI generated code.” Furthermore, the report says, “half of all organizations have critical security debt – defined as accumulated high severity vulnerabilities left open for longer than a year, and 70 percent of this critical security debt comes from third-party code and the software supply chain. (InfoSecurity Magazine)

Thousands of exposed GitHub repositories, now private, can still be accessed through Copilot  

Security researchers at Israeli cybersecurity company Lasso found that Microsoft Copilot retains access to thousands of once-public GitHub repositories, even after they’ve been set to  private. Using Bing’s cache, Lasso identified over 20,000 affected repositories, exposing sensitive data from major companies like Google, IBM, and Microsoft. Microsoft classified the issue as “low severity.”  (TechCrunch)

HaveIBeenPwned Adds 244 Million Passwords Stolen By Infostealers  

HaveIBeenPwned has added 244 million stolen passwords and 284 million compromised email accounts to its database, sourced from 1.5TB of infostealer logs shared on Telegram. The data was linked to a major distribution channel called “Alien Textbase,” which published the logs in 744 files. HIBP also introduced two new APIs allowing domain owners to check for compromised credentials. Infostealers, increasingly used in cyberattacks, spread through phishing, malicious ads, and pirated software, with stolen data fueling major breaches like those affecting Ticketmaster and AT&T. (Infosecurity)

CISA adds an Oracle Agile PLM flaw to its Known Exploited Vulnerabilities (KEV) catalog

CISA has added CVE-2024-20953, an Oracle Agile PLM flaw, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity deserialization vulnerability, patched in January 2024, allows low-privileged attackers to execute arbitrary code. While no public reports confirm active exploitation, experts believe attackers likely use it post-initial access. Oracle vulnerabilities, particularly WebLogic flaws, remain frequent attack targets. (Security Week)

A sophisticated macOS malware campaign is distributing Poseidon Stealer  

A sophisticated macOS malware campaign is distributing Poseidon Stealer via a fake DeepSeek AI website, according to cybersecurity researchers. The malware bypasses macOS Gatekeeper and harvests sensitive data, including browser credentials, cryptocurrency wallets, and system keychains. Attackers use malvertising to lure victims to a counterfeit site, delivering the malicious DMG file. Poseidon employs anti-analysis techniques and exfiltrates stolen data via curl POST requests. Security experts recommend restricting osascript execution, using next-gen antivirus (NGAV), and educating users on Terminal-based threats to mitigate the risk.

Meanwhile, a privilege escalation vulnerability in Parallels Desktop remains unpatched, with two exploits publicly disclosed, allowing attackers to gain root access on Macs. Security researcher Mickey Jin bypassed Parallels’ previous fix for CVE-2024-34331, a flaw stemming from missing code signature verification. Despite seven months of warnings, Parallels has not addressed the issue, leaving all known versions vulnerable. Jin urges users to take proactive security measures as attackers could exploit this in the wild. (Bleepingcomputer)

Chinese group Silver Fox is spoofing medical software  

A Chinese government-backed hacking group, Silver Fox, is spoofing medical software to infect hospital patients’ computers with backdoors, keyloggers, and cryptominers, according to Forescout’s Vedere Labs. The malware mimics Philips DICOM image viewers and other healthcare applications, tricking victims into installing ValleyRAT, a remote access tool. The attack uses PowerShell commands to evade detection and downloads encrypted payloads from Alibaba Cloud. While targeting individuals, the malware could spread into hospital networks through infected patient devices, posing a major cybersecurity risk to healthcare organizations. (The Register)

Cyberattacks targeting ICS and OT surged dramatically last year  

Cyberattacks targeting industrial control systems (ICS) and operational technology (OT) surged dramatically by 87% in 2024, according to cybersecurity firm Dragos. Ransomware attacks on industrial infrastructure also increased by 60%, reflecting heightened geopolitical tensions involving conflicts like Russia-Ukraine and China-Taiwan. Experts warn that state-sponsored groups, such as China’s Volt Typhoon, are infiltrating critical infrastructure, preparing potential future disruptions. Volt Typhoon has notably identified strategic U.S. targets, including power substations critical for military deployments. Alarmingly, non-state cybercriminals are gaining ICS expertise through collaboration with state actors, broadening attack capabilities and risks to critical infrastructure. This shift threatens more frequent, indiscriminate attacks as cybercriminal groups increasingly target industrial systems for financial or disruptive objectives. (Cyberscoop)

