Cyber News Roundup for February 14, 2025

In this edition of our Cyber News Roundup, we cover the latest cybersecurity threats and critical updates from around the world. From vulnerabilities in the U.S. Coast Guard’s Maritime Transportation System to malicious mobile apps making their way into app stores, it’s clear that the threat landscape is growing more complex. RedSeal’s exposure management solutions are designed to help organizations stay ahead, providing a comprehensive view of potential vulnerabilities and attack paths.


The GAO identifies cybersecurity gaps in the U.S. Coast Guard’s efforts to secure the Maritime Transportation System

The Government Accountability Office (GAO) has identified cybersecurity gaps in the U.S. Coast Guard’s efforts to secure the Maritime Transportation System (MTS) and issued five recommendations. The Coast Guard must improve incident data accuracy, enhance cyber deficiency tracking, align its strategy with national goals, and address competency gaps in cybersecurity personnel. GAO’s findings, based on reports, inspections, and stakeholder interviews from 2019 to mid-2024, highlight threats from state-sponsored actors (China, Iran, North Korea, Russia) and cybercriminals. Past cyberattacks have disrupted port operations, and future incidents could have severe consequences.

The Coast Guard assists MTS operators with cybersecurity guidance, inspections, and technical support but lacks a complete cybersecurity incident tracking system. GAO also found gaps in its cyber strategy and workforce competencies. The Department of Homeland Security (DHS) concurred with GAO’s recommendations, emphasizing the need for urgent improvements to prevent cyberattacks on critical maritime infrastructure. (Security Week)


The White House plans to nominate a new national cyber director

President Donald Trump plans to nominate Sean Cairncross as the next national cyber director, despite his lack of cybersecurity leadership experience. Cairncross, a longtime GOP insider, previously served as CEO of the Millennium Challenge Corporation and held senior roles within the Republican National Committee. If confirmed, he would lead the White House’s Office of the National Cyber Director (ONCD), which was created in 2021 to oversee U.S. cyber strategy. The Biden administration’s approach to ONCD was marked by leadership turnover and concerns about competing power centers. Observers worry the Trump administration may downsize the office, even as the U.S. faces growing cyber threats from China-linked hacking campaigns. Cairncross would replace Harry Coker, who recently left for Maryland’s commerce secretary role. (The Record)


This Ad-Tech Company Is Powering Surveillance of US Military Personnel

WIRED and 404 Media jointly report that Lithuanian ad-tech company Eskimi was the source of sensitive location data on U.S. military personnel overseas, which was sold by Florida-based data broker Datastream Group. The data included precise coordinates from devices at U.S. military sites in Germany and was collected through SDKs embedded in mobile apps. U.S. Senator Ron Wyden’s office raised national security concerns, contacting Eskimi, Lithuania’s Data Protection Authority, and Google, which listed Eskimi as an Authorized Buyer. The Lithuanian DPA is assessing the situation, and Eskimi could face penalties under GDPR if found in violation. (Wired)


Apple and Google take down malicious mobile apps from their app stores

In a follow-up to our reporting last week, Apple and Google have both removed 20 apps from their app stores after security researchers at Kaspersky discovered they had contained malware called SparkCat since March 2024. The malware, which has been downloaded over 242,000 times, uses optical character recognition to scan image galleries for cryptocurrency wallet recovery phrases and other personal information. Google banned the developers and confirmed that its Play Protect feature safeguarded users from known malware versions. Apple did not comment. (TechCrunch)


U.S. adversaries increasingly turning to cybercriminals and their malware for help

According to a Google Threat Intelligence Group report, adversarial governments are increasingly leveraging cybercriminals and their tools to advance cyber-espionage goals, fueled by resource constraints and the operational demands of conflicts like the war in Ukraine. This trend is also observed in China, Iran, and North Korea, where state-sponsored hackers utilize malware and techniques commonly associated with cybercriminals to enhance deniability and cost-efficiency. Google and other cybersecurity firms warn that this growing overlap between state actors and cybercriminals poses a significant national security threat worldwide. (CyberScoop)


Elon Musk leads a group of investors making an unsolicited bid to acquire OpenAI

Elon Musk and a group of investors have made a $97.4 billion unsolicited bid to acquire OpenAI, escalating his ongoing feud with CEO Sam Altman. Altman dismissed the offer on X, jokingly offering to buy Twitter for $9.74 billion, to which Musk responded, “Swindler.” Musk’s consortium, which includes Baron Capital and Valor Management, seeks to restore OpenAI’s original open-source mission. Musk argues that OpenAI has strayed from its founding principles, while his own x.AI follows the values he was promised.

The bid complicates Altman’s efforts to take OpenAI private, as the for-profit arm must fairly value the nonprofit’s assets. Musk also urged California’s attorney general to open competitive bidding. Musk co-founded OpenAI in 2015 but left in 2018. His ongoing legal battles against OpenAI focus on its shift toward profit-driven AI. In other OpenAI news, a hacker named ‘emirking’ claimed on BreachForums to be selling 20 million OpenAI credentials, but experts believe the data originates from infostealer malware, not an OpenAI breach.

OpenAI investigated and found no evidence of a compromise. Threat intelligence firm Kela analyzed the data and confirmed it matches infostealer logs, likely collected from malware like Redline, RisePro, and Vidar. The hacker’s post was later deleted, reinforcing suspicions that the claim was exaggerated. BreachForums is known for hosting misleading data breach claims. (Techspot)


Apple patches actively exploited zero-day

Apple has issued emergency security updates for iOS 18 and iPadOS 18 to fix a zero-day flaw (CVE-2025-24200) that the company says “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” The company explained, “A physical attack may disable USB Restricted Mode on a locked device.” USB Restricted Mode is designed to block forensic tools from accessing data over the USB port on devices that have been locked for more than an hour. Apple credits the flaw’s discovery to Bill Marczak of the University of Toronto’s Citizen Lab. The company hasn’t shared specifics on the exploitation, but BleepingComputer notes that Citizen Lab often focuses on exploits used by commercial spyware tools. (Apple, BleepingComputer)


A peek at DeepSeek’s weak security

According to researchers at AppSOC, DeepSeek’s R1 large language model failed a range of security tests for business applications, largely due to a lack of comprehensive guardrails. They found that R1 failed to prevent users from generating malware 93% of the time, and that testers could jailbreak the model past its system safeguards 91% of the time. The model scored better on leaking training data, failing in only 1.4% of attempts. Overall, however, the researchers found it extremely easy to make the model hallucinate and generate toxic or harmful content. (Dark Reading)


Sandworm targeting Ukraine with trojanized KMS

Researchers at EclecticIQ found signs that since late 2023 the Russian cyber-espionage group Sandworm has been using fake Windows updates and a trojanized version of Microsoft Key Management Service activators to target victims in Ukraine. They found evidence of seven malware campaigns using similar lures. The attack starts by luring victims to typo-squatted domains that deliver the DcRAT trojan to their machine. From there, it presents a fake Windows activation interface, disables Windows Defender, and delivers a further payload. This approach appears effective because of the widespread use of pirated software in Ukraine, even in the government sector. (Bleeping Computer)


Google Tag Manager used to deploy card skimmers

Just when you thought it was safe to go shopping. A handful of sites were discovered to be loading what looked like a typical Google Tag Manager and Google Analytics script for store analytics, but which included a containerized backdoor that gave attackers persistent access, according to researchers at Sucuri. The script was used to collect payment information during the checkout process. How the script is getting onto these sites remains unclear. (The Hacker News)


Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.