Cyber News Roundup for February 7, 2025

As cyber threats continue to evolve, this week’s roundup highlights several urgent vulnerabilities and incidents making headlines. From CISA’s warning on a critical Linux kernel flaw to growing concerns about SVG file-based phishing attacks, we explore the latest risks impacting organizations across sectors.

Staying ahead of emerging threats is crucial—especially with increasing exploitation of unpatched vulnerabilities. Read on for the latest updates, including cybersecurity guidelines, new malware variants, and trends in ransomware payments.


CISA directs federal agencies to patch a high-severity Linux kernel flaw

CISA has ordered U.S. federal agencies to patch a high-severity Linux kernel flaw (CVE-2024-53104) within three weeks due to active exploitation. The vulnerability, found in the USB Video Class (UVC) driver, enables privilege escalation on unpatched devices. Google patched it for Android users, warning of limited, targeted attacks. Security experts believe forensic tools may be exploiting this flaw. CISA also flagged critical vulnerabilities in Microsoft .NET and Apache OFBiz, and urged manufacturers to improve network forensic visibility to aid cyber defense. (BleepingComputer)


Cybercriminals exploit SVG files in phishing attacks

Researchers at Sophos say cybercriminals are exploiting Scalable Vector Graphics files in phishing attacks to bypass email security filters. SVG files, unlike typical image formats, can contain embedded links and scripts that direct victims to phishing sites. Attackers disguise these files as legal documents, voicemails, or invoices, using familiar brands like DocuSign and Microsoft SharePoint. Once opened, the file redirects users to fraudulent login pages that steal credentials. Some attacks also deliver malware or leverage CAPTCHA gates to evade detection. Researchers identified evolving tactics, including localized phishing pages and embedded keystroke loggers. Security experts recommend setting SVG files to open in Notepad instead of a browser and carefully checking URLs for legitimacy. Sophos suggests organizations should update email security solutions to detect malicious SVG attachments and prevent credential theft. (Sophos)
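A minimal attachment scanner for the SVG behaviours described above (embedded scripts, event handlers and outbound links), added here as an example and not taken from the Sophos report; the two sample SVGs and the `.invalid` domain are constructed.

```python
import re
from xml.etree import ElementTree as ET

# Elements and attributes that let an SVG behave like a web page instead of an image.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)   # onclick, onload, ...
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
REDIRECT_SCHEMES = ("http://", "https://", "javascript:", "data:")

def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(svg_bytes: bytes) -> list[str]:
    """Return phishing-relevant findings for an SVG attachment (empty list = clean).

    A parse failure is itself reported as a finding: a filter should not wave
    through what it cannot parse. For untrusted input at scale, parse with
    defusedxml instead of xml.etree to protect the scanner from entity expansion.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            if name in {"href", "src"} and value.strip().lower().startswith(REDIRECT_SCHEMES):
                findings.append(f"outbound or script link on <{tag}>: {value[:60]}")
    return findings

# Constructed samples: a plain icon and a "voicemail" lure that redirects to a fake login page.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <text x="10" y="20" onclick="alert(1)">Open voicemail</text>
  <a xlink:href="https://login-example.invalid/sign-in"><rect width="100" height="30"/></a>
  <script>window.location = "https://login-example.invalid/sign-in";</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(sample) or "clean")
```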


Cisco patches multiple vulnerabilities

Cisco has released patches for multiple vulnerabilities, including two critical flaws in its Identity Services Engine (ISE). Tracked as CVE-2025-20124 and CVE-2025-20125, these bugs could allow authenticated attackers to execute arbitrary commands and tamper with device configurations. Patches are available in ISE versions 3.1P10, 3.2P7, and 3.3P4, with no workarounds. Additionally, Cisco warned of high-severity SNMP vulnerabilities in IOS, IOS XE, and IOS XR, which could cause denial-of-service (DoS) attacks. Patches are expected by March. Medium-severity flaws affecting various Cisco products were also addressed. No active exploits have been reported. (SecurityWeek)


Five Eyes agencies issue security guidance for network edge devices

Cybersecurity agencies from Australia, Canada, New Zealand, the UK, and the US have shared security guidance for producers of network devices and appliances. The guidance, produced by the UK’s National Cyber Security Centre (NCSC), “outlines expectations for the minimum requirement for forensic visibility, to help network defenders secure organisational networks both before and after a compromise.” The guidance includes requirements for secure logging and data collection. The advisory notes, “Devices and appliances should support near-real-time log transfer using a standards-based protocol, protected using transport layer security (TLS) encryption in a recognised secure configuration. Log formats should be fully documented to allow third-party platforms and tools to ingest them and be machine readable using a standardised format.” (NCSC)


Critical RCE bug in Microsoft Outlook now exploited in attacks

CISA is warning federal agencies in the U.S. to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability. The vulnerability, discovered by researchers at Check Point and assigned a CVE identifier, is caused by “improper input validation when opening emails with malicious links using vulnerable Outlook versions.” As a result, attackers can gain remote code execution because “the flaw lets them bypass the Protected View (which should block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.” Yesterday (Thursday) CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, meaning that federal agencies must secure their networks by February 27. (BleepingComputer)


Spain arrests hacker of U.S. and Spanish military agencies

Spanish police arrested a suspect for allegedly conducting 40 cyberattacks targeting critical organizations and universities. The police said the suspect accessed internal data and personal information of employees and customers and used BreachForums to sell and leak the data. Among the leaks listed as most successfully sold were data from NATO, the U.S. military, and Spain’s Guardia Civil and Ministry of Defence. During a raid of the suspect’s residence, police found and seized multiple computers, electronic devices, and 50 cryptocurrency accounts. The hacker could face a maximum sentence of 20 years in prison under Spanish law. (BleepingComputer)


Ransomware payments decreased 35% year-over-year

According to a new report from Chainalysis, ransomware attackers racked up $813.55 million in victim payments in 2024, a 35% decrease from 2023’s record-setting $1.25 billion. The drop is attributed to increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay. The report highlighted ransomware gang disruptions including the LockBit takedown in February 2024 and BlackCat’s apparent ‘exit scam’ following its attack on Change Healthcare. While LockBit has rebranded and made a comeback, payments to the group fell by around 79% in H2 2024 compared to H1. Chainalysis observed many attackers shifting tactics, introducing new ransomware strains and moving faster in ransom negotiations, which often begin within hours of data exfiltration. (Chainalysis and Infosecurity Magazine)


North Korean threat actors drop new variants of the FERRET malware family

SentinelOne is tracking several new variants of macOS malware attributed to North Korean threat actors. Apple, which tracks the malware family as “FERRET,” last week pushed a signature update to its built-in antivirus tool XProtect to block three new variants of the malware. SentinelOne also discovered a variant dubbed “FlexibleFerret” which is still undetected by XProtect.


The FERRET malware family was identified in December 2024 as part of a North Korean campaign targeting job seekers. SentinelOne says the threat actors are currently attempting to spread the malware by opening fake issues on legitimate developers’ repositories. (SentinelOne, Palo Alto)


Abandoned cloud infrastructure creates major security risks

Researchers at watchTowr have published a report on the security risks posed by abandoned cloud infrastructure. The researchers focused on AWS S3 buckets, but noted that the same issues can apply to any cloud storage provider.


watchTowr discovered and took control of 150 neglected Amazon S3 buckets—some of which had once been used by governments, Fortune 500 companies, cybersecurity firms, and major open-source projects—that were still being pinged by organizations worldwide for software updates, system configurations, and critical files. One of the buckets was owned by the US Cybersecurity and Infrastructure Security Agency (CISA), which the researchers note “is an incredible example of how this challenge is ubiquitous and not limited to only the unenlightened.” The report stresses that a threat actor could have abused these assets to launch devastating supply chain attacks.


The buckets discovered by watchTowr have since been sinkholed. An AWS spokesperson told CyberScoop in response to the research, “[T]he issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications,” adding that customers should follow best practices, including “using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets.” (watchTowr, CyberScoop)


Meta says it may stop development of AI systems it deems too risky

Meta CEO Mark Zuckerberg has pledged to make artificial general intelligence (AGI) openly available, but Meta’s new Frontier AI Framework outlines scenarios where it may withhold highly capable AI systems due to safety concerns. Meta classifies such systems as “high risk” or “critical risk,” based on their potential to aid in cybersecurity breaches or biological attacks, with critical-risk systems posing catastrophic, unmitigable threats. The framework, guided by expert input rather than strict empirical tests, reflects Meta’s attempt to balance openness with security, especially amid criticism of its open AI strategy. (TechCrunch)


Google describes APTs using Gemini AI

Researchers at Google’s Threat Intelligence Group say they have detected government-linked APT groups that are using Gemini primarily for what they call “productivity gains” rather than to develop new AI-enabled cyberattacks. As an example, Google says, Gemini can help them shorten the preparation period in “coding tasks for developing tools and scripts, research on publicly disclosed vulnerabilities…finding details on target organizations, and searching for methods to evade detection, escalate privileges, or run internal reconnaissance in a compromised network.” Google has identified APT groups from more than 20 countries that are using Gemini this way, with the top four being Iran, China, North Korea and Russia. (BleepingComputer)

Two regional healthcare systems report data breaches

Connecticut’s Community Health Center Inc. and California’s NorthBay Healthcare Corporation have both filed notifications regarding breaches that occurred last year and exposed large troves of patient data. Community Health Center, “which runs dozens of facilities and clinics across Connecticut, said just over one million current and former patients had data stolen during a cyberattack discovered on January 2.” The NorthBay attack, which occurred between January and April of last year and was claimed by the Embargo group in April, impacted just over half a million people through theft of health-related data. (The Record)


Exploited vulnerabilities up significantly from previous year

The number of exploited vulnerabilities surged in 2024, with 768 CVEs actively targeted, a 20% increase from the year before. Nearly a quarter of these were weaponized on or before their public disclosure. Chinese threat actors remain a major player, with 15 groups linked to exploiting top vulnerabilities, including Log4j. These security shortcomings are linked to the exploitation of products from Citrix, Cisco, Zoho, and Microsoft, to name a few. (The Hacker News)


First U.S. state to declare ban on DeepSeek

Texas is the first state to take a public stand against Chinese AI company DeepSeek and social media app Xiaohongshu (RedNote), banning the apps from state-issued devices. Governor Greg Abbott cited security concerns and the threat of data harvesting as the reasons for the ban. Meanwhile, across the pond, Italy’s Data Protection Authority has also blocked DeepSeek’s chatbot service and demanded details on its data collection practices amid mounting privacy concerns, even as the company denies operating in Italy. (Security Affairs)


Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.