Cyber News Roundup for February 21, 2025
The cybersecurity landscape never rests, and this week’s high-impact stories highlight the ever-evolving nature of threats and vulnerabilities. We’ve got the latest on a penetration test that escalated from a simulated breach to real-life arrests, a $500,000 business email compromise, and the latest on a critical vulnerability affecting Juniper Networks. Plus, don’t miss how Russian hackers are targeting Signal users and the ongoing risks posed by Salt Typhoon.
At RedSeal, we protect your network by providing precise asset visibility and attack path analysis. Our solutions help you proactively manage risks, identify vulnerabilities before they turn into threats, and ensure your defense strategy stays one step ahead. Read on for the full breakdown of this week’s critical cyber news.
The pentesters’ breach was simulated — their arrest was not
Two penetration testers from Threat Spike Labs learned the hard way that miscommunication can be more dangerous than actual hacking. During a simulated breach at a corporate office in Malta, the duo successfully gained unauthorized access, stole a master key card, and retrieved sensitive data—all part of an approved security assessment.
But then, things took a turn. The general manager who authorized the test panicked and called the police, convinced that real criminals were at work. Despite waving their authorization documents like a backstage pass at a concert, the testers were arrested and hauled in for questioning. Later, Curt Hems reflected on the experience: “Penetration tests don’t always end with a report—sometimes they end with flashing lights and handcuffs.”
Lesson learned? Tell law enforcement about security tests before they happen. Ironically, the security test worked—the company’s response was swift, even if it resulted in unnecessary arrests. (Cyber Security News)
Minerals company loses $500,000 to BEC scam
NioCorp Developments, a company that operates a minerals project in southeast Nebraska focusing on the production of niobium, scandium, and titanium, has alerted regulators to a break-in that occurred on February 14. Threat actors allegedly “broke into its information systems, including portions of its email systems,” and misdirected a half-million dollars intended to be sent to a vendor. The company is taking steps to remediate the incident and to search for any additional damage. (The Register)
Microsoft working on fix for Windows 11 SSH connections bug
Following up on a story we covered last November, Microsoft is now testing a fix for an issue, present since that month, that breaks SSH connections on some Windows 11 22H2 and 23H2 systems. The fix is included in Windows 11 Build 26100 in the Release Preview Channel. When the problem first emerged in November, Microsoft said that only a limited number of devices running Windows 11 Enterprise, IoT, and Education editions were affected, but the company is now investigating whether consumer customers using Windows 11 Home or Pro editions may also be at risk. (BleepingComputer)
Credential theft puts sensitive corporate and military networks at risk
Hudson Rock has published an analysis of compromised credentials for sale on criminal marketplaces, finding hundreds of credentials belonging to US military agencies and contractors, Infosecurity Magazine reports. The credentials were likely stolen by infostealer malware delivered via social engineering. The researchers identified credentials belonging to accounts at Lockheed Martin, Boeing, and Honeywell, as well as the US Army and Navy, the FBI, and the Government Accountability Office. Some of the logs also included active session cookies that could allow attackers to bypass multifactor authentication. (infostealers)
Russian hackers tap into Signal conversations
Russian state-backed hackers are exploiting Signal’s “linked devices” feature to hijack accounts by tricking targets—often Ukrainian military personnel—into scanning malicious QR codes. Once linked, attackers can intercept messages in real time without fully compromising the victim’s device. Google researchers identified multiple threat groups using this technique, with some embedding QR codes in phishing pages disguised as military applications or security alerts. Signal has rolled out security updates to counter these threats and urges users to take extra precautions when scanning QR codes. (Bleeping Computer, The Record, The Hacker News)
FBI official provides more detail on Salt Typhoon attack
A top FBI official has painted a clearer picture of the sheer impact of the Salt Typhoon attack. Speaking at the 2025 Zero Trust Summit, FBI deputy assistant director Cynthia Kaiser emphasized the scale and indiscriminate nature of China’s data collection from major telecom providers. Officials say the breach compromised data on every group of people, including law enforcement information, call records, and even data on American children, raising concerns over its long-term impact. Kaiser asked the crowd, “Can any of you imagine a world in which China would have been stealing information about you as a 13-year-old? That’s precisely what American children are facing. And that’s going to follow them in the future.” Since the operation was exposed last year, the U.S. has sanctioned a Chinese national and a cybersecurity firm linked to it, but Salt Typhoon remains active, with ongoing attacks on global networks. (CyberScoop)
Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability
Juniper Networks has issued a critical security advisory for CVE-2025-21589, an API authentication bypass vulnerability affecting Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to gain full administrative control by injecting spoofed JWTs, bypassing authentication checks.
Attackers can exploit this flaw to modify routing policies, intercept encrypted traffic, and move laterally across networks. The vulnerability affects multiple software versions and requires network adjacency but no user interaction. Juniper discovered the issue through internal testing, with no known exploitation as of February 18, 2025. Patches are available, and cloud-managed WAN Assurance routers received automatic fixes. Organizations must apply updates immediately, audit configurations, monitor API requests, and implement network segmentation to mitigate risks. Unpatched systems pose serious threats to SD-WAN and 5G infrastructure. (Cyber Security News)
CISA warns of an actively exploited iOS vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about CVE-2025-24200, a zero-day vulnerability in Apple iOS and iPadOS, actively exploited in targeted attacks. The flaw, an authorization bypass in Apple’s USB Restricted Mode, allows attackers with physical access to disable security protections on locked devices, potentially exposing sensitive data.
Apple confirmed the exploit has been used in highly sophisticated attacks against high-value individuals, possibly by state-sponsored groups. The vulnerability affects a wide range of Apple devices, including iPhone XS and later models. Emergency patches were released on February 10, 2025, and CISA urges users to update before March 5. While no specific surveillance vendors are named, the attack methods resemble those used by firms like NSO Group. Users should update immediately and enforce physical security measures. (Cyber Security News)
Palo Alto Networks confirms a recently patched firewall vulnerability is being actively exploited
Palo Alto Networks has confirmed that CVE-2025-0108, a recently patched firewall vulnerability, is being actively exploited. The flaw, disclosed on February 12, allows unauthenticated attackers to bypass authentication and execute PHP scripts via the PAN-OS management interface. Threat intelligence firm GreyNoise detected exploit attempts starting February 13, with attacks originating from nearly 30 unique IPs. The vulnerability can be chained with CVE-2024-9474 for remote code execution, posing a serious risk to unpatched systems.
A proof-of-concept (PoC) exploit is publicly available, and researchers warn that roughly 3,500 PAN-OS management interfaces remain exposed. Palo Alto urges immediate patching, emphasizing that securing external-facing management interfaces is critical. Assetnote, which discovered the flaw, coordinated disclosure with Palo Alto, arguing transparency helps defenders track attacks rather than leaving organizations vulnerable in the dark. (Security Week)
New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now
Two security vulnerabilities have been discovered in OpenSSH that could enable man-in-the-middle (MitM) attacks and denial-of-service (DoS) attacks. The MitM vulnerability affects versions 6.8p1 to 9.9p1 when the VerifyHostKeyDNS option is enabled, letting attackers impersonate legitimate servers. The DoS vulnerability affects versions 9.5p1 to 9.9p1, leading to resource exhaustion. Both issues are fixed in OpenSSH 9.9p2, which was released Tuesday. (The Hacker News)
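The OpenSSH item above turns on two facts a defender has to check on every client host: the installed version, and whether the client configuration actually enables VerifyHostKeyDNS (it is off by default, so most hosts are only exposed to the DoS issue). The following Python is an added example written for this roundup, not code from OpenSSH or from The Hacker News; the version ranges are taken from the paragraph above, the parsing of `ssh -V` output and `ssh_config` follows OpenSSH's documented formats (first value of an option wins), and treating `ask` as "enabled" is this example's conservative assumption, since the advisory summary only says "enabled".

```python
import re

# Affected ranges as summarized in the item above (inclusive); the fix ships in 9.9p2.
MITM_AFFECTED = ((6, 8, 1), (9, 9, 1))   # exposed only when VerifyHostKeyDNS is enabled
DOS_AFFECTED = ((9, 5, 1), (9, 9, 1))
FIXED_VERSION = (9, 9, 2)

# 'OpenSSH_9.9p1, OpenSSL 3.0.13 ...' -> major 9, minor 9, portable release 1
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# One ssh_config line: keyword, then either '=' or whitespace, then the value.
_OPTION_RE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(\S+)")


def parse_openssh_version(banner: str) -> tuple:
    """Return (major, minor, portable) from `ssh -V` output or an SSH server banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no OpenSSH version string in {banner!r}")
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def verify_host_key_dns_enabled(ssh_config_text: str) -> bool:
    """True if the client config turns VerifyHostKeyDNS on.

    The option defaults to 'no', comment lines never match _OPTION_RE, and, as in
    ssh_config itself, the first occurrence of an option is the one that counts.
    'ask' is treated as enabled (assumption: the DNS lookup still happens).
    """
    for line in ssh_config_text.splitlines():
        m = _OPTION_RE.match(line)
        if m and m.group(1).lower() == "verifyhostkeydns":
            return m.group(2).lower() in ("yes", "ask")
    return False


def _within(version: tuple, affected: tuple) -> bool:
    low, high = affected
    return low <= version <= high


def assess_openssh(banner: str, ssh_config_text: str = "") -> dict:
    """Combine the installed version and the client configuration into an exposure summary."""
    version = parse_openssh_version(banner)
    dns_on = verify_host_key_dns_enabled(ssh_config_text)
    mitm = _within(version, MITM_AFFECTED) and dns_on
    dos = _within(version, DOS_AFFECTED)
    actions = []
    if mitm:
        actions.append("set VerifyHostKeyDNS no until upgraded")
    if mitm or dos:
        actions.append("upgrade to OpenSSH 9.9p2 or later")
    return {
        "version": version,
        "verify_host_key_dns": dns_on,
        "mitm_exposed": mitm,
        "dos_exposed": dos,
        "actions": actions,
    }


if __name__ == "__main__":
    # Constructed inputs; on a real host feed in `ssh -V` output and the contents of
    # ~/.ssh/config or /etc/ssh/ssh_config.
    banner = "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
    config = "Host *\n    VerifyHostKeyDNS yes\n"
    print(assess_openssh(banner, config))
```

Note that a host on 8.9p1 with VerifyHostKeyDNS left at its default is flagged for neither issue, while the same host with the option enabled is flagged for the MitM problem only; the DoS range starts at 9.5p1, so it matters for newer builds regardless of configuration.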
Hackers waste no time exploiting a SonicWall vulnerability after proof-of-concept release
Hackers are actively exploiting CVE-2024-53704, a high-severity authentication bypass in SonicWall firewalls, after a proof-of-concept (PoC) exploit was published. This vulnerability allows attackers to bypass multi-factor authentication (MFA), access private data, and disrupt VPN sessions. SonicWall released patches in January 2025, but as of February 7, around 4,500 devices remain unpatched. Arctic Wolf warns that cybercriminals often exploit firewall and VPN vulnerabilities for ransomware attacks, citing past incidents involving Akira ransomware. Organizations should immediately update SonicWall firewalls or follow mitigation steps to prevent attacks. Disabling SSLVPN is recommended if patching is not possible, as the public PoC increases the risk of exploitation. (Security Week)
Russian threat actors target Microsoft 365 accounts
Volexity and Microsoft have published separate reports warning that multiple Russian threat actors are launching spearphishing attacks designed to compromise Microsoft 365 accounts. The threat actors are impersonating individuals from the US State Department, the Ukrainian Ministry of Defense, the European Union Parliament, and prominent research institutions. Volexity attributes the campaigns to at least three different Russian groups, including CozyLarch (which overlaps with Cozy Bear). Microsoft describes attacks from a Russian threat actor the company tracks as “Storm-2372.”
Notably, the attacks involve a lesser-known technique called “device code phishing,” in which users are tricked into granting access via the Microsoft Device Code OAuth workflow. Microsoft explains, “In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.” Volexity says “this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.” (Volexity, Microsoft)
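Because the device code flow is a legitimate OAuth feature, the sign-in it produces looks valid to the identity provider; what gives it away is the protocol used and where the token was redeemed from. The Python below is an added example for this roundup, not code from Volexity or Microsoft: it runs a simple detection over constructed Microsoft Entra ID sign-in records. The `authenticationProtocol` field (value `deviceCode`) is taken from the Entra sign-in log schema; the users, IP addresses, timestamps and application names are invented sample data. Every successful device-code sign-in is flagged, and the severity is raised when the source IP has never been used by that user for an ordinary sign-in, which is what a phished token redeemed from an attacker-controlled machine tends to look like.

```python
import json
from collections import defaultdict

# Constructed Entra ID sign-in records in the JSON shape exported from the portal or
# Graph API. Field names follow the sign-in log schema; all values are invented.
SAMPLE_SIGNIN_LOGS_JSON = """
[
  {"userPrincipalName": "alice@example.org", "createdDateTime": "2025-02-18T08:02:11Z",
   "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
   "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
  {"userPrincipalName": "alice@example.org", "createdDateTime": "2025-02-18T08:30:45Z",
   "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
   "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
  {"userPrincipalName": "bob@example.org", "createdDateTime": "2025-02-18T09:15:00Z",
   "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
   "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
  {"userPrincipalName": "bob@example.org", "createdDateTime": "2025-02-18T09:41:19Z",
   "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
   "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}},
  {"userPrincipalName": "carol@example.org", "createdDateTime": "2025-02-18T10:05:02Z",
   "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
   "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 1}}
]
"""
# The last record has a nonzero (constructed) errorCode: a device code that was
# never redeemed successfully, which the detection below ignores.


def load_signin_logs(text: str) -> list:
    """Parse an exported JSON array of sign-in records."""
    return json.loads(text)


def known_ips_per_user(records: list) -> dict:
    """IPs each user has used for successful sign-ins that did NOT use the device code flow.

    This is the per-user baseline; a device-code sign-in from outside it is suspicious.
    """
    known = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            known[r["userPrincipalName"]].add(r["ipAddress"])
    return known


def find_device_code_signins(records: list) -> list:
    """Flag every successful device-code sign-in, ordered by time.

    Severity is 'high' when the source IP is unfamiliar for that user and 'medium'
    when it matches the user's ordinary sign-ins (for example, a developer using a
    CLI tool from their usual workstation).
    """
    known = known_ips_per_user(records)
    alerts = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        unfamiliar_ip = r["ipAddress"] not in known.get(user, set())
        alerts.append({
            "user": user,
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "app": r["appDisplayName"],
            "severity": "high" if unfamiliar_ip else "medium",
            "reason": ("device code sign-in from an IP this user has never signed in from"
                       if unfamiliar_ip else "device code sign-in from a known IP"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(load_signin_logs(SAMPLE_SIGNIN_LOGS_JSON)):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['user']} "
              f"from {alert['ip']} via {alert['app']}: {alert['reason']}")
```

The same first-stage filter in KQL over the Microsoft Sentinel `SigninLogs` table is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; the IP baseline is what turns that list into something an analyst can triage. On the prevention side, Entra Conditional Access can block the device code flow outright for users who have no legitimate need for it, which removes the technique rather than just detecting it.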
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.