Blog Archives - Page 3 of 30 - RedSeal

Critical Medical Data at Risk: Orthanc Server Vulnerability Exposed

A newly disclosed vulnerability in Orthanc, an open-source DICOM server widely used in healthcare, is raising serious alarms for the industry. If exploited, this vulnerability could allow attackers to gain unauthorized access to sensitive patient imaging records and even disrupt hospital operations. Given the critical nature of healthcare systems, this flaw poses a significant threat to both medical data and operational continuity.

The cybersecurity challenge in healthcare

This vulnerability highlights one of the many cybersecurity challenges within the healthcare sector. Medical systems are prime targets for cybercriminals because of the invaluable data they handle. This disclosure is a reminder that healthcare organizations must remain vigilant in securing their networks and systems, as even a single vulnerability can lead to severe consequences.

As healthcare organizations continue to digitize patient information and data, it’s more important than ever to prioritize network visibility and strong access controls. This proactive approach is essential in reducing the risk of unauthorized access and safeguarding patient data.

How RedSeal can help

RedSeal offers critical support to healthcare organizations looking to defend against such vulnerabilities:

  • Identify unprotected medical devices and network gaps: By mapping your network and identifying unprotected devices, RedSeal ensures that vulnerabilities like the one in Orthanc are identified and mitigated before they can be exploited.
  • Ensure proper segmentation to prevent unauthorized access: RedSeal provides the visibility needed to segment your network effectively, ensuring that sensitive data remains secure even if attackers breach one part of the system.
  • Map attack paths to critical healthcare assets: RedSeal helps organizations map attack paths to critical healthcare assets, enabling them to close gaps in defense and strengthen overall resilience.

The time to act is now

The ongoing threat landscape demands a proactive cybersecurity posture, and RedSeal is here to help. If you’re looking to fortify your healthcare systems, now is the time to ensure they are equipped to withstand evolving cyber threats. Let RedSeal guide you toward a more secure, resilient future.

To learn more about how RedSeal supports the healthcare industry, download our white paper, Healthcare Cybersecurity: Proactive Strategies for Network Visualization and Compliance today.

Cyber News Roundup for February 7, 2025

As cyber threats continue to evolve, this week’s roundup highlights several urgent vulnerabilities and incidents making headlines. From CISA’s warning on a critical Linux kernel flaw to growing concerns about SVG file-based phishing attacks, we explore the latest risks impacting organizations across sectors.

Staying ahead of emerging threats is crucial—especially with increasing exploitation of unpatched vulnerabilities. Read on for the latest updates, including cybersecurity guidelines, new malware variants, and trends in ransomware payments.

CISA directs federal agencies to patch a high-severity Linux kernel flaw

CISA has ordered U.S. federal agencies to patch a high-severity Linux kernel flaw (CVE-2024-53104) within three weeks due to active exploitation. The vulnerability, found in the USB Video Class (UVC) driver, enables privilege escalation on unpatched devices. Google patched it for Android users, warning of limited, targeted attacks. Security experts believe forensic tools may be exploiting this flaw. CISA also flagged critical vulnerabilities in Microsoft .NET and Apache OFBiz, urging manufacturers to enhance network forensic visibility to aid cyber defense. (Bleepingcomputer)

Cybercriminals exploit SVG files in phishing attacks

Researchers at Sophos say cybercriminals are exploiting Scalable Vector Graphics files in phishing attacks to bypass email security filters. SVG files, unlike typical image formats, can contain embedded links and scripts that direct victims to phishing sites. Attackers disguise these files as legal documents, voicemails, or invoices, using familiar brands like DocuSign and Microsoft SharePoint. Once opened, the file redirects users to fraudulent login pages that steal credentials. Some attacks also deliver malware or leverage CAPTCHA gates to evade detection. Researchers identified evolving tactics, including localized phishing pages and embedded keystroke loggers. Security experts recommend setting SVG files to open in Notepad instead of a browser and carefully checking URLs for legitimacy. Sophos suggests organizations should update email security solutions to detect malicious SVG attachments and prevent credential theft. (Sophos)
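Sophos’s advice to detect malicious SVG attachments, as an added example that is not part of the original roundup or of Sophos’s tooling: a small Python scanner that flags the features the story describes (script elements, event-handler attributes, and clickable links to outbound or script URIs) and treats an unparseable file as suspicious. The two sample attachments are constructed, and the `.example` domain is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements that let an SVG carry code or foreign (HTML) content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URI schemes that execute or smuggle content rather than point at an image.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return a list of human-readable findings for one SVG attachment.

    An empty list means nothing active or outbound was found. A document that
    does not parse is reported as a finding too: malformed XML is a common way
    to slip past naive filters. (For untrusted input in production, parse with
    defusedxml instead of the standard library to limit entity-expansion abuse.)
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc})"]

    findings = []
    for elem in root.iter():
        # Comments and processing instructions have a non-string tag; skip them.
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(f"active content element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
                continue
            if name == "href":  # covers both href and xlink:href
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme in DANGEROUS_SCHEMES:
                    findings.append(f"{scheme}: URI in href on <{tag}>")
                elif scheme in ("http", "https"):
                    findings.append(f"outbound link {value.strip()} on <{tag}>")
    return findings


def verdict(data):
    """Policy: an SVG attachment with any finding is quarantined."""
    return "quarantine" if scan_svg(data) else "allow"


# Constructed sample attachments (not real lures): a harmless icon and a
# document-themed SVG carrying a clickable outbound link plus a script element.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
    b'<circle cx="8" cy="8" r="6" fill="#3366cc"/></svg>'
)
LURE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">'
    b'<text x="20" y="40">Invoice ready for review</text>'
    b'<a xlink:href="https://invoice-review.example/sign-in">'
    b'<rect x="20" y="60" width="200" height="40"/></a>'
    b'<script>/* constructed placeholder for an embedded script */</script>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, verdict(blob), scan_svg(blob))
```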

Cisco patches multiple vulnerabilities

Cisco has released patches for multiple vulnerabilities, including two critical flaws in its Identity Services Engine (ISE). Tracked as CVE-2025-20124 and CVE-2025-20125, these bugs could allow authenticated attackers to execute arbitrary commands and tamper with device configurations. Patches are available in ISE versions 3.1P10, 3.2P7, and 3.3P4, with no workarounds. Additionally, Cisco warned of high-severity SNMP vulnerabilities in IOS, IOS XE, and IOS XR, which could cause denial-of-service (DoS) attacks. Patches are expected by March. Medium-severity flaws affecting various Cisco products were also addressed. No active exploits have been reported. (SecurityWeek)

Five Eyes agencies issue security guidance for network edge devices

Cybersecurity agencies from Australia, Canada, New Zealand, the UK, and the US have shared security guidance for producers of network devices and appliances. The guidance, produced by the UK’s National Cyber Security Centre (NCSC), “outlines expectations for the minimum requirement for forensic visibility, to help network defenders secure organisational networks both before and after a compromise.” The guidance includes requirements for secure logging and data collection. The advisory notes, “Devices and appliances should support near-real-time log transfer using a standards-based protocol, protected using transport layer security (TLS) encryption in a recognised secure configuration. Log formats should be fully documented to allow third-party platforms and tools to ingest them and be machine readable using a standardised format.” (NCSC)

Critical RCE bug in Microsoft Outlook now exploited in attacks

CISA is warning federal agencies in the U.S. to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability. This vulnerability, discovered by researchers at Check Point, and which has a CVE number, is caused by “improper input validation when opening emails with malicious links using vulnerable Outlook versions.” As a result, attackers can gain remote code execution capabilities because “the flaw lets them bypass the Protected View (which should block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.” Yesterday (Thursday) CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, meaning that federal agencies must secure their networks by February 27. (BleepingComputer)

Spain arrests hacker of U.S. and Spanish military agencies

Spanish police arrested a suspect for allegedly conducting 40 cyberattacks targeting critical organizations and universities. The police said the suspect accessed internal data and personal info of employees and customers and used BreachForums to sell and leak the data. Leaks for NATO, the U.S. military, and Spain’s Guardia Civil and Ministry of Defence were listed as most successfully sold. During a raid of the suspect’s residence, police found and seized multiple computers, electronic devices, and 50 cryptocurrency accounts. The hacker could face a maximum sentence of 20 years in prison under Spanish law. (Bleeping Computer)

Ransomware payments decreased 35% year-over-year 

According to a new report from Chainalysis, in 2024, ransomware attackers racked up $813.55 million in victim payments, a 35% decrease from 2023’s record-setting year of $1.25 billion. The drop is attributed to increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay. The report highlighted ransomware gang disruption including the LockBit takedown in February 2024 and BlackCat’s apparent ‘exit scam’ following its attack on Change Healthcare. While LockBit has rebranded and made a comeback, payments to the group fell by around 79% in H2 2024 compared to H1. Chainalysis observed many attackers shifting tactics, with new ransomware strains and also getting quicker with ransom negotiations, often beginning within hours of data exfiltration. (Chainalysis and Infosecurity Magazine)

North Korean threat actors drop new variants of the FERRET malware family

SentinelOne is tracking several new variants of macOS malware attributed to North Korean threat actors. Apple, which tracks the malware family as “FERRET,” last week pushed a signature update to its built-in antivirus tool XProtect to block three new variants of the malware. SentinelOne also discovered a variant dubbed “FlexibleFerret” which is still undetected by XProtect.

The FERRET malware family was identified in December 2024 as part of a North Korean campaign targeting job seekers. SentinelOne says the threat actors are currently attempting to spread the malware by opening fake issues on legitimate developers’ repositories. (SentinelOne, Palo Alto)

Abandoned cloud infrastructure creates major security risks

Researchers at watchTowr have published a report on the security risks posed by abandoned cloud infrastructure. The researchers focused on AWS S3 buckets, but noted that the same issues can apply to any cloud storage provider.

watchTowr discovered and took control of 150 neglected Amazon S3 buckets—some of which had once been used by governments, Fortune 500 companies, cybersecurity firms, and major open-source projects—that were still being pinged by organizations worldwide for software updates, system configurations, and critical files. One of the buckets was owned by the US Cybersecurity and Infrastructure Security Agency (CISA), which the researchers note “is an incredible example of how this challenge is ubiquitous and not limited to only the unenlightened.” The report stresses that a threat actor could have abused these assets to launch devastating supply chain attacks.

The buckets discovered by watchTowr have since been sinkholed. An AWS spokesperson told CyberScoop in response to the research, “[T]he issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications,” adding that customers should follow best practices, including “using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets.” (watchTowr, CyberScoop)
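The AWS advice above, “reference only customer-owned buckets,” turned into a check a defender can run over their own scripts and configs, as an added example that is not part of the original roundup or of watchTowr’s research: it extracts every bucket name referenced in the three common URL shapes and classifies any bucket outside the owned inventory as either still taken by someone else or free to be re-created by anyone. The sample config, bucket names and the `bucket_exists` stand-in are constructed; with boto3 the real callback would be `head_bucket()`, which also accepts an `ExpectedBucketOwner` account id.

```python
import re

# Bucket-name grammar: lowercase letters, digits, dots, hyphens, 3-63 chars.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# The three URL shapes in which code and configs usually reference a bucket.
_PATTERNS = [
    re.compile(r"s3://" + _NAME),                                                   # s3://bucket/key
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),  # virtual-hosted
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME),         # path-style
]


def extract_bucket_refs(text):
    """Return the set of bucket names referenced anywhere in `text`."""
    refs = set()
    for pattern in _PATTERNS:
        refs.update(m.group(1) for m in pattern.finditer(text))
    return refs


def find_dangling_refs(text, owned_buckets, bucket_exists):
    """Classify every referenced bucket that is not in our own inventory.

    `bucket_exists(name)` answers whether the name is currently taken by anyone.
    With boto3 that is head_bucket(): 403 means someone else owns it, 404 means
    the name is free; passing ExpectedBucketOwner=<account id> makes the
    ownership check explicit for buckets we believe are ours.
    """
    owned = set(owned_buckets)
    report = {}
    for name in sorted(extract_bucket_refs(text)):
        if name in owned:
            continue
        # A free name is the watchTowr scenario: anyone can re-create it and
        # serve whatever our installer or CI job asks for.
        report[name] = "foreign" if bucket_exists(name) else "claimable"
    return report


# Constructed sample: lines from an installer script and a CI config.
SAMPLE_CONFIG = """
UPDATE_URL=https://acme-updates.s3.us-east-1.amazonaws.com/agent/latest.tar.gz
BOOTSTRAP=s3://acme-bootstrap/cloud-init.yaml
LEGACY=https://s3.amazonaws.com/acme-legacy-builds/2019/tool.zip
DOCS=https://docs.example.org/not-an-s3-reference
"""
OWNED = {"acme-updates"}                     # our account's bucket inventory
TAKEN = {"acme-updates", "acme-bootstrap"}   # stand-in for head_bucket() answers


def demo():
    """Run the check over the constructed config with the constructed answers."""
    return find_dangling_refs(SAMPLE_CONFIG, OWNED, lambda name: name in TAKEN)


if __name__ == "__main__":
    for bucket, status in demo().items():
        print(f"{status:>9}: {bucket}")
```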

Meta says it may stop development of AI systems it deems too risky

Meta CEO Mark Zuckerberg has pledged to make artificial general intelligence (AGI) openly available, but Meta’s new Frontier AI Framework outlines scenarios where it may withhold highly capable AI systems due to safety concerns. Meta classifies such systems as “high risk” or “critical risk,” based on their potential to aid in cybersecurity breaches or biological attacks, with critical-risk systems posing catastrophic, unmitigable threats. The framework, guided by expert input rather than strict empirical tests, reflects Meta’s attempt to balance openness with security, especially amid criticism of its open AI strategy. (TechCrunch)

Google describes APTs using Gemini AI

Researchers at Google’s Threat Intelligence Group say they have detected government-linked APT groups that are using Gemini primarily for what they call “productivity gains” rather than to develop new AI-enabled cyberattacks. As an example, Google says, Gemini can help them shorten the preparation period in “coding tasks for developing tools and scripts, research on publicly disclosed vulnerabilities…finding details on target organizations, and searching for methods to evade detection, escalate privileges, or run internal reconnaissance in a compromised network.” Google has identified APT groups from more than 20 countries that are using this technique, with the top four being Iran, China, North Korea and Russia. (BleepingComputer)

Two regional healthcare systems report data breaches

Connecticut’s Community Health Center Inc. and California’s NorthBay Healthcare Corporation have both filed notifications regarding breaches that occurred last year which exposed large troves of patient data. Community Health Center, “which runs dozens of facilities and clinics across Connecticut, said just over one million current and former patients had data stolen during a cyberattack discovered on January 2.” The NorthBay attack, which occurred between January and April of last year and which was claimed by the Embargo group in April, had impacted just over half a million people through health-related data theft. (The Record)

Exploited vulnerabilities up significantly from previous year

The number of exploited vulnerabilities surged in 2024, with 768 CVEs actively targeted, a 20% increase from the year before. Nearly a quarter of these were weaponized on or before their public disclosure. Chinese threat actors remain a major player, with 15 groups linked to exploiting top vulnerabilities, including Log4j. Products from Citrix, Cisco, Zoho, and Microsoft, to name a few, were among those exploited. (The Hacker News)

First U.S. state to declare ban on DeepSeek 

Texas is the first state to take a public stand against Chinese AI company DeepSeek and social media app Xiaohongshu (RedNote), banning the apps from state-issued devices. Governor Greg Abbott cited security concerns and the threat of data harvesting for the ban. Meanwhile, across the pond, Italy’s Data Protection Authority has also blocked DeepSeek’s chatbot service and demanded details on its data collection practices amid mounting privacy concerns, even as the company denies operating in Italy. (Security Affairs)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Cyber News Roundup for January 31, 2025

This week’s roundup brings a mix of critical security warnings and notable cyber incidents affecting healthcare, tech, and infrastructure sectors. From the CISA and FDA’s alert about a backdoor vulnerability in patient monitors to ransomware attacks disrupting operations at key institutions, the cybersecurity landscape is as volatile as ever. We also highlight how threat actors are increasingly exploiting public-facing applications and how DARPA is pushing the envelope with self-healing firmware. Keep reading for the latest threats, strategic updates, and industry shifts shaping the cyber world.

CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors  

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts regarding critical vulnerabilities in Contec CMS8000 and Epsimed MN-120 patient monitors. The primary concern, identified as CVE-2025-0626 with a CVSS v4 score of 7.7, involves the devices sending remote access requests to a hard-coded IP address, bypassing existing network settings. This backdoor could allow malicious actors to upload and overwrite files on the device. Additionally, CVE-2024-12248 (CVSS v4 score: 9.3) is an out-of-bounds write vulnerability that could enable remote code execution, and CVE-2025-0683 (CVSS v4 score: 8.2) is a privacy leakage issue causing plain-text patient data to be transmitted to a hard-coded public IP address. Currently, there are no patches available for these vulnerabilities. CISA recommends that organizations disconnect and remove the affected devices from their networks and monitor for any unusual device behavior. As of now, there have been no reported incidents, injuries, or deaths related to these vulnerabilities. (The Hacker News)

Threat Actors Target Public-Facing Apps for Initial Access

Threat actors are increasingly using public-facing applications as an initial attack vector to infiltrate networks. Researchers have observed a rise in cybercriminals exploiting vulnerabilities in government websites and other public apps to conduct phishing attacks, credential harvesting, and malware distribution. By leveraging open redirects and other weaknesses, attackers can bypass secure email gateways and other security measures, making their phishing attempts more effective and harder to detect. This trend underscores the importance of securing public-sector applications, implementing stricter access controls, and continuously monitoring for potential exploitation by malicious actors. (Infosecurity Magazine)

New York Blood Center suffers ransomware attack

New York Blood Center Enterprises, one of the largest independent blood centers in the U.S., serving over 75 million people, discovered suspicious activity on its IT system on Sunday, and this was later confirmed as a ransomware incident by third-party cybersecurity experts. This has forced officials and staff to reschedule blood drives and implement other workarounds. No ransomware gang has yet taken credit for the attack, and the blood center itself says it is still accepting blood donations. (The Record and New York Blood Center Enterprises)

CISA’s future unclear under new administration

At the conclusion of the second week of the new administration, there has been no one named to lead the Cybersecurity and Infrastructure Security Agency, also known as CISA, and “there are no plans for anyone in its leadership to address the annual gathering of the nation’s secretaries of state, which begins Thursday in Washington.” Homeland Security Secretary Kristi Noem had stated prior to her confirmation that the agency had strayed “far off mission.” A conservative blueprint for the Republican administration “recommended that CISA be moved to the Transportation Department and focused solely on protecting government networks and coordinating the security of critical infrastructure.” (Security Week)

DARPA seeks to create firmware that can respond and recover from cyberattacks

Red-C is a new project from the Defense Advanced Research Projects Agency that seeks to give networks the ability to repair themselves after a cyberattack. As described in Cyberscoop, “the forensic sensors in your device’s firmware spring to life. They begin healing your network, restoring locked files, and communicating with other systems to collect forensic data. The firmware then analyzes the data to identify how the attackers entered and exploited system weaknesses, then blocks those vulnerabilities to prevent future breaches through the same entry points.” The project “seeks to build new defenses into bus-based computer systems, which are firmware-level systems used in everything from personal computers to weapons systems to vehicles.” (Cyberscoop)

Tenable acquiring Israel’s Vulcan Cyber in $150 million deal

Tenable, a Nasdaq-listed cybersecurity company valued at $5.3 billion, is acquiring Israeli cybersecurity firm Vulcan Cyber for approximately $150 million, with the deal expected to close in Q1 of this year. The acquisition aims to enhance Tenable’s security exposure management platform by integrating Vulcan Cyber’s capabilities, unifying security visibility and risk mitigation. Vulcan Cyber was founded in 2018, has raised $55 million, and employs 100 people, though it is unclear how many will remain post-acquisition. (CalCalistech)

Chinese and Iranian Hackers Are Using U.S. AI Products to Bolster Cyberattacks

Hackers linked to China, Iran, Russia, and North Korea are using AI, including Google’s Gemini chatbot, to enhance cyberattacks, according to U.S. officials and Google security research. These groups utilize AI for tasks like writing malicious code, identifying vulnerabilities, and researching targets rather than developing advanced hacking techniques. Meanwhile, China’s DeepSeek AI has raised global concerns about Beijing’s progress in the AI arms race, adding uncertainty to the technology’s impact on security and warfare. (Wall Street Journal)

North Koreans clone open-source projects to plant backdoors, steal credentials

North Korea’s Lazarus Group carried out a large-scale supply chain attack, dubbed Phantom Circuit, compromising hundreds of victims by embedding backdoors in cloned open-source software, according to SecurityScorecard’s latest report. The campaign began in late 2024 and targeted cryptocurrency developers and tech professionals by distributing malware-laced repositories on platforms like GitLab. Stolen data included credentials, authentication tokens, and system information, with the attackers using obfuscation techniques and VPNs. (The Register)

Oasis Security Research Team Discovers Microsoft Azure MFA Bypass

Oasis Security discovered a critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA), allowing attackers to bypass it and gain unauthorized access to Office 365 accounts, including Outlook, OneDrive, and Azure. The flaw exploited session creation and TOTP code tolerance, enabling attackers to brute-force MFA codes undetected within 70 minutes. Oasis reported the issue to Microsoft, which implemented a stricter rate limit, permanently fixing the vulnerability by October 2024. The research highlights the importance of strong MFA implementations and improved alerting mechanisms for failed second-factor attempts. (Cloud Security Alliance)

A large-scale phishing campaign exploits users’ trust in PDF files and the USPS

A large-scale phishing campaign exploits users’ trust in PDF files and the USPS to steal credentials and sensitive data, according to Zimperium researchers. Attackers send SMS messages with malicious PDFs mimicking USPS communications, embedding hidden phishing links to bypass security tools. Victims are directed to fake USPS sites, where they provide personal and payment information under the guise of resolving delivery issues.

Zimperium found over 20 malicious PDFs and 630 phishing pages targeting users across 50 countries. This tactic leverages the assumption that PDFs are safe, exploiting their widespread use in business. Attackers also impersonate other delivery services like UPS and FedEx. Experts warn that inadequate mobile security and limited visibility into file contents make such campaigns effective. (Security Boulevard)

Apple patches a zero-day affecting many of their products

Apple has patched CVE-2025-24085, a zero-day vulnerability exploited in the wild affecting iPhones, iPads, Macs, and other devices. The flaw, a use-after-free issue in the CoreMedia component, could allow rogue apps to elevate privileges and gain system control. While details of the exploitation remain sparse, Apple confirmed it targeted older iOS versions before iOS 17.2. The fix is available in updates for iOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3. Affected devices include iPhone XS and later, various iPad models, Apple Vision Pro, and Apple Watch Series 6 or newer. Additional vulnerabilities patched include issues allowing unauthorized code execution via AirPlay, privilege escalation, and Safari address bar spoofing. Users are strongly advised to update to protect against potential exploits targeting unpatched devices. (The Register)

CISA issues a critical warning about a SonicWall vulnerability actively exploited

CISA has issued a critical warning about CVE-2025-23006, a vulnerability in SonicWall SMA 1000 appliances that allows remote attackers to execute commands without authentication. With a CVSS score of 9.8, this flaw, exploited in the wild, impacts versions 12.4.3-02804 and earlier. SonicWall has released a hotfix (version 12.4.3-02854) to address the issue and advises immediate updates. Organizations unable to patch should restrict AMC and CMC access to trusted IPs. The flaw’s exploitation risks full system compromise, emphasizing urgent mitigation. (Cyber Security News)

Most ransomware victims shut down operations

A new report from the Ponemon Institute found that 58% of organizations hit by ransomware last year were forced to shut down operations as part of their recovery process, up from 45% of victims in 2021. The report also found that the share of organizations reporting significant revenue loss due to an attack rose from 22% to 40% over the same span, while those experiencing brand damage jumped from 21% to 35%. While those metrics are trending in the wrong direction, the report also found that the average time to recover from ransomware decreased 30% to 132 hours, while the average recovery cost fell 13%. 51% of respondents paid a ransom, and of those paying victims, 32% said attackers demanded further payment. (Infosecurity Magazine)

PowerSchool starts notifying victims

The education SaaS giant disclosed a cyberattack earlier this month but at the time only alerted the impacted school districts. Now the company has begun notifying affected individuals in the US and Canada whose personal data was stolen, including past and current students, parents, and guardians. The breach is known to have impacted 6,505 school districts, but the exact number of affected individuals and a detailed breach report have not been released. PowerSchool did notify Maine’s Attorney General’s office that 33,488 people were affected in that state. (Bleeping Computer)

Chinese AI app DeepSeek rattles US tech stocks

US tech stocks dropped sharply today due to investor worries over the popularity of Chinese AI app DeepSeek, the Washington Post reports. The Nasdaq index lost nearly 4 percent this morning, with US chipmaker Nvidia dropping 12 percent. DeepSeek was founded in 2023 and released its mobile app earlier this month. It’s since overtaken ChatGPT as the top free app in Apple’s App Store. (Reuters notes that the app is currently experiencing outages, which the company has attributed to “a large-scale malicious attack.”) The company’s open-source LLM “DeepSeek-R1” is comparable to OpenAI’s “o1” LLM, but is up to 95% more affordable, according to VentureBeat. The company claims to have trained the model for just $5.6 million. The US government has banned the sale of high-end GPUs to China in an attempt to curb the country’s AI development. Bloomberg notes, “While it remains unclear how much advanced AI-training hardware DeepSeek has had access to, the company’s demonstrated enough to suggest the trade restrictions have not been entirely effective in stymieing China’s progress.” (Washington Post, Reuters, VentureBeat, Yahoo)

Stealthy backdoor targets Juniper routers

Lumen Technologies’ Black Lotus Labs has published a report on a backdoor campaign dubbed “J-Magic” targeting enterprise-grade Juniper routers. The researchers haven’t determined the initial access technique, but they note that “once in place [the backdoor] installs the agent – a variant of cd00r – which passively scans for five different predefined parameters before activating. If any of these parameters or ‘magic packets’ are received, the agent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software.” The campaign was active from mid-2023 until at least mid-2024, targeting organizations in the semiconductor, energy, manufacturing, and IT sectors. (Lumen)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Cyber News Roundup for January 24, 2025

This week in cybersecurity, we cover a range of emerging stories on threats and vulnerabilities that highlight the ongoing challenges in the industry. From the rise of AI tools like GhostGPT fueling cybercrime to critical flaws in popular software platforms like SonicWall and Ivanti, attackers continue to exploit new entry points for malicious activity. Additionally, we dive into high-stakes incidents such as the Lazarus Group’s latest malware campaign and the growing risks associated with IoT botnets. Stay informed about the latest vulnerabilities, malware campaigns, and the tools cybercriminals are using to target organizations worldwide.

GhostGPT facilitates cyberattacks 

Abnormal Security has published a report on GhostGPT, an uncensored AI chatbot designed for cybercriminals. The tool can be used to automate malware creation and exploit development, as well as create phishing emails for use in business email compromise (BEC) attacks. GhostGPT is sold as a Telegram bot. The researchers note that the tool “likely uses a wrapper to connect to a jailbroken version of ChatGPT or an open-source large language model (LLM), effectively removing any ethical safeguards.” Abnormal adds that the tool has grown very popular since it surfaced late last year, indicating an increased interest in cybercrime-focused AI tools. (Abnormal)

Critical SonicWall vulnerability may be under exploitation 

SonicWall has disclosed a critical remote code execution vulnerability (CVE-2025-23006) affecting its Secure Mobile Access (SMA) 1000 series products. The company warns that the flaw may be under active exploitation, and strongly advises users to upgrade to the hotfix release version of the SMA1000 product. SonicWall added, “To minimize the potential impact of the vulnerability, please ensure that you restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC).” The flaw has been assigned a CVSS score of 9.8. (Sonicwall)

CISA and the FBI issue advisory on Ivanti CSA exploit chains 

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory outlining two exploit chains used by threat actors to compromise Ivanti Cloud Service Appliances (CSAs), SecurityWeek reports. The advisory states, “According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379.” (CISA, SecurityWeek)

Cisco Fixes vulnerability in Meeting Management 

Cisco has disclosed a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances. The vulnerability, CVE-2025-20156, has a CVSS score of 9.9 and was disclosed by Cisco on Wednesday. Cisco has released a fix in Cisco Meeting Management version 3.9.1. The company says there are “no workarounds [that] address this vulnerability” and urges customers to update to this version. (InfoSecurity Magazine)

ChatGPT’s API could have been used in DDoS attacks 

Described as an example of “bad programming,” a now-fixed vulnerability discovered by German researcher Benjamin Flesch allowed an attacker to send unlimited connection requests through ChatGPT’s API. He said the bug occurred when the API processed HTTP POST requests to the back-end server and was due to the fact that OpenAI “did not have a limit on the number of URLs that can be included in a single request.” That error allowed an attacker to cram thousands of URLs into a single request, something that could overload traffic to a targeted website. The vulnerability was assigned a CVSS score of 8.6 because it’s a network-based, low-complexity flaw that doesn’t require elevated privileges or user interaction to exploit. (Cyberscoop)
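The missing input check described above, written out as an added example that is not OpenAI’s code or the researcher’s: a validator for the `urls` field of a fetch-style POST body that caps the number of URLs per request and per destination host, collapses duplicates so repeats never cost the target a second fetch, and refuses non-HTTP schemes and non-public literal addresses. The limit values are hypothetical policy numbers and the domains are placeholders.

```python
import ipaddress
from urllib.parse import urlparse, urlunparse

# Hypothetical policy values; the point is that both limits exist at all.
MAX_URLS_PER_REQUEST = 20
MAX_URLS_PER_HOST = 5


class RequestRejected(ValueError):
    """Raised for a request the API should refuse before fetching anything."""


def _normalize(raw):
    """Return (host, canonical URL): lowercase scheme/host, fragment dropped."""
    p = urlparse(raw.strip())
    scheme = p.scheme.lower()
    if scheme not in ("http", "https") or not p.hostname:
        raise RequestRejected(f"unsupported URL: {raw!r}")
    host = p.hostname.lower()
    try:
        port = p.port                      # raises ValueError on a malformed port
    except ValueError:
        raise RequestRejected(f"malformed port in {raw!r}") from None
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None                     # DNS name; resolve-and-check belongs in the fetcher
    if literal is not None and not literal.is_global:
        raise RequestRejected(f"non-public address: {raw!r}")
    netloc = host if port is None else f"{host}:{port}"
    return host, urlunparse((scheme, netloc, p.path or "/", p.params, p.query, ""))


def validate_urls(urls):
    """Return the de-duplicated list of URLs one request may fetch, or reject it.

    The unpatched behaviour the story describes amounts to `return urls`.
    """
    if not isinstance(urls, list):
        raise RequestRejected("urls must be a JSON array")
    if len(urls) > MAX_URLS_PER_REQUEST:
        raise RequestRejected(f"too many URLs: {len(urls)} > {MAX_URLS_PER_REQUEST}")
    accepted, seen, per_host = [], set(), {}
    for raw in urls:
        if not isinstance(raw, str):
            raise RequestRejected("each URL must be a string")
        host, canonical = _normalize(raw)
        if canonical in seen:
            continue                       # repeats never cost the target a second fetch
        per_host[host] = per_host.get(host, 0) + 1
        if per_host[host] > MAX_URLS_PER_HOST:
            raise RequestRejected(f"too many URLs for host {host}")
        seen.add(canonical)
        accepted.append(canonical)
    return accepted


def is_rejected(urls):
    """True if validate_urls() refuses the request."""
    try:
        validate_urls(urls)
        return False
    except RequestRejected:
        return True


if __name__ == "__main__":
    # Constructed requests: a flood of one host, and a small legitimate batch.
    print(is_rejected([f"https://target.example/p{i}" for i in range(3000)]))
    print(validate_urls(["https://a.example/x#top", "https://A.example/x"]))
```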

 

‘Magic’ backdoor targets enterprise Juniper routers 

A new campaign discovered by Black Lotus Labs and named J-magic targets “Juniper-brand routers at the edge of high-value networks.” According to Nate Nelson, writing in Dark Reading, “such routers typically lack endpoint detection and response protection, are in front of a firewall, and don’t run monitoring software, making the attacks harder to detect.” In this instance, exposed enterprise routers are implanted with a variant of a 25-year-old backdoor named cd00r, which stays dormant until it receives an activation phrase, also known as a “magic packet.” At that point it grants access to a reverse shell, from which the attackers can steal data, manipulate configurations, and spread to more devices. (Dark Reading)

 

Pwn2Own Automotive awards over $382,000 on its first day 

Trend Micro’s Zero Day Initiative (ZDI) launched Pwn2Own Automotive 2025 in Tokyo, awarding $382,750 on the first day for 16 zero-day exploits targeting infotainment systems, EV chargers, and automotive operating systems. Top rewards included $50,000 each for exploits on Autel and Ubiquiti chargers, while a ChargePoint charger exploit earned $47,500. Participants also received $20,000 for hacking Alpine, Kenwood, and Sony infotainment systems. Nearly two dozen more attempts are planned. (SecurityWeek)

 

North Korea’s Lazarus group uses fake job interviews to deploy malware 

The North Korean APT Lazarus Group has launched a sophisticated campaign, tracked as “Contagious Interview” or “DevPopper,” targeting the technology, financial, and cryptocurrency sectors. Using fake job interviews, the group deploys malware such as BeaverTail and InvisibleFerret to compromise systems and exfiltrate sensitive data. InvisibleFerret, a Python-based malware, steals cryptocurrency wallets, source code, credentials, and more, using FTP, encrypted connections, and Telegram for exfiltration. The campaign lures software developers with social engineering and malicious coding challenges, demonstrating advanced tactics in cyber espionage. (Cyber Security News)

 

Major Cybersecurity Vendors’ Credentials Found on Dark Web 

Researchers at threat intelligence firm Cyble have discovered thousands of leaked credentials for at least 14 major cybersecurity vendors on the dark web since the start of 2025, including CrowdStrike, Palo Alto Networks, and McAfee. In a report published January 22nd, Cyble says these credentials were likely extracted from infostealer logs and include access to internal accounts and customer platforms. While many accounts may have additional security layers like MFA, the findings highlight the importance of dark web monitoring to prevent potential cyberattacks. (Infosecurity)

 

The Internet is (once again) awash with IoT botnets delivering record DDoSes 

IoT-driven DDoS attacks are on the rise, along with a surge in botnets built from infected home routers, cameras, and other devices. Notably, Cloudflare reported a record 5.6 terabit-per-second DDoS attack launched from 13,000 IoT devices, while other security firms such as Qualys and Trend Micro have tracked multiple botnets built on Mirai variants. Experts warn that IoT devices remain vulnerable to compromise because of outdated security, and urge users to update passwords, disable remote management, and install patches promptly. (Cloudflare, Ars Technica)

 

Critical zero-days impact premium WordPress real estate plugins 

Two critical flaws in the RealHome theme and Easy Real Estate plugins for WordPress allow unauthenticated attackers to gain admin privileges, leaving 32,600 websites vulnerable. Despite the discovery in September 2024, no patches have been released by InspiryThemes, and both flaws remain exploitable. Administrators should immediately disable the affected plugins, restrict user registration, and apply mitigations to prevent potential exploitation. (Bleeping Computer)

 

7-Zip flaw bypasses Windows security warnings 

Mark of the Web (MotW) is a metadata identifier Windows attaches to files downloaded from the Internet, marking them as potentially unsafe: the user gets a pop-up warning and Office opens the file in Protected View. The popular file archiver 7-Zip added MotW support in 2022. However, Trend Micro issued an advisory noting that attackers can use maliciously crafted sites and archives to deliver files that do not trigger the usual MotW warnings. 7-Zip developer Igor Pavlov patched the flaw in November 2024, but because the utility has no auto-update feature, a significant number of installs likely remain vulnerable. (Bleeping Computer)
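MotW lives in an NTFS alternate data stream named `Zone.Identifier`, so a bypass like this one comes down to extracted files that lack the stream (or carry a more trusted zone) than the archive they came from. The following is an added example, not 7-Zip’s or Trend Micro’s code: it parses the stream, decides which extracted files lost the mark relative to their archive, and re-stamps them. The stream name and `ZoneId=3` (Internet zone) are the real Windows values; the file names and sample stream contents are constructed, and the read/write helpers only work on NTFS under Windows.

```python
"""Check that files pulled out of a downloaded archive still carry the Mark of the Web.

Added example, not 7-Zip's or Trend Micro's code. Zone.Identifier is the name of the
NTFS alternate data stream Windows uses for MotW; paths and sample stream contents
are constructed for illustration."""
import sys

ZONE_INTERNET = 3  # URLZONE_INTERNET: the value that triggers the warning and Protected View


def parse_zone_identifier(text):
    """Return the ZoneId from the text of a Zone.Identifier stream, or None."""
    section = None
    zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "ZoneId":
                try:
                    zone = int(value.strip())
                except ValueError:
                    return None
    return zone


def zone_identifier_text(zone_id, referrer_url=None, host_url=None):
    """Build the stream contents Windows writes for a downloaded file."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def read_motw(path):
    """ZoneId of a file's Zone.Identifier stream, or None when absent.
    Alternate data streams exist only on NTFS, so this is Windows-only."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def files_missing_motw(archive_zone, extracted_zones):
    """Names of extracted files whose zone is absent or more trusted than the
    archive they came from. Higher zone numbers are less trusted, so a file
    from an Internet-zone archive should carry zone 3 or higher."""
    if archive_zone is None:
        return []  # the archive itself was never marked: nothing to propagate
    return [name for name, zone in extracted_zones.items()
            if zone is None or zone < archive_zone]


def stamp_motw(path, zone_id=ZONE_INTERNET):
    """Write a Zone.Identifier stream so Windows treats the file as downloaded."""
    if sys.platform != "win32":
        raise OSError("alternate data streams require NTFS on Windows")
    with open(path + ":Zone.Identifier", "w", encoding="utf-8", newline="") as f:
        f.write(zone_identifier_text(zone_id))


def audit_extraction(archive_path, extracted_paths):
    """Windows usage: find extracted files that lost the mark and re-stamp them."""
    archive_zone = read_motw(archive_path)
    zones = {p: read_motw(p) for p in extracted_paths}
    missing = files_missing_motw(archive_zone, zones)
    for p in missing:
        stamp_motw(p, archive_zone)
    return missing
```

Running `audit_extraction` over the output directory of an unpatched 7-Zip install is a quick way to see whether the bypass applies; an archive marked zone 3 whose extracted executables come back unmarked is exactly the condition the advisory describes.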

 

Mirai variant hits IP cameras and routers 

Researchers at Qualys documented a new variant of the pernicious Mirai botnet, dubbed Murdoc_Botnet. It targets flaws in AVTECH IP cameras and Huawei routers and has infected over 1,300 systems since July 2024. Most infections occurred in Indonesia, Malaysia, Mexico, Thailand, and Vietnam, and the compromised devices are ultimately used to support denial-of-service attacks. The researchers found that Murdoc_Botnet exploits known vulnerabilities to gain access to IoT devices, then runs a shell script to fetch a next-stage payload. (The Hacker News)

 

Microsoft Teams used in IT support campaign 

Sophos researchers documented a campaign by a threat actor tracked as STAC5143 that used email bombing to set up a call from fake IT support. The attackers first hammer a potential victim with up to thousands of messages over several minutes. They then place an external Teams call, posing as a “Help Desk Manager,” to resolve the issue through a remote screen control session. In that session the attackers drop a ProtonVPN executable with a malicious DLL to create a C2 channel and install the pentest tool RPivot to set up a SOCKS4 proxy. Sophos stopped the attack, but believes the final goal was to steal data and deploy ransomware. FIN7 has used RPivot in past attacks, but Sophos does not have high confidence in attributing this activity to that group. (Bleeping Computer)

 

HPE investigates breach claims 

Last Thursday, the well-known hacker IntelBroker claimed to be selling data stolen from the systems of Hewlett Packard Enterprise (HPE). IntelBroker claims the compromised data includes source code for Zerto and iLO products, private GitHub repositories, digital certificates, Docker builds, and personal information from old user deliveries. IntelBroker also says they are offering access to some HPE services, including APIs, WePay, GitHub and GitLab. The company confirmed it is investigating the claims and says that, so far, it has not experienced any operational impacts. (SecurityWeek and Bleeping Computer)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Cyber News Roundup for January 17, 2025

This week’s cybersecurity news covers everything from high-profile investigations to critical vulnerabilities, shedding light on ongoing global threats and evolving defenses. From a major Chinese telecom investigation to a surge in cybersecurity enrollment for critical infrastructure, the landscape remains dynamic. Plus, stay informed about the ongoing debate surrounding the potential TikTok ban and its national security implications. Here’s a closer look at this week’s top stories:

 

US government investigates China-founded telecoms hardware firm 

Reuters reports that the US Commerce Department and the FBI are investigating potential security risks posed by Baicells Technologies, a Chinese telecom hardware company with a Wisconsin-based North American operation. Baicells has provided routers and base stations for commercial mobile networks across every US state. The company was founded in China by senior Huawei veterans in 2014, opening its US operation in 2015. The US Federal Communications Commission (FCC) is advising the Commerce Department in its investigation. The focus of the FBI’s probe is unclear. The FBI and the Commerce Department both declined to comment on the reported investigations. Baicells’ chairman told Reuters that the company will cooperate with any US government inquiries, noting, “Baicells does not believe there are any security risks associated with its radio products.” (Reuters)

 

President Biden signs cybersecurity-focused executive order 

President Biden this morning signed an executive order aimed at improving Federal cybersecurity defenses, the Washington Post reports. Anne Neuberger, deputy national security adviser for cyber and emerging threats at the White House, said in a press briefing that this is the Biden Administration’s “capstone” cyber order, which is “designed to put the country on a path to defensible networks across the government and private sector.” The 53-page EO includes measures for “[i]mproving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector.” The EO calls out China specifically, stating that “the People’s Republic of China [presents] the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks.” The order also gives the government greater authority to use sanctions against ransomware actors. While the Trump administration could decide to reverse the EO, Neuberger said she believes the incoming administration will keep many of the order’s objectives in place. Neuberger stated, “Our feeling is that securing the nation in cyberspace and making it harder for ransomware hackers are pretty nonpartisan goals. We wanted to put the incoming administration on the best foot forward as they did for us.” (White House)

 

US healthcare sector saw 585 breaches in 2024 

That figure comes from a SecurityWeek analysis of the US Department of Health and Human Services Office for Civil Rights breach database. These incidents affected roughly 180 million records, with the Change Healthcare breach alone accounting for approximately 100 million. 75% of incidents targeted healthcare providers and 17% healthcare business associates. “Hacking/IT incident,” a category that includes ransomware, was cited as the cause in most cases, with unauthorized access a distant second. Healthcare organizations in Texas saw the most incidents last year, with 56. (SecurityWeek)

 

Researchers uncover vulnerabilities in Windows 11 allowing attackers to bypass protections and execute code at the kernel level 

Researchers from HN Security uncovered vulnerabilities in Windows 11’s Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI), allowing attackers to bypass protections and execute code at the kernel level. VBS isolates memory for OS security, while HVCI prevents unauthorized drivers from loading. An exploit transforms an arbitrary pointer dereference vulnerability into a read/write primitive, enabling attackers to manipulate kernel memory and execute data-only attacks without triggering security mechanisms.

The techniques allow privilege escalation, disabling of Endpoint Detection and Response (EDR), and manipulation of Protected Process Light (PPL) features. These vulnerabilities affect Windows 11 (21H2 and later) and Windows Server 2016–2022 across x86, x64, and ARM64 systems. While Microsoft has addressed some kernel vulnerabilities, others remain exploitable. Researchers emphasize the importance of layered security beyond built-in OS features, as sophisticated attackers can still bypass advanced protections. (Cyber Security News)

 

FBI deletes Chinese malware from over 4,200 computers 

The US Justice Department has announced a multi-month operation that deleted Chinese PlugX malware from more than 4,200 computers in the United States. The Justice Department says the Chinese government paid the Mustang Panda threat actor to develop this strain of PlugX. The threat actor then used the malware to compromise “thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups.” Mustang Panda has been using the PlugX malware since at least 2014.

The Justice Department explains, “The international operation was led by French law enforcement and Sekoia.io, a France-based private cybersecurity company, which had identified and reported on the capability to send commands to delete the PlugX version from infected devices. Working with these partners, the FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise impact the legitimate functions of, or collect content information from, infected computers. In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers. The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks.” The FBI is working with internet service providers to notify owners of computers affected by the operation. (DOJ)

 

TikTok could possibly stay alive after Sunday’s upcoming ban 

“Americans shouldn’t expect to see TikTok suddenly banned on Sunday,” said an administration official. Officials aim to implement the law without immediately shutting down the app, deferring the issue to Donald Trump’s incoming administration. Trump said he wants to preserve its use. And Trump’s pick for attorney general, Pam Bondi, didn’t say she would enforce the ban when asked about it at her Senate confirmation hearing. The ban, part of a national security law, mandates ByteDance, TikTok’s Chinese parent company, to divest ownership. Legal challenges cite free speech concerns. During his first term, Trump tried to implement a TikTok ban, but during his 2024 Presidential campaign, vowed to “save TikTok.” (NBC News)

 

DJI will no longer block US users from flying drones in restricted areas 

DJI announced in a blog post it’s removed geofencing restrictions in the U.S., letting users fly drones in previously restricted areas like airports, nuclear plants, and wildfires, though its app will still issue warnings. The company argues the responsibility should lie with the drone operators, citing tools like Remote ID for enforcement, though concerns remain about safety, especially after a sub-250-gram DJI drone damaged a firefighting plane in Los Angeles. Critics, including DJI’s former policy head, argue the decision undermines aviation safety, shifting all accountability to users. (Engadget)

 

Researchers identify a “mass exploitation campaign” targeting Fortinet firewalls 

Arctic Wolf warns that an attack campaign is likely exploiting an unknown zero-day to compromise internet-exposed Fortinet FortiGate firewall devices. The researchers state, “In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations.

In compromised environments, threat actors were observed extracting credentials using DCSync. While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected.” Arctic Wolf says organizations “should urgently disable firewall management access on public interfaces as soon as possible.” The researchers notified Fortinet of the attacks last month, and the company confirmed that “the activity was known and under investigation.” (ArcticWolf)
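Arctic Wolf’s mitigation is a configuration check you can run against a FortiOS config backup before the next scan does it for you: any interface with the `wan` role that still lists `https`, `ssh` or another management protocol under `allowaccess` is the exposed management interface the campaign went after. The following is an added example, not Arctic Wolf’s or Fortinet’s code: a small parser for the `config system interface` block of a FortiOS config dump, an audit of WAN-role interfaces, and the CLI snippet that closes the gap. `role` and `allowaccess` are real FortiOS settings; the sample config and interface names are constructed.

```python
"""Audit a FortiOS configuration for management access on WAN-facing interfaces,
the exposure Arctic Wolf tells organisations to close.

Added example, not Arctic Wolf's or Fortinet's code. Parses the
'config system interface' block of a FortiOS config dump; the sample config
and interface names below are constructed."""
import re

# allowaccess values that expose an administrative surface
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}

SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
    edit "wan2"
        set role wan
        set allowaccess ping
    next
end
"""


def parse_interfaces(config_text):
    """Return {interface: {"role": ..., "allowaccess": set(...)}} from the
    'config system interface' block of a FortiOS config."""
    interfaces = {}
    current = None
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = {"role": "undefined", "allowaccess": set()}
            interfaces[m.group(1)] = current
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set role "):
            current["role"] = line.split(None, 2)[2]
        elif current is not None and line.startswith("set allowaccess "):
            current["allowaccess"] = set(line.split()[2:])
    return interfaces


def exposed_management(interfaces):
    """Interfaces with role wan that still allow a management protocol."""
    findings = []
    for name, iface in sorted(interfaces.items()):
        exposed = iface["allowaccess"] & MGMT_PROTOCOLS
        if iface["role"] == "wan" and exposed:
            findings.append((name, sorted(exposed)))
    return findings


def remediation_cli(name, keep=("ping",)):
    """CLI snippet that strips management protocols from one interface."""
    return "\n".join([
        "config system interface",
        f'    edit "{name}"',
        f"        set allowaccess {' '.join(keep)}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for name, protocols in exposed_management(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: management exposed via {', '.join(protocols)}")
        print(remediation_cli(name))
```

On the sample config only `wan1` is flagged; `internal` allows the same protocols but faces the LAN, and `wan2` already permits nothing but ping. Removing management access from the public interface is the urgent step; restricting each admin account to trusted source addresses with `trusthost` is the second, so that a management service reachable through any other path still cannot be logged into from the Internet.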

 

Baltic sea cable cuts can’t be accident, says EU tech chief 

Henna Virkkunen, the European Union’s new digital chief, whose formal title is European Commission executive vice president for technological sovereignty, security and democracy, has told Bloomberg News that incidents resulting in damage to undersea data and power cables are happening too frequently to be purely accidental. As leaders from the Baltic region prepare to gather for a NATO summit devoted to the topic, she echoes the sentiments of Lithuanian President Gitanas Nauseda, who said “there is a very high probability that those are deliberate actions of hostile countries.” Last week we reported on the tanker Eagle S, whose anchor has been recovered from the sea bed by Finnish authorities. This ship and others are believed to be part of a Russian shadow fleet that transports Russian petroleum products despite sanctions and other restrictions. (Yahoo News, quoting Bloomberg)

 

CISA warns of second BeyondTrust vulnerability 

CISA is “urging federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) enterprise solutions, based on evidence of active exploitation.” This new flaw, which has now been assigned a CVE identifier, is a medium-severity command injection issue discovered during the investigation into the U.S. Department of the Treasury incident disclosed on December 31 and attributed to the Chinese group Silk Typhoon. It “can be exploited by an attacker with existing administrative privileges to upload a malicious file.” It has been added to CISA’s KEV catalog, giving federal agencies until February 3 to patch it. (Security Week)

 

Draft of second cybersecurity EO on President Biden’s desk 

According to Cyberscoop who obtained a copy of the draft executive order, it ranges from cyber defenses in space to the U.S. federal bureaucracy, to its contractors, and “addresses security risks embedded in subjects like cybercrime, artificial intelligence and quantum computers.” The document is a follow-up to one published in the first year of the Biden presidency, and gives agencies 53 deadlines, stretching in length from 30 days to three years. (Cyberscoop)

 

Juniper Networks releases security updates for Junos OS 

Juniper Networks started 2025 by releasing security updates for Junos OS, addressing dozens of vulnerabilities, including several high-severity flaws. These include CVE-2025-21598, an out-of-bounds read bug in the routing protocol daemon (RPD) that can cause denial-of-service (DoS) via malformed BGP packets, and CVE-2025-21599, a kernel memory exhaustion flaw triggered by malformed IPv6 packets. Fixes were also issued for high-severity OpenSSH vulnerabilities and critical flaws in third-party components like Expat. No exploits have been reported, but users are urged to apply patches promptly. (SecurityWeek)

 

Ransomware campaign abuses AWS encryption service to encrypt S3 buckets

Researchers at Halcyon warn that a new ransomware campaign is abusing AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attacks don’t exploit any AWS vulnerabilities; the threat actors simply use stolen or publicly disclosed AWS keys with permission to write and read S3 objects. The attacker then generates a local encryption key and encrypts the victim’s data. Halcyon notes, “AWS CloudTrail logs only an HMAC of the encryption key, which is insufficient for recovery or forensic analysis.” In the cases observed by Halcyon, the attackers mark the encrypted files for deletion in seven days, and place a ransom note with a Bitcoin address in the affected directory.

AWS provided the following statement in response to Halcyon’s findings: “AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment. We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post.” (Halcyon, AWS)
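Because the attacker uses valid credentials and a supported feature, the only trail is in the logs and the only preventive control is policy. Two things a practitioner wants from this story: a way to pick the SSE-C pattern out of CloudTrail, and a bucket policy that refuses customer-provided keys on buckets that never use them. The following is an added example, not Halcyon’s or AWS’s code. The field names follow the CloudTrail S3 data event format (`additionalEventData.SSEApplied`, `requestParameters`) and the condition key `s3:x-amz-server-side-encryption-customer-algorithm` is the one AWS documents for SSE-C; the events, bucket name and access key IDs are constructed.

```python
"""Spot the SSE-C ransomware pattern in CloudTrail S3 data events and build the
bucket policy that blocks it.

Added example, not Halcyon's or AWS's code. Field names follow the CloudTrail
S3 data event format; the events, bucket, and access key IDs are constructed."""
from collections import defaultdict

SSEC_WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CreateMultipartUpload"}
SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

# Constructed events: an attacker key rewriting objects with a customer-provided
# key, then putting the bucket on a 7-day deletion timer; a legitimate key
# doing a normal SSE-KMS write.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAATTACKEREXAMPLE"},
     "requestParameters": {"bucketName": "patient-imaging", "key": "scan-001.dcm",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAATTACKEREXAMPLE"},
     "requestParameters": {"bucketName": "patient-imaging", "key": "scan-002.dcm"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAATTACKEREXAMPLE"},
     "requestParameters": {"bucketName": "patient-imaging",
                           "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIALEGITEXAMPLE"},
     "requestParameters": {"bucketName": "patient-imaging", "key": "scan-003.dcm"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]


def is_ssec_write(event):
    """True when an object write supplied a customer-provided key."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in SSEC_WRITE_EVENTS:
        return False
    extra = event.get("additionalEventData") or {}
    params = event.get("requestParameters") or {}
    return (extra.get("SSEApplied") == "SSE_C"
            or params.get("x-amz-server-side-encryption-customer-algorithm") == "AES256")


def is_short_expiration_lifecycle(event, max_days=7):
    """True for a lifecycle rule that expires objects within max_days."""
    if event.get("eventName") != "PutBucketLifecycle":
        return False
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule") or []
    if isinstance(rules, dict):
        rules = [rules]
    for rule in rules:
        days = (rule.get("Expiration") or {}).get("Days")
        if days is not None and int(days) <= max_days:
            return True
    return False


def triage(events):
    """Group SSE-C writes and short deletion timers by access key, so one key
    touching many objects (and the lifecycle change) stands out."""
    findings = defaultdict(lambda: {"ssec_writes": 0, "buckets": set(), "deletion_timer": False})
    for event in events:
        key = (event.get("userIdentity") or {}).get("accessKeyId", "unknown")
        bucket = (event.get("requestParameters") or {}).get("bucketName")
        if is_ssec_write(event):
            findings[key]["ssec_writes"] += 1
        elif is_short_expiration_lifecycle(event):
            findings[key]["deletion_timer"] = True
        else:
            continue
        if bucket:
            findings[key]["buckets"].add(bucket)
    return {key: {"ssec_writes": f["ssec_writes"], "buckets": sorted(f["buckets"]),
                  "deletion_timer": f["deletion_timer"]} for key, f in findings.items()}


def deny_ssec_policy(bucket):
    """Bucket policy that refuses any object write carrying a customer-provided key.
    The Null condition is false when the SSE-C header is present, so the Deny fires."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
        }],
    }
```

Two caveats for using this for real. Object-level S3 calls are CloudTrail data events, which are not logged unless you have enabled them for the bucket or trail, so the detection side only works where that has already been done. And the policy is a safe default only for buckets whose workloads never legitimately supply their own keys; where an application does use SSE-C, scope the statement to the principals that should not.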

 

Telefonica breach exposes internal data and employee credentials 

Telco giant Telefonica suffered a major breach in which hackers from the Hellcat ransomware group stole over 236,000 lines of customer data, 469,000 lines of internal Jira ticketing data, and 24,000 employee emails. The group used infostealer malware to compromise the credentials of 15 employees, including two with administrative privileges, and exfiltrated an estimated 2.3GB of data. One cybersecurity vendor called the breach “imminent,” noting that 531 employee computers were infected by infostealers last year. (Dark Reading, Infosecurity Magazine)

 

Nominet confirms breach using Ivanti zero-day 

Nominet, the .UK domain registry managing over 11 million domains, has confirmed a breach exploiting an Ivanti VPN zero-day vulnerability (CVE-2025-0282). According to a statement to Bleeping Computer “the entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely.” While no data theft or backdoors have been identified, Nominet is the first organization to publicly confirm an attack using this specific exploit. (The Register), (Bleeping Computer)

 

New version of the Banshee macOS stealer 

Researchers at Check Point are tracking a new version of Banshee, a strain of macOS malware designed to steal browser credentials, cryptocurrency wallets, passwords, and other sensitive data. The new version surfaced in late September 2024, using a string encryption algorithm from Apple’s XProtect antivirus engine that allowed it to evade detection for more than two months. Banshee’s malware-as-a-service operation shut down after its source code was leaked in November 2024, but Check Point notes that multiple phishing campaigns are still distributing the malware. (Check Point)

 

Suspected Chinese threat actor exploits Ivanti Connect Secure vulnerability 

Mandiant has published an analysis of the ongoing exploitation of a recently disclosed vulnerability (CVE-2025-0282) affecting Ivanti Connect Secure VPNs. The vulnerability, which received a patch on Wednesday, is an unauthenticated stack-based buffer overflow that could lead to unauthenticated remote code execution.

Mandiant attributes the exploitation to the China-aligned espionage actor UNC5221. The researchers write, “In at least one of the appliances undergoing analysis, Mandiant observed the deployment of the previously observed SPAWN ecosystem of malware (which includes the SPAWNANT installer, SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor). The deployment of the SPAWN ecosystem of malware following the targeting of Ivanti Secure Connect appliances has been attributed to UNC5337, a cluster of activity assessed with moderate confidence to be part of UNC5221….Mandiant has also identified previously unobserved malware families from additional compromised appliances, tracked as DRYHOOK and PHASEJAM that are currently not yet linked to a known group.”

Mandiant concludes that “defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access.” (Mandiant)

 

CISA sees enrollment surge in cyber hygiene for critical infrastructure 

A report released by CISA on Friday says that after analyzing “7,791 critical infrastructure organizations enrolled in the agency’s vulnerability scanning service from Aug. 1, 2022, through Aug. 31, 2024,” there were “significant increases in enrollment in the agency’s Cyber Hygiene (CyHy) service enrollment,” a program that helps organizations reduce their exposure to threats through proactive monitoring and attack mitigation plans. Organizations from communications, emergency services, critical manufacturing, and water and wastewater systems registered in large numbers. As a result, CISA says, it has found improvements across its six cybersecurity performance goals: mitigating known vulnerabilities, no exploitable services on the internet, strong and agile encryption, limit OT connections on the public internet, deploy a security.txt file, and email security. (Cyberscoop)

 


 

 

 

Beyond the Traffic: Why Your Cybersecurity Depends on True Network Insight

Before you can optimize performance or monitor for malicious activity, you need a network that you fully understand, that is compliant with internal and external requirements, and whose operational activity is measurable and reportable to management. This understanding must not rely on static design documents or institutional lore from the original implementers. Instead, it must come from a systemic model of the current as-built reality of the network as it exists in the present moment.

This comprehensive, single-pane-of-glass understanding must evolve alongside the dynamic nature of changes in a modern production network. Such visibility enables organizations to answer critical questions that drive situational awareness and actionable intelligence, such as:

  • How do you reconcile various vendor management systems for “end-to-end” visibility and verification of network asset inventories?
  • How can you audit and verify that all network infrastructure devices are securely configured and compliant?
  • How do you automate the identification and explanation of all possible network ingress, egress, and internet exposure before actual traffic is observed?
  • How do you account for and understand the impact of NAT and VRF when analyzing and validating network access controls and segmentation policies?
  • How can you leverage and automate a risk-based vulnerability prioritization and mitigation process that quantifies the likelihood of compromise, rather than just asset value and CVSS score?
  • How do you continuously monitor for compliance violations to avoid “compliance drift” across the entire network?

While these questions represent an essential starting point for Continuous Threat Exposure Management and Zero Trust implementations, achieving such visibility is just the beginning. With a clear, dynamic understanding of your network, you can:

  • Test the security impact of change requests before implementation, so the network is secured at the configuration and access level rather than after a change has already disrupted the business.
  • Measure the overall cyber hygiene and resilience of your networks with executive-level KPIs and KRIs that support cybersecurity strategies and help avoid unintentional business disruptions.
  • Automate these processes so they run continuously across the entire network, including cloud and SDN fabrics, not just sample segments, as part of business-as-usual daily operations.

The RedSeal Advantage

RedSeal provides the foundational capabilities needed to achieve this level of understanding and operational efficiency, including:

  • Network visualization: Gain complete visibility into the structure and behavior of your network.
  • Attack path management: Identify and mitigate potential attack vectors before they can be exploited.
  • Risk prioritization: Focus resources on addressing vulnerabilities with the greatest potential impact using a risk-based approach.
  • Continuous compliance: Avoid compliance drift with automated, ongoing compliance monitoring and reporting.

These capabilities ensure maximum return on investment for other cybersecurity platforms, reduce staffing requirements, and provide comprehensive compliance reporting across your entire network—not just isolated samples.

With RedSeal, you achieve a systemic, dynamic, and actionable understanding of your network to stay ahead of threats and ensure robust cybersecurity. Reach out to RedSeal or schedule a demo today for a personalized walkthrough and discover how RedSeal can revolutionize your approach to cybersecurity.

Cyber News Roundup for January 10, 2025

This week in cybersecurity news: critical vulnerabilities, ongoing data breaches, and new sanctions highlight the persistent threats facing industries worldwide. From massive outages at Proton and German airports to high-profile breaches by Chinese and Russian threat actors, organizations must remain vigilant. Meanwhile, regulatory updates like the new Cyber Trust label and Apple’s privacy settlement offer a glimpse into the evolving landscape of security and compliance. Let’s take a closer look at the latest developments:

 

Proton recovers from worldwide outage 

The privacy firm Proton is dealing with a massive outage that started at 10:00 a.m. Eastern time yesterday, leaving users unable to access Proton VPN, Mail, Calendar, Drive, Pass, and Wallet. Most services were restored quickly; Proton Mail came back at 1:09 p.m., and Calendar was still unavailable as of this writing. Proton has not yet explained the cause of the outage. (BleepingComputer)

 

U.S. Treasury breach linked to Silk Typhoon group 

Following up on a story we have been watching these past few weeks, it has now been revealed that the Silk Typhoon APT group was responsible for the Treasury hack. Using stolen Remote Support SaaS API keys from third-party cybersecurity vendor BeyondTrust, the group was able to steal data from workstations in the Office of Foreign Assets Control (OFAC) as well as the Treasury Department’s Office of Financial Research. Silk Typhoon, also tracked as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations. The “Typhoon” appellation is a Microsoft convention for labelling Chinese APT groups, in the same way that Blizzard is used for Russian threat actors, Sleet for North Korean threat actors, and Sandstorm for Iranian threat actors. (Dark Reading)

 

Russian ISP confirms Ukrainian hackers “destroyed” its network 

Hacktivists from the Ukrainian Cyber Alliance group, announced on Tuesday they had breached the network of Russian internet service provider Nodex and had wiped its systems after stealing sensitive documents, leaving only “empty equipment without backups.” The hackers showed off screenshots of the ISP’s VMware, Veeam backup, and Hewlett Packard Enterprise virtual infrastructure that were hacked during the breach. (BleepingComputer)

 

CISA adds Ivanti products and ZTA Gateways flaw to its KEV catalog 

CISA has added CVE-2025-0282, an Ivanti Connect Secure vulnerability with a CVSS score of 9.0 that also affects Ivanti’s ZTA Gateways, to its Known Exploited Vulnerabilities catalog. The advisory states that “successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution,” while a second flaw, “CVE-2025-0283 could allow a local authenticated attacker to escalate privileges.” Although, as usual, private companies are also urged to update their systems, the KEV addition means that federal agencies must address the vulnerability by January 15. (Security Affairs)

 

Critical flaw in GFI KerioControl allows remote code execution 

GFI KerioControl is a network security solution that provides firewall functionality and unified threat management capabilities such as threat detection and blocking, traffic control, intrusion prevention, and VPN features. Security researcher Egidio Romano published a writeup of the vulnerability on December 16, and explained that the reflected XSS attack vector can be exploited to perform one-click RCE attacks. Threat intelligence firm Censys says it has observed “almost 24,000 GFI KerioControl instances accessible from the internet, many of which are in Iran. However, it is unclear how many of these are vulnerable.” (Security Week)

 

An industrial networking firm identifies critical vulnerabilities in its cellular routers, secure routers, and network security appliances 

Industrial networking firm Moxa has identified two critical vulnerabilities in its cellular routers, secure routers, and network security appliances. The first flaw (CVE-2024-9138) exploits hardcoded credentials to gain root access, affecting 10 products. The second (CVE-2024-9140) enables OS command injection via input bypass, affecting 7 products and allowing remote exploitation by unauthenticated users. Rated 8.6 and 9.8 on CVSS, the vulnerabilities pose significant risks. Moxa has released patches for many devices and advises minimizing network exposure, limiting SSH access, and using intrusion detection systems for unpatched products. (Cyberscoop)

Staten Island hospital notifies 674,000 people of data breach 

Richmond University Medical Center in Staten Island, New York, is notifying 674,000 individuals that their data may have been compromised during a May 2023 ransomware attack, BankInfoSecurity reports. The hospital said in a notice to federal regulators last month, “On December 1, 2024, the manual review process determined that at least one of those files contained personal information, including full names and one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, biometric information, user credentials, medical treatment/diagnosis information, and/or health insurance policy information.” (Bank Info Security)

 

Cyber Trust marks to roll out in 2025 

In 2023, the White House launched an initiative to add Cyber Trust labels to retail packaging for connected devices. This was compared to the equivalent of Energy Star certification to indicate a consumer baseline of cybersecurity best practices. The FCC unanimously approved the label in March. Now, White House officials say the label will start appearing on consumer devices this year. Deputy National Security Adviser for Cyber Anne Neuberger said an upcoming executive order will mandate that the federal government only purchase devices with the Cyber Trust label as of 2027. The program will be based on NIST cybersecurity criteria and will inform users at the point of purchase how long companies plan to provide software updates. CISA, the FCC, and the Department of Justice will collaborate to oversee and enforce the program. (The Record)

 

CISA says government hack limited to Treasury 

Last week, the US Treasury Department informed lawmakers that state-sponsored Chinese threat actors breached its systems in a “major cybersecurity incident” through its remote support provider BeyondTrust. After an investigation, CISA announced it found no signs of the breach impacting any other federal agencies. CISA said it will continue to monitor the response to the attack and coordinate with “relevant federal authorities” as needed. Investigators are still looking into the full scope of the Treasury attack but said there was no evidence the threat actors maintained access after the Treasury terminated its BeyondTrust instance. (Bleeping Computer)

 

Philippines targeted by Chinese threat actors 

Bloomberg’s sources say Chinese state-sponsored actors orchestrated a yearlong campaign to penetrate systems of the Philippines’ executive branch, stealing “sensitive” data. However, Department of Information and Communications Technology Secretary Ivan Uy said the attacks did not compromise current data but did obtain “old data from many years ago.” Uy said his department deals with thousands of breach attempts against the government daily and challenges the threat actors to publish details if they obtained relevant data. (Bloomberg, PhilStar)

 

ASUS issues a critical security advisory for several router models 

ASUS has issued a critical security advisory for several router models, highlighting vulnerabilities (CVE-2024-12912 and CVE-2024-13062) in firmware versions 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102. These flaws could allow authenticated attackers to execute arbitrary commands via the AiCloud feature, potentially compromising network security. ASUS has released firmware updates and urges users to update immediately. To enhance security, the company advises using strong, unique passwords and disabling internet-accessible services on older routers. (Cyber Security News)

 

U.S. sanctions China’s Integrity Technology for role in Flax Typhoon attacks 

Following up on a story we covered last September, U.S. officials are now confirming that the Beijing-based Integrity Technology Group provided China’s Ministry of State Security and several Chinese state-backed hacking groups “with infrastructure that allows them to attack multiple victims based in the U.S.” “China-based hackers working for Integrity Tech, known to the private sector as Flax Typhoon, successfully targeted universities, government agencies, telecommunications providers and media organizations in the U.S. and elsewhere,” State Department spokesperson Matthew Miller said on Friday. “The sanctions freeze all U.S. assets of the company and limit the amount of interaction financial institutions can have with it.” (The Record)

 

German airports hit by IT outage 

As reported in Reuters, “German airports were hit by a nationwide IT outage affecting police systems at border control on Friday, causing disruption and longer immigration queues for passengers from outside the European Union’s Schengen travel zone.” The Schengen zone consists of 29 European countries that have officially abolished border controls at their mutual borders and placed them under single jurisdiction. The cause of the IT outage is not yet known, but major airports including Berlin, Frankfurt, and Dusseldorf report longer waiting times at immigration for non-Schengen passengers. (Reuters)

 

Vulnerability discovered in Nuclei vulnerability scanner 

A high-severity security flaw has been disclosed in ProjectDiscovery’s Nuclei, “a widely used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code.” Nuclei is designed to “probe modern applications, infrastructure, cloud platforms, and networks to identify security flaws.” According to cloud security firm Wiz, which made the discovery, the vulnerability is “rooted in the template signature verification process, which is used to ensure the integrity of the templates made available in the official templates repository.” (The Hacker News)

 

Apple to pay Siri users $20 per device in settlement over privacy violations 

The outcome of a class action suit against Apple sees the company agreeing to pay $95 million to settle accusations that the iPhone maker invaded users’ privacy through its Siri assistant. According to Reuters, the settlement applies “to U.S.-based individuals [who are] current or former owners or purchasers of a Siri-enabled device who had their confidential voice communications with the assistant “obtained by Apple and/or were shared with third-parties as a result of an unintended Siri activation” between September 17, 2014, and December 31, 2024. Eligible individuals can submit claims for up to five Siri devices. Valid claims can receive $20 per device. (The Hacker News)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Cyber News Roundup for January 3, 2025

Happy New Year! We’re bringing you the first roundup of key cybersecurity developments of the year, highlighting significant breaches, evolving threats, and new regulatory updates. From state-sponsored hacks targeting critical U.S. government systems to the continued vulnerabilities in healthcare and telecom sectors, the cybersecurity landscape remains dynamic and fraught with challenges.

Let’s take a closer look at some of the major stories making headlines:

 

Beijing-linked hackers penetrated U.S. Treasury systems

According to a letter the U.S. Treasury sent to congressional lawmakers on Monday, a Chinese state-sponsored APT actor was responsible for what is being called “a major incident” that compromised U.S. Treasury Department workstations and classified documents at the Office of Foreign Assets Control (OFAC). The department had been notified on December 8 by BeyondTrust that “a foreign actor had obtained a security key” that allowed it “to remotely gain access to employee workstations and the classified documents stored on them.” The letter “did not specify the number of impacted workstations or the kind of documents accessed,” and the agency adds that the compromised service “has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information.” (The Record)

 

Russian tanker suspected of undersea data cable sabotage 

On yesterday’s episode of Cyber Security Headlines, we mentioned briefly that Finnish authorities seized a Russian ship after it allegedly damaged several submarine cables in the Baltic Sea. The story continues to unfold. The ship seized was the Eagle S, an oil tanker that departed from a Russian port on December 25, and which is suspected of “intentionally dragging its anchor for several miles resulting in the complete severing of multiple cables, including the Estlink 2 power cable and four telecommunications cables.” Authorities from Finland boarded the ship by helicopter, having “identified but not arrested seven suspects.” The ship is being treated as a crime scene on suspicions that it is more than just an oil tanker. A report from the shipping journal Lloyd’s List describes the Eagle S as having been “loaded with spying equipment unusual for a merchant ship, and used to monitor NATO naval and aircraft radio communications, and to drop “sensors-type devices” in the English Channel.” (The Record and Lloyd’s List)

 

Lumen says it has locked the Salt Typhoon group out of its network 

More updates in the continuing Salt Typhoon story: following revelations last week that a ninth telecom company had been penetrated by the China-linked APT group Salt Typhoon, Lumen announced this week that the APT group had been ejected from and locked out of the Lumen network. Company spokesperson Mark Molzen told TechCrunch that “an independent forensic analysis confirmed the company ejected the Chinese actors from its network,” adding that there is no evidence that customer data was accessed. (Security Affairs)

 

Proposed updates to HIPAA Security Rule would mandate restoring certain electronic information systems and data within 72 hours of a loss

The U.S. Department of Health and Human Services (HHS) has proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to enhance cybersecurity measures within the healthcare sector. These updates aim to strengthen protections for electronic protected health information (ePHI) against increasing cyber threats. Key proposed changes include:
  • Mandatory Implementation Specifications: Eliminating the distinction between “required” and “addressable” specifications, making all implementation specifications mandatory with limited exceptions.
  • Data Restoration Requirements: Mandating the restoration of certain electronic information systems and data within 72 hours following a loss.
  • Enhanced Documentation and Analysis: Requiring comprehensive written documentation of policies, procedures, plans, and analyses, along with regular reviews and updates.
  • Asset Inventory and Network Mapping: Obligating the development and maintenance of a technology asset inventory and a network map that tracks the movement of ePHI, to be updated at least annually or in response to significant changes.
These proposed modifications are part of a broader effort to align HIPAA regulations with current technological advancements and to address the evolving cybersecurity landscape in healthcare. The Notice of Proposed Rulemaking (NPRM) was issued on December 27, 2024, and stakeholders are encouraged to submit comments during the 60-day public comment period following its publication in the Federal Register. (Security Affairs)

Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs

A recent investigation revealed that an unsecured cloud server exposed sensitive location data for 800,000 Volkswagen Group electric vehicles, including models from Volkswagen, Audi, SEAT, and Skoda. Discovered by an anonymous whistle-blower and reported to the Chaos Computer Club (CCC), the data included GPS coordinates and vehicle statuses, enabling the tracking of owners’ movements and routines. Notably, the breach affected various individuals, including German politicians, police officers, and intelligence service employees, with most vehicles located in Europe. The root cause was identified as a misconfiguration within Cariad, Volkswagen’s software division, which has since been addressed to prevent further unauthorized access. (Hack Read)

New details about hijacked Chrome extensions

In another update to a story we brought to you Monday on Cyber Security Headlines, new details have emerged about a phishing campaign targeting Chrome browser extension developers. Although initial reports focused on an extension from security firm Cyberhaven, subsequent investigations revealed the campaign affected at least 35 extensions collectively used by roughly 2,600,000 people. The attack leverages a phishing email appearing to come from Google and claiming the developer’s extension is in violation of Chrome Web Store policies. Victims are then redirected to an attacker-hosted OAuth application (named “Privacy Policy Extension”) where they are asked to grant permission to manage their Chrome extensions. The attackers then inject data-stealing code into the extension and publish it as a “new” version. The malicious extensions aim to steal user Facebook credentials and have the ability to bypass multi-factor authentication and CAPTCHA mechanisms. While recent reports indicate the campaign started around December 5, 2024, BleepingComputer identified that related command and control subdomains existed as far back as March 2024. (Bleeping Computer)

 

NATO plans to build satellite links as backups to undersea cables 

Ninety-five percent of global data traffic is carried through undersea fiber optic cables. Because roughly 100 undersea cables get severed each year, NATO is working to improve resilience of this critical infrastructure. Project HEIST (which stands for Hybrid Space-Submarine Architecture Ensuring Infosec of Telecommunications), will enlist engineers to develop smart systems to quickly locate cable breaks and develop protocols to automatically reroute the affected data to satellites. While satellites are the primary backups to undersea cables, their bandwidth is far behind physical connections. Work is underway to upgrade satellites from radio transmissions to lasers, increasing the speed by about 40 times to 200 Gbps. While Starlink satellites already use laser technology, other tech companies, including Amazon, continue to develop their own satellite technology.

Coincidentally, this week, Finnish authorities seized a Russian ship after it allegedly damaged several submarine cables in the Baltic Sea. (Tom’s Hardware and The Record)

 

Air Fryer espionage raises data security concerns

While risks related to smart device hijacking are nothing new, since November, privacy concerns related to the use of air fryers have been gaining momentum on tech forums. Modern smart air fryers leverage AI, increasing their ability to collect, and potentially expose, personal information. The UK’s Information Commissioner’s Office (ICO) recently released findings showing that certain air fryer models sold in the UK and the U.S. possess the ability to eavesdrop on users through their mobile apps. In response, the ICO plans to introduce new guidelines for manufacturers of AI-powered gadgets. In the meantime, users should keep connected device software up to date, secure home Wi-Fi networks with strong passwords and monitor permissions granted to related apps. (Cyber Security Insiders)

 

2024 security lessons

According to an article by Dark Reading, there are some key lessons to take away as we head into the new year. The threat landscape in 2024 underscored the rise of zero-day exploits, nation-state alliances with cybercriminals, and increasing attacks on critical infrastructure, exposing systemic vulnerabilities in both IT and OT systems. High-profile incidents, including ransomware disruptions to supply chains and espionage targeting telecom networks, highlighted the need for stronger defenses, proactive patch management, and cross-sector collaboration. (Dark Reading)

 

Volkswagen software company Cariad suffers Amazon cloud breach

The breach, discovered by Europe’s largest ethical hacker association, CCC, revealed that sensitive information for 800,000 electric vehicles from brands such as Audi, VW, and Skoda was left exposed on “a poorly secured and misconfigured Amazon cloud storage system.” The data stolen includes GPS coordinates, battery charge levels, and other vehicle status details, but experts warn that such data can be easily “connected to owners’ personal credentials, thanks to additional data accessible through VW Group’s online services.” The data had been vulnerable for months; however, a Cariad representative said that “the exposed data affected only vehicles connected to the internet and had been registered for online services,” and that the data “could only be accessed after bypassing several security mechanisms that required significant time and technical expertise.” An investigation by the German magazine Spiegel shows that the list of affected customers includes German politicians, entrepreneurs, the entire fleet of the Hamburg police force, and even suspected intelligence service employees. (BleepingComputer, Carscoops, Spiegel)

 

HIPAA to be updated with cybersecurity regulations

Further news from Anne Neuberger’s Friday press conference reveals that new cybersecurity rules covering how healthcare institutions protect user data will be proposed under the Health Insurance Portability and Accountability Act. Neuberger described this as the first update to HIPAA’s security rule in over a decade; it will require entities that maintain healthcare data to encrypt it. “Healthcare entities also will have to monitor their networks for threats and do compliance checks to see whether they are abiding by the new HIPAA rules.” (The Record)

 

Palo Alto Networks fixes high-severity PAN-OS flaw

This flaw in PAN-OS software, which has been assigned a CVE number and carries a CVSS score of 8.7, could trigger a denial-of-service (DoS) condition on vulnerable devices: an unauthenticated attacker could reboot the firewall by sending a malicious packet through its data plane, forcing the firewall into maintenance mode. The vulnerability affects PAN-OS versions 10.X and 11.X, but can be exploited only if DNS Security logging is enabled. (Security Affairs)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Cyber News Roundup for December 20, 2024

In this week’s roundup, we’re seeing significant cybersecurity threats making headlines across the globe. APT29, linked to Russia’s SVR, has launched a widespread spearphishing campaign, while CISA is advising high-risk individuals on securing their communications in the face of ongoing Chinese espionage activities. We also dive into rising risks from Mirai malware infections, the latest on the TikTok ban challenge, and emerging vulnerabilities in devices ranging from routers to cameras. Stay ahead of the curve with the latest cyber developments.

 

APT29 launches widespread rogue RDP campaign
Trend Micro has published a report on a spearphishing campaign by Russia’s APT29 (tracked by Trend Micro as “Earth Koshchei”) designed to trick recipients into using a rogue RDP configuration file, causing their machines to connect to one of the threat actor’s RDP relays. APT29 has been widely attributed to Russia’s foreign intelligence service, the SVR. The campaign, which peaked in October, targeted governments, armed forces, think tanks, academic researchers, and Ukrainian entities. Trend Micro explains, “The RDP attack begins when the victim attempts to use the .RDP file that was sent in a spear-phishing attack. This then makes an outbound RDP connection to the attacker’s first system (Figure 2). Here, the attacker employs PyRDP to act as a MITM proxy, intercepting the victim’s connection request. Instead of connecting the victim to what they think is a legitimate server, the PyRDP proxy redirects the session to a rogue server controlled by the attacker. This setup enables the attacker to pose as the legitimate server to the victim, effectively hijacking the session. By doing so, the attacker gains full visibility and control over the communication between the victim and the RDP environment.” (Trend Micro)
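
The campaign above works because the victim opens an attacker-supplied .rdp file whose destination is the attacker’s relay. As an added example for this roundup (not code from Trend Micro, RedSeal or any product), the Python below shows a defender-side check that a mail gateway or endpoint tool could run on .rdp attachments: it parses the file’s `key:type:value` lines, compares the `full address` against an allowlist of approved RDP gateways (the allowlist and the sample files are constructed assumptions), and flags resource-redirection settings that would give the remote end access to local drives, clipboard, printers or smart cards. The setting names are standard .rdp file keys; the threshold for what counts as rogue is the reader’s policy decision.

```python
"""Inspect a Windows .rdp connection file for signs it points somewhere it
should not. Added example for this roundup, not Trend Micro's or RedSeal's code.
The approved-host list and both sample files below are constructed."""
from __future__ import annotations

# Assumption: the organisation keeps a list of sanctioned RDP destinations.
APPROVED_HOSTS = {"rdp-gateway.example.internal", "ts01.example.internal"}

# Standard .rdp settings that hand local resources to the remote session.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "redirectclipboard": "clipboard shared with the remote session",
    "redirectprinters": "printers redirected to the remote session",
    "redirectsmartcards": "smart cards redirected to the remote session",
}

# Constructed sample: what a rogue file in the described campaign might look like.
ROGUE_RDP = """screen mode id:i:2
full address:s:relay.attacker-example.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
"""

# Constructed sample: an ordinary file pointing at the corporate gateway.
SAFE_RDP = """full address:s:rdp-gateway.example.internal
drivestoredirect:s:
redirectclipboard:i:0
"""


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'key:type:value' lines into {key: value}; the type letter is dropped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line, ignore it
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def check_rdp(text: str, approved_hosts=APPROVED_HOSTS) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: list[str] = []
    settings = parse_rdp(text)
    address = settings.get("full address", "")
    # Strip an optional ':port' suffix (IPv4/hostname form; bracketed IPv6 not handled).
    host = address.split(":")[0].lower() if address else ""
    if not host:
        findings.append("no 'full address' present")
    elif host not in approved_hosts:
        findings.append(f"destination {host!r} is not an approved RDP host")
    for key, description in REDIRECTION_KEYS.items():
        value = settings.get(key)
        if value is None:
            continue
        # drivestoredirect is a string ('*' or a drive list enables it);
        # the other keys are integer flags where '1' enables redirection.
        enabled = value != "" if key == "drivestoredirect" else value == "1"
        if enabled:
            findings.append(f"{key}={value}: {description}")
    return findings


if __name__ == "__main__":
    for name, sample in (("rogue", ROGUE_RDP), ("safe", SAFE_RDP)):
        print(name, check_rdp(sample) or ["ok"])
```

The check deliberately refuses to trust anything outside the allowlist rather than trying to recognise attacker infrastructure, since the relay’s address is whatever the attacker chose that day; the redirection flags matter because they are what turns a hijacked session into access to the victim’s own machine.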

CISA issues security guidance for highly targeted individuals amid Salt Typhoon hacks

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory yesterday recommending that “highly targeted individuals” use end-to-end encrypted apps such as Signal amid ongoing Chinese espionage campaigns targeting US telecom providers. The advisory is meant for “individuals who are in senior government or senior political positions and likely to possess information of interest to these threat actors,” though the guidance is applicable to anyone interested in securing their communications. The agency says highly targeted individuals “should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation.” (CISA)

 

BeyondTrust suffers cyberattack

BeyondTrust, a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions, itself suffered a cyberattack on December 2. “Its products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.” After detecting “anomalous behavior,” it was determined that “hackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.” “BeyondTrust immediately revoked the API key, and notified known impacted customers.” It is not yet clear whether the threat actors were able to use the compromised Remote Support SaaS instances to breach downstream customers. (BleepingComputer)

Fortinet warns of critical flaw in Wireless LAN Manager

This flaw, which has now been patched, could have allowed admin access and sensitive information disclosure on the Wireless LAN Manager (FortiWLM) product. Security researcher Zach Hanley from Horizon3.ai stated that the vulnerability, tracked as CVE-2023-34990 with a CVSS score of 9.6, “enables remote attackers to exploit log-reading functions via crafted requests to a specific endpoint.” A subsequent report from Horizon3 stated that FortiWLM’s verbose logs “expose session IDs, enabling attackers to exploit log file read vulnerabilities to hijack sessions and access authenticated endpoints.” (Security Affairs)

Juniper routers with default passwords are attracting Mirai infections, says manufacturer

According to an advisory from Juniper, customers last week started reporting “suspicious behavior” on their Session Smart Routers. What the customers all had in common was that they were still using the factory-set passwords on the devices. Investigation found a variant of Mirai malware that had been scanning for such vulnerable routers. Once infected, the devices were “subsequently used as a DDOS attack source” attempting to disrupt websites with junk traffic, Juniper says. The company does not mention how many devices were infected or where the attacks were directed. Juniper recommends that customers with Session Smart Routers “immediately apply strong, unique passwords and continue to monitor for suspicious network activity such as unusual port scanning, increased login attempts and spikes in outbound internet traffic.” (The Record)
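Juniper’s advice boils down to three observable signals: repeated login attempts, successful logins to factory accounts that should no longer exist, and a jump in outbound traffic once a device is drafted into a DDoS. As an added example for this roundup (not Juniper’s code, and not tied to the Session Smart Router’s real log format), the Python below runs those three detections over constructed sshd-style log lines and constructed per-minute outbound byte counts. The account names, thresholds, timestamps and addresses are all constructed assumptions; adapt the regular expression to the syslog format of the device you actually monitor.

```python
"""Three detections from Juniper's recommendation, run over constructed samples.
Added example for this roundup (not Juniper's or RedSeal's code); the log format,
account list, thresholds and every sample value are constructed assumptions."""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines from a hypothetical router "ssr1".
LOG_LINES = [
    "2024-12-17T10:00:01 ssr1 sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "2024-12-17T10:00:05 ssr1 sshd[102]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "2024-12-17T10:00:09 ssr1 sshd[103]: Failed password for admin from 203.0.113.5 port 40003 ssh2",
    "2024-12-17T10:00:13 ssr1 sshd[104]: Failed password for admin from 203.0.113.5 port 40004 ssh2",
    "2024-12-17T10:00:17 ssr1 sshd[105]: Failed password for admin from 203.0.113.5 port 40005 ssh2",
    "2024-12-17T10:00:21 ssr1 sshd[106]: Failed password for admin from 203.0.113.5 port 40006 ssh2",
    "2024-12-17T10:00:25 ssr1 sshd[107]: Accepted password for admin from 203.0.113.5 port 40007 ssh2",
    "2024-12-17T10:05:00 ssr1 sshd[120]: Failed password for ops from 198.51.100.9 port 50000 ssh2",
    "2024-12-17T10:05:30 ssr1 sshd[121]: Accepted publickey for ops from 198.51.100.9 port 50001 ssh2",
]

# Constructed per-minute outbound byte counts from the router's WAN interface.
OUTBOUND_BYTES = [
    ("2024-12-17T10:00:00", 2_100_000), ("2024-12-17T10:01:00", 1_900_000),
    ("2024-12-17T10:02:00", 2_300_000), ("2024-12-17T10:03:00", 2_000_000),
    ("2024-12-17T10:04:00", 2_200_000), ("2024-12-17T10:05:00", 2_100_000),
    ("2024-12-17T10:06:00", 48_000_000),  # device starts flooding a target
    ("2024-12-17T10:07:00", 51_000_000),
]

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
DEFAULT_ACCOUNTS = frozenset({"root", "admin"})  # assumption: factory account names


def parse_logins(lines):
    """Yield (timestamp, result, user, source_ip) for every login line that matches."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed logins inside any sliding `window`."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = {}
    for ts, result, _user, src in parse_logins(lines):
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def default_account_logins(lines, accounts=DEFAULT_ACCOUNTS):
    """Successful logins to factory accounts: the device is likely still on default creds."""
    return [(ts.isoformat(), user, src)
            for ts, result, user, src in parse_logins(lines)
            if result == "Accepted" and user in accounts]


def outbound_spikes(samples, baseline=5, factor=5.0):
    """Intervals whose volume exceeds `factor` times the median of the previous `baseline` intervals."""
    spikes = []
    for i in range(baseline, len(samples)):
        reference = statistics.median(b for _, b in samples[i - baseline:i])
        ts, volume = samples[i]
        if volume > factor * reference:
            spikes.append(ts)
    return spikes


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(LOG_LINES))
    print("default-account logins:", default_account_logins(LOG_LINES))
    print("outbound spikes at:", outbound_spikes(OUTBOUND_BYTES))
```

A median rather than a mean is used for the traffic baseline so that the first flood minute does not immediately inflate the reference and hide the minutes that follow it; the sliding window for failed logins is per source address, which is what distinguishes a scanning bot from a user mistyping a password.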

 

CISA issues a Binding Operational Directive requiring federal agencies to enhance cloud security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, requiring federal agencies to enhance cloud security by adopting secure configuration baselines. The directive aims to mitigate risks from misconfigurations and weak controls by mandating compliance with CISA’s Secure Cloud Business Applications (SCuBA) standards. Agencies must identify cloud tenants and create an inventory by February 21, 2025, deploy SCuBA assessment tools by April 25, 2025, and implement mandatory SCuBA policies, including Microsoft Office 365 baselines, by June 20, 2025. Annual updates to cloud tenant inventories and continuous reporting are also required. CISA plans to maintain and update policies, assist agencies, and monitor compliance. While directed at federal agencies, CISA encourages broader adoption to bolster collective cybersecurity resilience.

Meanwhile, the Office of the National Cyber Director and CISA released a playbook to guide federal grant managers and recipients on integrating cybersecurity into critical infrastructure projects. The “Playbook for Strengthening Cybersecurity in Federal Grant Programs” offers model language and recommendations for incorporating cybersecurity into grant-making processes and project assessments. Reflecting Biden administration priorities like the Investing in America initiative, the playbook emphasizes secure-by-design principles and critical infrastructure resilience. While advisory, it encourages agencies and grant recipients to prioritize cybersecurity in upcoming infrastructure upgrades. (SecurityWeek, CISA)

 

HiatusRAT malware operators are scanning for vulnerable web cameras and DVRs

The US FBI has issued an alert warning that HiatusRAT malware operators are conducting scanning campaigns against Chinese-branded web cameras and DVRs across the US, Australia, Canada, New Zealand, and the United Kingdom. The Bureau states, “The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords. Many of these vulnerabilities have not yet been mitigated by the vendors. In particular, the actors targeted Xiongmai and Hikvision devices with telnet access.” The FBI recommends limiting the use of these devices or isolating them from the rest of the network. (FBI)

 

Supreme Court to hear TikTok ban challenge

The long road to a TikTok ban in the US might be approaching a final stop. As a refresher, Congress passed a law in April requiring ByteDance to divest TikTok or see the app cut off from app stores and web-hosting services in the US. That law is set to go into effect on January 19th. On December 6th, a DC Circuit appeals court ruled that Americans saw concerns over the Chinese government’s ability to gather data and potentially manipulate content as “well-founded” and represented a “compelling national security interest.” Now, the US Supreme Court will hear TikTok’s challenge to that ruling on January 10th. The outgoing Biden administration will present the government’s case. (CBS)

 

US weighs TP-Link ban

The Wall Street Journal reports that the U.S. government is considering a ban on TP-Link routers amid rising security concerns. Investigations by the Commerce, Defense, and Justice Departments suggest TP-Link routers, made by a China-based company, may pose national security risks. A Microsoft report linked TP-Link devices to a Chinese hacking network targeting Western organizations. The devices dominate the U.S. home and small-business router segment with a 65% market share. TP-Link routers are often shipped with unresolved security flaws, and the company reportedly doesn’t cooperate with security researchers. The Justice Department is also probing whether TP-Link’s low pricing strategy violates antitrust laws. The potential ban could disrupt the router market, which TP-Link has dominated due to affordability and partnerships with over 300 U.S. internet providers.

TP-Link denies selling products below cost and insists on compliance with U.S. laws. While U.S. officials haven’t disclosed evidence of deliberate collusion with Chinese state-sponsored hackers, concerns persist. TP-Link’s founders remain connected to Chinese institutions conducting military cyber research. Despite efforts to rebrand as U.S.-centric, including announcing a California headquarters, critics see the company’s ties to China as inseparable. If enacted, the ban would mark the largest removal of Chinese telecom equipment in the U.S. since Huawei in 2019. Similar bans have been enacted in Taiwan and India, citing security risks. The move underscores the broader challenges of securing the telecommunications supply chain, with U.S. officials acknowledging systemic vulnerabilities across the router market, including domestic brands. (WSJ)

 

Cisco data leaked

In October, the threat actor IntelBroker claimed they had obtained data from Cisco in a breach, including source code and encryption keys. A company investigation found this data was obtained from a public-facing DevHub environment. This ordinarily hosts source code and other materials meant for public consumption, but Cisco said a configuration error caused some private data to be inadvertently published. This week, IntelBroker published 2.9 gigabytes of data obtained from DevHub, claiming they obtained a total of 4.5 terabytes. Since its initial incident reports on the leaked data, Cisco removed a statement saying it found no evidence that personal information or financial data was compromised. (Security Week)

 

Microsoft quietly patches two potentially critical vulnerabilities

Microsoft announced the patching of two potentially critical vulnerabilities in Update Catalog and Windows Defender. These flaws, tracked as CVE-2024-49071 and CVE-2024-49147, have been fully mitigated and require no user action. The Windows Defender flaw, rated medium-severity based on CVSS scores, could have allowed unauthorized disclosure of sensitive file content over a network due to improper index authorization. The Update Catalog vulnerability, involving deserialization of untrusted data, was a privilege escalation issue on the webserver. Microsoft emphasized that neither flaw was disclosed publicly nor exploited before patching. The company is now assigning CVE identifiers to cloud service vulnerabilities for transparency, following industry trends. Similar measures have been adopted by Google Cloud, reflecting growing emphasis on proactive security and communication about server-side vulnerabilities. (SecurityWeek)

Iran-linked threat actor deploys new ICS malware

Researchers at Claroty have discovered a new strain of IoT/OT malware “IOCONTROL” used by Iran-affiliated attackers to target devices in Israel and the US. The researchers state, “IOCONTROL has been used to attack IoT and SCADA/OT devices of various types including IP cameras, routers, PLCs, HMIs, firewalls, and more. Some of the affected vendors include: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others.” Notably, Claroty says, “One particular IOCONTROL attack wave involved the compromise of several hundred Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in Israel and the United States. The malware is essentially custom built for IoT devices but also has a direct impact on OT such as the fuel pumps that are heavily used in gas stations.” The malware has been deployed by a threat actor tracked as the “CyberAv3ngers,” which is believed to have ties to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). (Claroty)


South Carolina credit union suffers cyberattack

SRP Federal Credit Union, one of the largest credit unions in South Carolina, filed breach notification documents with regulators in Maine and Texas on Friday following suspicious activity detected on its network. Initial investigations show that threat actors accessed the network at times between September 5 and November 4 of this year, and “potentially acquired certain files…during that time.” The Texas filing stated that the stolen data included names, Social Security numbers, driver’s license numbers, dates of birth and financial information such as account numbers and credit or debit card numbers. The Nitrogen ransomware gang has claimed responsibility for the attack and for the theft of 650GB of customer data. The credit union has not yet confirmed that it was a ransomware attack. (The Record)


Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.

Tales from the Trenches: The Other F-word

Today’s Tales from the Trenches is brought to you by Bill Burge, Senior Security Solutions Consultant.

When you’re first diving into network modeling with RedSeal, one of the initial tasks is connecting to network devices to gather their configurations. It’s a step that seems simple enough, but that elusive F-word, “Failed,” becomes an all-too-familiar sight. But here’s the thing—each network has its own set of requirements, and once you crack the code, things move pretty smoothly.

That is, unless one device (or a whole set of them) decides to be a rebel. Suddenly, you’re stuck with the F-word. But wait—could that “F” word actually stand for something else? Could it be “Finding” instead of “Failed”? Maybe, just maybe, while you’re trying to pull configurations to find potential network issues, you’ve already stumbled upon something valuable about the network itself.

Customer 1: The Vegas Shuffle

Imagine this: a major Las Vegas resort and casino is trying to connect a seemingly simple firewall to a T1 for their “deal of the day” promotions. Sounds straightforward, right? Well, don’t get too excited yet. Despite repeated efforts, all they get is that dreaded “Failed.” The firewall team insists it’s up and running, and they’re logged in. Still, nothing but failure.

A bit of digging reveals the issue—turns out the IP address we’re trying to connect to is on the inside transit network of the firewall, and that same subnet is defined as the failover link between the two core routers. When NetOps (with a few “C” titles sprinkled in) were asked what would happen if one core router failed, their response was that the entire internal data traffic would reroute to the T1 link, leading to the “deal of the day” server. Suddenly, “Failed” isn’t just a failure—it’s a crucial finding that was previously unknown to the team.
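The finding above is an addressing collision that an inventory check can surface before anyone tries to log in. The script below is an added example, not RedSeal’s code: it takes a constructed interface inventory (device, interface, address, role are all assumptions) and reports the same host address configured on two devices, a point-to-point subnet with more interfaces than usable addresses, and subnets of different sizes that overlap across devices. The firewall’s inside transit /30 in the sample reuses the core routers’ failover /30, as in the story; the extra /24 on a distribution switch is there only to exercise the overlap check.

```python
"""Cross-device subnet consistency check (added example, not RedSeal's own code).

Three checks over an interface inventory: duplicate host addresses across
devices, point-to-point subnets carrying more interfaces than they have
usable addresses, and partially overlapping subnets on different devices.
The inventory below is constructed; every name and address is an assumption.
"""
from ipaddress import ip_interface, ip_network
from itertools import combinations

# Constructed inventory: (device, interface, address/prefix, role).
# The firewall's inside transit /30 reuses the core routers' failover /30.
SAMPLE_INTERFACES = [
    ("fw-promo-1", "inside",  "10.200.1.1/30",   "inside transit to T1 promo server"),
    ("fw-promo-1", "outside", "203.0.113.2/30",  "T1 uplink"),
    ("core-rtr-1", "Gi0/1",   "10.200.1.1/30",   "failover link to core-rtr-2"),
    ("core-rtr-2", "Gi0/1",   "10.200.1.2/30",   "failover link to core-rtr-1"),
    ("core-rtr-1", "Gi0/2",   "10.10.0.1/24",    "user VLAN"),
    ("dist-sw-1",  "Vlan200", "10.200.1.254/24", "summary SVI that swallows the /30s"),
]


def usable_hosts(network):
    """Usable host addresses; /31 and /32 reserve no network/broadcast address."""
    if network.prefixlen >= network.max_prefixlen - 1:
        return network.num_addresses
    return network.num_addresses - 2


def find_address_conflicts(interfaces):
    """Host addresses configured on more than one device (a hard conflict)."""
    by_addr = {}
    for dev, ifname, cidr, role in interfaces:
        by_addr.setdefault(ip_interface(cidr).ip, []).append((dev, ifname, role))
    return {
        str(addr): entries
        for addr, entries in by_addr.items()
        if len({dev for dev, _, _ in entries}) > 1
    }


def find_oversubscribed_links(interfaces):
    """Subnets with more interfaces than usable addresses (three ends on a /30)."""
    by_net = {}
    for dev, ifname, cidr, role in interfaces:
        by_net.setdefault(ip_interface(cidr).network, []).append((dev, ifname, role))
    return {
        str(net): entries
        for net, entries in by_net.items()
        if len(entries) > usable_hosts(net)
    }


def find_overlaps(interfaces):
    """Pairs on different devices whose subnets overlap without being identical.

    Identical subnets on two devices are normal (the two ends of a link), so
    only partial overlaps are reported; those usually mean a mistyped mask or
    a summary network configured where a point-to-point /30 lives.
    """
    entries = [(dev, ifname, ip_interface(cidr).network) for dev, ifname, cidr, _ in interfaces]
    found = []
    for (d1, i1, n1), (d2, i2, n2) in combinations(entries, 2):
        if d1 != d2 and n1 != n2 and n1.overlaps(n2):
            found.append(((d1, i1, str(n1)), (d2, i2, str(n2))))
    return found


def report(interfaces):
    """Bundle the three checks into one human-readable finding list."""
    findings = []
    for addr, ents in find_address_conflicts(interfaces).items():
        findings.append(f"duplicate address {addr}: " + ", ".join(f"{d}/{i}" for d, i, _ in ents))
    for net, ents in find_oversubscribed_links(interfaces).items():
        findings.append(f"{net} has {len(ents)} interfaces but {usable_hosts(ip_network(net))} usable hosts")
    for a, b in find_overlaps(interfaces):
        findings.append(f"overlap: {a[0]}/{a[1]} {a[2]} vs {b[0]}/{b[1]} {b[2]}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_INTERFACES):
        print(line)
```

Run against the sample, the duplicate-address check is the one that explains the login failure (10.200.1.1 answers on both the firewall and core-rtr-1), while the oversubscription check is what shows the failover link has a third party on it.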

Customer 2: The European Firewall Fiasco

Now let’s talk about a hardware and software manufacturer with a global presence. They’ve got firewalls scattered worldwide, and I’m given a list of firewalls along with a TACACS credential that’s “good for every firewall in the network.” Sounds too good to be true, doesn’t it?

After creating a couple of thousand data collection tasks, everything seems to be humming along—until we hit the dreaded F-word again. But this time, something strange happens: the failed devices share a pattern. Upon investigating, we uncover that all the firewalls in Europe are pointed to the wrong TACACS server. That’s a major design flaw that had slipped under the radar, and it only came to light when RedSeal couldn’t pull the necessary data.
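Spotting “the failed devices share a pattern” across a couple of thousand tasks is easier with a small triage pass than by eye. The script below is an added example and not RedSeal’s code: it groups constructed collection results by attributes such as region and configured AAA server, reports values where every device failed, and separately flags devices whose AAA server is not on a sanctioned list. The device names, addresses and results are constructed; the AAA server field is assumed to come from an inventory or an earlier successful collection, since a device whose collection just failed cannot be asked for it.

```python
"""Collection-failure triage (added example, not RedSeal's own code).

Groups task results by device attributes and reports values whose devices
all failed, then flags devices pointed at an unsanctioned AAA server. All
records and addresses below are constructed for the example.
"""
from collections import defaultdict

# Constructed results: region and aaa_server come from the device records,
# status and reason from the collection run. 10.1.1.1 is the sanctioned
# TACACS server in this example; 10.1.1.250 is a stale one (assumption).
SAMPLE_RESULTS = [
    {"device": "fw-fra-01", "region": "EU",   "aaa_server": "10.1.1.250", "status": "Failed", "reason": "authentication failed"},
    {"device": "fw-fra-02", "region": "EU",   "aaa_server": "10.1.1.250", "status": "Failed", "reason": "authentication failed"},
    {"device": "fw-ams-01", "region": "EU",   "aaa_server": "10.1.1.250", "status": "Failed", "reason": "authentication failed"},
    {"device": "fw-lon-01", "region": "EU",   "aaa_server": "10.1.1.250", "status": "Failed", "reason": "authentication failed"},
    {"device": "fw-mad-01", "region": "EU",   "aaa_server": "10.1.1.250", "status": "Failed", "reason": "authentication failed"},
    {"device": "fw-nyc-01", "region": "US",   "aaa_server": "10.1.1.1",   "status": "OK",     "reason": ""},
    {"device": "fw-nyc-02", "region": "US",   "aaa_server": "10.1.1.1",   "status": "OK",     "reason": ""},
    {"device": "fw-sfo-01", "region": "US",   "aaa_server": "10.1.1.1",   "status": "OK",     "reason": ""},
    {"device": "fw-dal-01", "region": "US",   "aaa_server": "10.1.1.1",   "status": "OK",     "reason": ""},
    {"device": "fw-chi-01", "region": "US",   "aaa_server": "10.1.1.1",   "status": "Failed", "reason": "connection timed out"},
    {"device": "fw-sin-01", "region": "APAC", "aaa_server": "10.1.1.1",   "status": "OK",     "reason": ""},
    {"device": "fw-tyo-01", "region": "APAC", "aaa_server": "10.1.1.1",   "status": "OK",     "reason": ""},
    {"device": "fw-syd-01", "region": "APAC", "aaa_server": "10.1.1.1",   "status": "OK",     "reason": ""},
]

SANCTIONED_AAA = {"10.1.1.1"}


def failure_rate_by(results, attr):
    """Map each value of `attr` to (failed, total) across the results."""
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        counts[r[attr]][1] += 1
        if r["status"] == "Failed":
            counts[r[attr]][0] += 1
    return {value: tuple(c) for value, c in counts.items()}


def find_failure_patterns(results, attrs, min_devices=3):
    """Attribute values where every device failed, with enough devices to matter.

    Returns (attr, value, failed, total). A lone timeout in an otherwise healthy
    region is noise; five out of five failing in one region is a pattern.
    """
    patterns = []
    for attr in attrs:
        for value, (failed, total) in failure_rate_by(results, attr).items():
            if total >= min_devices and failed == total:
                patterns.append((attr, value, failed, total))
    return patterns


def find_unexpected_aaa(results, sanctioned=SANCTIONED_AAA):
    """Devices whose recorded AAA server is not on the sanctioned list."""
    return sorted(r["device"] for r in results if r["aaa_server"] not in sanctioned)


if __name__ == "__main__":
    for attr, value, failed, total in find_failure_patterns(SAMPLE_RESULTS, ("region", "aaa_server")):
        print(f"{attr}={value}: {failed}/{total} failed")
    print("devices on an unsanctioned AAA server:", find_unexpected_aaa(SAMPLE_RESULTS))
```

The single US timeout is deliberately left in the sample: it keeps US from matching the all-failed pattern, which is the point of requiring every device in a group to fail before calling it a pattern rather than a handful of unrelated errors.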

In each of these cases, what appeared initially to be failures turned out to be incredibly valuable findings. We were able to uncover network design issues that had gone unnoticed until the F-word reared its head.

So, next time you see “Failed,” don’t just assume it’s the end of the world. It might just be the beginning of a crucial network discovery!

Reach out to RedSeal or schedule a demo today for a personalized walkthrough and discover how RedSeal can revolutionize your approach to cybersecurity.