Cyber News Roundup for March 28, 2025
This week’s cyber news roundup highlights key incidents, including the exposure of over 150 U.S. government database servers, shifting cybersecurity responsibilities to states, and the risk to DNA records following 23andMe’s bankruptcy. We also cover the abuse of Microsoft’s Trust Signing service for malware and a China-linked APT that remained hidden in a telecom network for years.
Stay tuned for more on these evolving threats. At RedSeal, we help organizations manage cyber exposure proactively to stay ahead of these risks.
Over 150 government database servers are dangerously exposed to the internet
A recent investigation has revealed a major cybersecurity threat to U.S. government data. Over 150 government database servers—used by agencies like the Departments of Agriculture, Education, and Energy—are exposed to the internet, violating basic security protocols. These databases, hosted on Microsoft’s Azure Gov Cloud, have open ports vulnerable to brute-force attacks and known exploits. The report highlights over 655 unauthorized access attempts and more than 200 real-time data replications, suggesting serious flaws in authentication and data protection. Analysts believe the exposure stems from a rushed federal data centralization effort. Experts are calling for urgent action, including Congressional hearings and audits, to address what could become a catastrophic breach.
The White House is shifting cybersecurity responsibilities from federal agencies to states and local governments. A new executive order from President Trump introduces a National Resilience Strategy, aiming to give local entities more control over defending infrastructure and elections from cyber threats. This move follows cuts to federal cybersecurity teams and programs, leaving states without vital support like vulnerability alerts and free risk assessments. Experts warn this decentralization could lead to fragmented defenses, especially as many states lack the resources and intelligence centers to fill the gap. Cybersecurity professionals say the burden will hit underfunded sectors like schools and small municipalities hardest. Critics argue the shift, combined with federal workforce reductions, undermines national security and leaves states to manage growing cyber risks largely on their own. (GB Hackers)
Web service outage in Russia due to reported Cloudflare block
The outages were observed Thursday across numerous Russian regions, affecting platforms including “TikTok, Steam, Twitch, Epic Games, Duolingo and major Russian mobile operators.” Also impacted were banking and government services, and messaging apps such as Telegram and WhatsApp. Industry experts suggest the cause of the outage was the Russian government’s blocking of U.S.-based Cloudflare. Russian internet regulator Roskomnadzor recommended that local organizations switch to Russian hosting providers. (The Record)
Microsoft Trust Signing service abused to code-sign malware
Researchers at BleepingComputer and elsewhere are observing more instances of threat actors using the Microsoft Trusted Signing service to “sign their malware with short-lived, three-day code-signing certificates.” Code-signing certificates make malware appear legitimate, potentially bypassing security filters that block unsigned executables. Extended Validation (EV) certificates are particularly sought after by threat actors because of the increased trust they confer from cybersecurity programs and their ability to help bypass alerts in SmartScreen. A cybersecurity researcher and developer with the wonderful name of Squiblydoo told BleepingComputer that they believe threat actors are switching to Microsoft’s service out of convenience, especially given that recent changes to EV certificates are causing confusion for users – something threat actors are taking advantage of. (BleepingComputer)
FCC alleges Chinese telecom companies are making ‘end run’ around bans
The Federal Communications Commission’s newly created Council on National Security will conduct a “sweeping investigation of Chinese-made equipment in America’s telecommunications infrastructure,” according to an announcement made on Friday. The focus will be on Chinese companies like Huawei, ZTE, and others, who have been banned from doing business with U.S. companies, but who allegedly continue to exploit loopholes or simply massively underbid other competitors when dealing with smaller U.S. telecommunications providers. (Cyberscoop)
23andMe bankruptcy puts millions of DNA records at risk
23andMe filed for bankruptcy on Monday, and many are asking what is going to happen to all of that personal information. Some have raised major concerns that its vast database of genetic data could be sold off to the highest bidder. While the company insists privacy protections will remain intact, court documents make it clear that all assets—including customer DNA records—are on the table. California’s Attorney General issued a release ahead of the announcement urging users to delete their data immediately, warning that, unlike passwords, genetic information is permanent. Instructions on how to delete that data can be found in today’s show notes. (The Record), (CyberScoop), (California Attorney General Release)
China-linked APT hid in telecom network for years
China-linked APT group Weaver Ant spent over four years inside an Asian telecom provider’s network, using compromised Zyxel routers to hide traffic and infrastructure. Researchers at Sygnia uncovered the intrusion, which relied on web shell tunneling—linking multiple web shells like China Chopper and the custom-built INMemory to move laterally and maintain persistence. The group exfiltrated credentials, access logs, and network configurations while evading detection through encryption, SMB lateral movement, and disabling security logs. (Dark Reading), (Sygnia), (Bleeping Computer)
NIST struggles to keep up
The National Institute of Standards and Technology (NIST) is struggling to clear a growing backlog of CVEs in the National Vulnerability Database (NVD), with a 32% increase in submissions last year exacerbating the issue. Despite maintaining processing rates, the backlog continues to grow, and NIST anticipates even higher submission volumes in 2025. The delays are impacting organizations’ ability to access timely vulnerability data, creating a gap between reported issues and actionable intelligence despite efforts to increase staff. (Security Week)
A Pennsylvania union notifies over 517,000 individuals of a data breach
The Pennsylvania State Education Association (PSEA) is notifying over 517,000 individuals of a data breach from July 2024, where attackers stole personal, financial, and health data, including Social Security numbers and payment information. The Rhysida ransomware gang claimed responsibility, demanding a 20 BTC ransom. PSEA has not disclosed if it paid. Rhysida has previously attacked major institutions, including the British Library and Lurie Children’s Hospital. Affected individuals are offered free credit monitoring and urged to monitor their accounts. (Bleeping Computer)
Veeam patches backup and replication vulnerabilities
The defect, which has a CVE number and a CVSS score of 9.9, could allow for “remote code execution by authenticated domain users.” It affects numerous backup and replication versions in the 12.x range. According to cybersecurity firm watchTowr, which reported the vulnerability, it is “rooted in a broader issue within Veeam’s deserialization mechanism,” which, watchTowr says, the company has “failed to properly address.” watchTowr also points out that “while the exploitation of the new vulnerability requires for the attacker to be logged in, the authentication requirement is fairly weak.” (SecurityWeek)
Nation-state groups hit organizations with Microsoft Windows zero-day
Researchers at Trend Micro “discovered and reported this particular eight-year-old defect to Microsoft six months ago, but no remediations or fixes have arrived as of yet.” The vulnerability does not yet have a CVE number, but it “allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut .lnk files, also known as shell link files.” According to the researchers’ report, a link to which is included in the show notes, state-sponsored groups have been exploiting the zero-day since 2017, targeting governments, think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors. (Cyberscoop and Trend Micro)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.