Linux backdoor used in the wild  

Researchers at Palo Alto Networks’ Unit 42 discovered an undocumented Linux backdoor called Auto-Color, used by threat actors against government and university targets in North America and Asia from November to December 2024. Researchers don’t know the initial attack vector. If run with root privileges, it installs a malicious library implant, copies itself to the system directory, and modifies files to ensure it executes before other system libraries. Without root access, the malware can still provide remote access to threat actors but lacks persistence. Once running, it uses a custom encryption algorithm to talk with C2 servers. (Bleeping Computer)

Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility  

Security researchers at Tenable uncovered zero-day vulnerabilities in Fluent Bit, a widely used logging utility embedded in cloud platforms like AWS, Google Cloud, and Microsoft Azure. The flaws, CVE-2024-50608 and CVE-2024-50609 (CVSS 8.9), exploit null pointer dereference weaknesses in the Prometheus Remote Write and OpenTelemetry plugins, exposing billions of production environments to cyber threats. Attackers can crash Fluent Bit servers or leak sensitive data using simple HTTP requests. These vulnerabilities affect Kubernetes deployments, enterprise logging systems, and compliance workflows, with major users including Cisco, Splunk, and VMware. Patches are available in v3.0.4 and v2.2.3, but unpatched systems remain at high risk. Experts urge immediate updates, API access restrictions, and security audits to prevent widespread service disruptions and data leaks. (Cyber Security News)

Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server  

Security researchers at The DFIR Report have uncovered a LockBit ransomware attack that exploited CVE-2023-22527 in a Windows Confluence server. The attackers gained initial access through a remote code execution (RCE) vulnerability, quickly deploying Mimikatz, Metasploit, and AnyDesk to escalate privileges and move laterally across the network via RDP. They used Rclone to exfiltrate data to MEGA.io before executing the ransomware. PDQ Deploy was leveraged to automate the spread of LockBit across critical systems, ensuring widespread encryption. The entire attack—from initial compromise to ransomware deployment—was completed in just two hours.The researchers emphasize the importance of patching Confluence vulnerabilities, monitoring network activity, and restricting remote access to prevent similar intrusions. This case underscores the growing sophistication and speed of ransomware operations targeting unpatched enterprise applications. (The DFIR Report)

Retired Gen. Paul Nakasone warns the U.S. is falling behind in cyberspace  

Retired Gen. Paul Nakasone warned that the U.S. is falling behind in cyberspace, with adversaries expanding their capabilities. Speaking over the weekend at DistrictCon in Washington DC, he cited Chinese-backed breaches and ransomware attacks as evidence of weak cybersecurity. He also expressed concern about cyber operations causing physical damage, predicting future attacks could disable platforms through digital means. Nakasone, now at Vanderbilt University, highlighted AI’s role in cyber offense, including autonomous targeting by AI-powered drones. He questioned the limits of AI-driven cyber weapons and their ability to bypass defenses.

He endorsed a more aggressive U.S. cyber strategy, citing past Cyber Command operations against Russian and Iranian hackers. He emphasized “persistent engagement” to keep cyber enemies in check. Nakasone stressed the need for top cyber talent, warning of recruitment challenges due to past government actions. He acknowledged ongoing Cyber Command reforms but avoided direct criticism of political leadership changes, stating that presidents choose their own advisers. (Cyberscoop)

Australia bans Kaspersky over security concerns  

Australia has joined the growing list of countries to ban Kaspersky products from government systems. Citing national security risks and concerns over potential Russian government influence, Australian agencies must remove the software by April 1, though limited exemptions may apply for national security or law enforcement functions. In a statement to multiple outlets, Kaspersky criticized the decision, arguing it lacked technical justification and was driven by geopolitical tensions. This move follows similar bans by the U.S., U.K., and Canada within the last year. (Security Week) , (The Hacker News), (Bleeping Computer), (The Record)

At RedSeal, we protect your network by providing precise asset visibility and attack path analysis. Our solutions help you proactively manage risks, identify vulnerabilities before they turn into threats, and ensure your defense strategy stays one step ahead. Read on for the full breakdown of this week’s critical cyber news.

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

The cybersecurity landscape never rests, and this week’s high-impact stories highlight the ever-evolving nature of threats and vulnerabilities. We’ve got the latest on a penetration test that escalated from a simulated breach to real-life arrests, a $500,000 business email compromise, and the latest on a critical vulnerability affecting Juniper Networks. Plus, don’t miss how Russian hackers are targeting Signal users and the ongoing risks posed by Salt Typhoon.

At RedSeal, we protect your network by providing precise asset visibility and attack path analysis. Our solutions help you proactively manage risks, identify vulnerabilities before they turn into threats, and ensure your defense strategy stays one step ahead. Read on for the full breakdown of this week’s critical cyber news.

The pentesters’ breach was simulated — their arrest was not  

And finally, two penetration testers from Threat Spike Labs learned the hard way that miscommunication can be more dangerous than actual hacking. During a simulated breach at a corporate office in Malta, the duo successfully gained unauthorized access, stole a master key card, and retrieved sensitive data—all part of an approved security assessment.

But then, things took a turn. The general manager who authorized the test panicked and called the police, convinced that real criminals were at work. Despite waving their authorization documents like a backstage pass at a concert, the testers were arrested and hauled in for questioning. Later, Curt Hems reflected on the experience: “Penetration tests don’t always end with a report—sometimes they end with flashing lights and handcuffs.”

Lesson learned? Tell law enforcement about security tests before they happen. Ironically, the security test worked—the company’s response was swift, even if it resulted in unnecessary arrests. (Cyber Security News)

Minerals company loses $500,000 to BEC scam  

NioCorp Developments, a company that operates a minerals project in southeast Nebraska focusing on the production of niobium, scandium, and titanium, has alerted regulators to a break-in that occurred on February 14. Threat actors allegedly “broke into its information systems, including portions of its email systems,” and misdirected a half-million dollars intended to be sent to a vendor. The company is taking steps to remediate the incident and to search for any additional damage. (The Register)

Microsoft working on fix for Windows 11 SSH connections bug  

Following up on a story we covered last November, Microsoft is now testing a fix for an issue that has been around since November which is breaking SSH connections on some Windows 11 22H2 and 23H2 systems. A fix has been included in the Windows 11 Build 26100 in its Release Preview Channel. When the problem first emerged in November, Microsoft said that only a limited number of devices running Windows 11 enterprise, IOT, and education editions were affected but the company is now investigating whether consumer customers using Windows 11 Home or Pro editions may also be at risk. (BleepingComputer)

Credential theft puts sensitive corporate and military networks at risk  

Hudson Rock has published an analysis of compromised credentials for sale on criminal marketplaces, finding hundreds of credentials belonging to US military agencies and contractors, Infosecurity Magazine reports. The credentials were likely stolen by infostealer malware delivered via social engineering. The researchers identified credentials belonging to accounts at Lockheed Martin, Boeing, and Honeywell, as well as the US Army and Navy, the FBI, and the Government Accountability Office. Some of the logs also included active session cookies that could allow attackers to bypass multifactor authentication. (infostealers)

Russian hackers tap into Signal conversations  

Russian state-backed hackers are exploiting Signal’s “linked devices” feature to hijack accounts by tricking targets—often Ukrainian military personnel—into scanning malicious QR codes. Once linked, attackers can intercept messages in real time without fully compromising the victim’s device. Google researchers identified multiple threat groups using this technique, with some embedding QR codes in phishing pages disguised as military applications or security alerts. Signal has rolled out security updates to counter these threats but urging users to take extra precautions when scanning QR codes.(Bleeping Computer), (The Record), (The Hacker News)

FBI official provides more detail on Salt Typhoon attack  

A top official at the FBI painted a clearer picture as to the sheer impact of the Salt Typhoon attack, speaking at the 2025 Zero Trust Summit, FBI deputy assistant director Cynthia Kaiser, emphasized the scale and indiscriminate nature of China’s data collection from major telecom providers. Officials say the breach compromised every group of people including, law enforcement information, call records, and even data on American children—raising concerns over its long-term impact. Kaiser asked the crowd, “Can any of you imagine a world in which China would have been stealing information about you as a 13-year-old? That’s precisely what American children are facing. And that’s going to follow them in the future.” Since being exposed last year, the U.S. has since sanctioned a Chinese national and a cybersecurity firm linked to the operation but Salt Typhoon remains active, with ongoing attacks on global networks.  (CyberScoop)

Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability  

Juniper Networks has issued a critical security advisory for CVE-2025-21589, an API authentication bypass vulnerability affecting Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to gain full administrative control by injecting spoofed JWTs, bypassing authentication checks.

Attackers can exploit this flaw to modify routing policies, intercept encrypted traffic, and move laterally across networks. The vulnerability affects multiple software versions and requires network adjacency but no user interaction. Juniper discovered the issue through internal testing, with no known exploitation as of February 18, 2025. Patches are available, and cloud-managed WAN Assurance routers received automatic fixes. Organizations must apply updates immediately, audit configurations, monitor API requests, and implement network segmentation to mitigate risks. Unpatched systems pose serious threats to SD-WAN and 5G infrastructure. (Cyber Security News)

CISA warns of an actively exploited iOS vulnerability  

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about CVE-2025-24200, a zero-day vulnerability in Apple iOS and iPadOS, actively exploited in targeted attacks. The flaw, an authorization bypass in Apple’s USB Restricted Mode, allows attackers with physical access to disable security protections on locked devices, potentially exposing sensitive data.

Apple confirmed the exploit has been used in highly sophisticated attacks against high-value individuals, possibly by state-sponsored groups. The vulnerability affects a wide range of Apple devices, including iPhone XS and later models. Emergency patches were released on February 10, 2025, and CISA urges users to update before March 5. While no specific surveillance vendors are named, the attack methods resemble those used by firms like NSO Group. Users should update immediately and enforce physical security measures. (Cyber Security News)

Palo Alto Networks confirms a recently patched firewall vulnerability is being actively exploited  

Palo Alto Networks has confirmed that CVE-2025-0108, a recently patched firewall vulnerability, is being actively exploited. The flaw, disclosed on February 12, allows unauthenticated attackers to bypass authentication and execute PHP scripts via the PAN-OS management interface. Threat intelligence firm GreyNoise detected exploit attempts starting February 13, with attacks originating from nearly 30 unique IPs. The vulnerability can be chained with CVE-2024-9474 for remote code execution, posing a serious risk to unpatched systems.

A proof-of-concept (PoC) exploit is publicly available, and researchers warn that roughly 3,500 PAN-OS management interfaces remain exposed. Palo Alto urges immediate patching, emphasizing that securing external-facing management interfaces is critical. Assetnote, which discovered the flaw, coordinated disclosure with Palo Alto, arguing transparency helps defenders track attacks rather than leaving organizations vulnerable in the dark. (Security Week)

New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now  

Two security vulnerabilities have been discovered in OpenSSH that could enable man-in-the-middle (MitM) attacks and denial-of-service (DoS) attacks. The MitM vulnerability affects versions 6.8p1 to 9.9p1 when the VerifyHostKeyDNS option is enabled, letting attackers impersonate legitimate servers. The DoS vulnerability affects versions 9.5p1 to 9.9p1, leading to resource exhaustion. Both issues are fixed in OpenSSH 9.9p2, which was released Tuesday. (The Hacker News)

Hackers waste no time exploiting a SonicWall proof-of-concept vulnerability  

Hackers are actively exploiting CVE-2024-53704, a high-severity authentication bypass in SonicWall firewalls, after a proof-of-concept (PoC) exploit was published. This vulnerability allows attackers to bypass multi-factor authentication (MFA), access private data, and disrupt VPN sessions. SonicWall released patches in January 2025, but as of February 7, around 4,500 devices remain unpatched. Arctic Wolf warns that cybercriminals often exploit firewall and VPN vulnerabilities for ransomware attacks, citing past incidents involving Akira ransomware. Organizations should immediately update SonicWall firewalls or follow mitigation steps to prevent attacks. Disabling SSLVPN is recommended if patching is not possible, as the public PoC increases the risk of exploitation. (Security Week)

Russian threat actors target Microsoft 365 accounts  

Volexity and Microsoft have published separate reports warning that multiple Russian threat actors are launching spearphishing attacks designed to compromise Microsoft 365 accounts. The threat actors are impersonating individuals from the US State Department, the Ukrainian Ministry of Defense, the European Union Parliament, and prominent research institutions. Volexity attributes the campaigns to at least three different Russian groups, including CozyLarch (which overlaps with Cozy Bear). Microsoft describes attacks from a Russian threat actor the company tracks as “Storm-2372.”

Notably, the attacks involve a lesser-known technique called “device code phishing,” in which users are tricked into granting access via the Microsoft Device Code OAuth workflow. Microsoft explains, “In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.” Volexity says “this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.” (Volexity, Microsoft)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.