Cyber News Roundup for January 17, 2025

This week’s cybersecurity news covers everything from high-profile investigations to critical vulnerabilities, shedding light on ongoing global threats and evolving defenses. From a major Chinese telecom investigation to a surge in cybersecurity enrollment for critical infrastructure, the landscape remains dynamic. Plus, stay informed about the ongoing debate surrounding the potential TikTok ban and its national security implications. Here’s a closer look at this week’s top stories:

 

US government investigates China-founded telecoms hardware firm 

Reuters reports that the US Commerce Department and the FBI are investigating potential security risks posed by Baicells Technologies, a Chinese telecom hardware company with a Wisconsin-based North American operation. Baicells has provided routers and base stations for commercial mobile networks across every US state. The company was founded in China by senior Huawei veterans in 2014, opening its US operation in 2015. The US Federal Communications Commission (FCC) is advising the Commerce Department in its investigation. The focus of the FBI’s probe is unclear. The FBI and the Commerce Department both declined to comment on the reported investigations. Baicells’ chairman told Reuters that the company will cooperate with any US government inquiries, noting, “Baicells does not believe there are any security risks associated with its radio products.” (Reuters)

 

President Biden signs cybersecurity-focused executive order 

President Biden this morning signed an executive order aimed at improving Federal cybersecurity defenses, the Washington Post reports. Anne Neuberger, deputy national security adviser for cyber and emerging threats at the White House, said in a press briefing that this is the Biden Administration’s “capstone” cyber order, which is “designed to put the country on a path to defensible networks across the government and private sector.” The 53-page EO includes measures for “[i]mproving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector.” The EO calls out China specifically, stating that “the People’s Republic of China [presents] the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks.” The order also gives the government greater authority to use sanctions against ransomware actors. While the Trump administration could decide to reverse the EO, Neuberger said she believes the incoming administration will keep many of the order’s objectives in place. Neuberger stated, “Our feeling is that securing the nation in cyberspace and making it harder for ransomware hackers are pretty nonpartisan goals. We wanted to put the incoming administration on the best foot forward as they did for us.” (White House)

 

US healthcare sector saw 585 breaches in 2024 

That figure comes from an analysis by Security Week, pulling from the US Department of Health and Human Services Office for Civil Rights healthcare breach database. These attacks impacted roughly 180 million user records. The Change Healthcare breach accounted for approximately 100 million. 75% of attacks targeted healthcare providers, with 17% impacting healthcare business associates. “Hacking/IT incident,” which includes ransomware, was cited as the cause in most attacks, with unauthorized access a distant second. Healthcare organizations in Texas saw the most incidents last year, with 56. (Security Week)

 

Researchers uncover vulnerabilities in Windows 11 allowing attackers to bypass protections and execute code at the kernel level 

Researchers from HN Security uncovered vulnerabilities in Windows 11’s Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) that allow attackers to bypass these protections and execute code at the kernel level. VBS uses hardware virtualization to isolate security-critical memory from the rest of the OS, while HVCI prevents unauthorized drivers from loading. The exploit chain turns an arbitrary pointer dereference vulnerability into a kernel read/write primitive, enabling attackers to manipulate kernel memory and carry out data-only attacks without triggering security mechanisms.

The techniques allow privilege escalation, disabling of Endpoint Detection and Response (EDR), and manipulation of Protected Process Light (PPL) features. These vulnerabilities affect Windows 11 (21H2 and later) and Windows Server 2016–2022 across x86, x64, and ARM64 systems. While Microsoft has addressed some kernel vulnerabilities, others remain exploitable. Researchers emphasize the importance of layered security beyond built-in OS features, as sophisticated attackers can still bypass advanced protections. (Cyber Security News)

 

FBI deletes Chinese malware from over 4,200 computers 

The US Justice Department has announced a multi-month operation that deleted Chinese PlugX malware from more than 4,200 computers in the United States. The Justice Department says the Chinese government paid the Mustang Panda threat actor to develop this strain of PlugX. The threat actor then used the malware to compromise “thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups.” Mustang Panda has been using the PlugX malware since at least 2014.

The Justice Department explains, “The international operation was led by French law enforcement and Sekoia.io, a France-based private cybersecurity company, which had identified and reported on the capability to send commands to delete the PlugX version from infected devices. Working with these partners, the FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise impact the legitimate functions of, or collect content information from, infected computers. In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers. The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks.” The FBI is working with internet service providers to notify owners of computers affected by the operation. (DOJ)

 

TikTok could possibly stay alive after Sunday’s upcoming ban 

“Americans shouldn’t expect to see TikTok suddenly banned on Sunday,” said an administration official. Officials aim to implement the law without immediately shutting down the app, deferring the issue to Donald Trump’s incoming administration. Trump has said he wants to preserve its use, and his pick for attorney general, Pam Bondi, did not say she would enforce the ban when asked about it at her Senate confirmation hearing. The ban, part of a national security law, requires ByteDance, TikTok’s Chinese parent company, to divest ownership. Legal challenges cite free speech concerns. During his first term, Trump tried to implement a TikTok ban, but during his 2024 Presidential campaign he vowed to “save TikTok.” (NBC News)

 

DJI will no longer block US users from flying drones in restricted areas 

DJI announced in a blog post it’s removed geofencing restrictions in the U.S., letting users fly drones in previously restricted areas like airports, nuclear plants, and wildfires, though its app will still issue warnings. The company argues the responsibility should lie with the drone operators, citing tools like Remote ID for enforcement, though concerns remain about safety, especially after a sub-250-gram DJI drone damaged a firefighting plane in Los Angeles. Critics, including DJI’s former policy head, argue the decision undermines aviation safety, shifting all accountability to users. (Engadget)

 

Researchers identify a “mass exploitation campaign” targeting Fortinet firewalls 

Arctic Wolf warns that an attack campaign is likely exploiting an unknown zero-day to compromise internet-exposed Fortinet FortiGate firewall devices. The researchers state, “In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations.

In compromised environments, threat actors were observed extracting credentials using DCSync. While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected.” Arctic Wolf says organizations “should urgently disable firewall management access on public interfaces as soon as possible.” The researchers notified Fortinet of the attacks last month, and the company confirmed that “the activity was known and under investigation.” (ArcticWolf)
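The Arctic Wolf item above notes that the intruders extracted credentials with DCSync, which works by asking a domain controller to replicate directory data. The following is an added example, not Arctic Wolf’s or Fortinet’s code, of how a defender flags that on the Windows side: it scans Security event 4662 records for the directory-replication extended rights being exercised by a principal that is not a domain controller or a known sync account. It assumes the events have already been parsed into dicts using the field names Windows renders (SubjectUserName, AccessMask, Properties); the sample events and the allowlist are constructed for the example.

```python
"""Flag likely DCSync activity in Windows Security event 4662 records.

Added example, not Arctic Wolf's or Fortinet's code. Assumptions: events
arrive as dicts keyed by the 4662 field names Windows renders; the
allowlist of accounts that legitimately replicate (DC computer accounts,
a directory-sync service account) and the sample events are constructed.
"""
from dataclasses import dataclass, field

# Extended-rights GUIDs that grant directory replication. A non-DC
# principal exercising these is the classic DCSync signature.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended right)

# Constructed allowlist: DC computer accounts plus a directory-sync account.
ALLOWLIST = {"DC01$", "DC02$", "svc_dirsync"}


@dataclass
class Finding:
    subject: str
    time: str
    rights: list = field(default_factory=list)


def _ev(event_id, subject, mask, properties, time):
    """Build one constructed 4662-style record (not a real log line)."""
    return {"EventID": event_id, "SubjectUserName": subject, "SubjectDomainName": "CORP",
            "AccessMask": mask, "Properties": properties, "TimeCreated": time}


REPL_PROPS = ("%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}")

SAMPLE_EVENTS = [
    _ev(4662, "DC02$", "0x100", REPL_PROPS, "2024-12-03T02:10:01Z"),        # DC replicating: expected
    _ev(4662, "svc_dirsync", "0x100", REPL_PROPS, "2024-12-03T02:15:00Z"),  # allowlisted sync account
    _ev(4662, "jsmith", "0x100", REPL_PROPS, "2024-12-03T02:41:37Z"),       # user pulling replication: alert
    _ev(4662, "jsmith", "0x100", "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}", "2024-12-03T02:42:00Z"),
    _ev(4624, "jsmith", "0x0", "", "2024-12-03T02:40:59Z"),                  # unrelated logon event
]


def replication_rights(properties: str) -> list:
    """Names of replication rights whose GUIDs appear in the Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync(event: dict) -> bool:
    """4662 + Control Access + a replication right + a non-allowlisted subject."""
    if event.get("EventID") != 4662:
        return False
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    if not replication_rights(event.get("Properties", "")):
        return False
    return event.get("SubjectUserName", "") not in ALLOWLIST


def detect_dcsync(events) -> list:
    return [Finding(ev["SubjectUserName"], ev["TimeCreated"], replication_rights(ev["Properties"]))
            for ev in events if is_dcsync(ev)]


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f"{f.time} possible DCSync by {f.subject}: {', '.join(f.rights)}")
```

Auditing for 4662 on the domain object must be enabled for these events to exist at all, and the allowlist should be generated from the actual DC computer accounts rather than maintained by hand; a DC name that changes silently turns into a false positive, while a compromised sync account on the allowlist turns into a miss.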

 

Baltic Sea cable cuts can’t be accidents, says EU tech chief 

Henna Virkkunen, the European Union’s new digital chief, whose formal title is the European Commission’s executive vice president for technological sovereignty, security and democracy, has told Bloomberg News that incidents damaging undersea data and power cables are happening too frequently to be purely accidental. As leaders from the Baltic region prepare to gather for a NATO summit devoted to the topic, she echoed the sentiment of Lithuanian President Gitanas Nauseda, who said “there is a very high probability that those are deliberate actions of hostile countries.” Last week we reported on the tanker Eagle S, whose anchor has been recovered from the seabed by Finnish authorities. This ship and others are believed to be part of a Russian shadow fleet that transports Russian petroleum products despite sanctions and other restrictions. (Yahoo News, quoting Bloomberg)

 

CISA warns of second BeyondTrust vulnerability 

CISA is “urging federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) enterprise solutions, based on evidence of active exploitation.” The new flaw, which has been assigned a CVE identifier, is described as a medium-severity command injection issue discovered during the investigation into the U.S. Department of the Treasury incident disclosed on December 31 and attributed to the Chinese threat actor Silk Typhoon. It “can be exploited by an attacker with existing administrative privileges to upload a malicious file.” The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies until February 3 to patch it. (Security Week)

 

Draft of second cybersecurity EO on President Biden’s desk 

According to Cyberscoop, which obtained a copy of the draft executive order, it ranges from cyber defenses in space to the U.S. federal bureaucracy and its contractors, and “addresses security risks embedded in subjects like cybercrime, artificial intelligence and quantum computers.” The document is a follow-up to the order published in the first year of the Biden presidency, and gives agencies 53 deadlines ranging from 30 days to three years. (Cyberscoop)

 

Juniper Networks releases security updates for Junos OS 

Juniper Networks started 2025 by releasing security updates for Junos OS, addressing dozens of vulnerabilities, including several high-severity flaws. These include CVE-2025-21598, an out-of-bounds read bug in the routing protocol daemon (RPD) that can cause denial-of-service (DoS) via malformed BGP packets, and CVE-2025-21599, a kernel memory exhaustion flaw triggered by malformed IPv6 packets. Fixes were also issued for high-severity OpenSSH vulnerabilities and critical flaws in third-party components like Expat. No exploits have been reported, but users are urged to apply patches promptly. (SecurityWeek)

 

Ransomware campaign abuses AWS encryption service to encrypt S3 buckets

Researchers at Halcyon warn that a new ransomware campaign is abusing AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attacks don’t exploit any AWS vulnerabilities; the threat actors simply use stolen or publicly disclosed AWS keys that carry permission to read and write S3 objects. The attacker then generates a local encryption key and re-encrypts the victim’s data with it, so AWS never holds the key. Halcyon notes, “AWS CloudTrail logs only an HMAC of the encryption key, which is insufficient for recovery or forensic analysis.” In the cases observed by Halcyon, the attackers mark the encrypted files for deletion in seven days and place a ransom note with a Bitcoin address in the affected directory.

AWS provided the following statement in response to Halcyon’s findings: “AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment. We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post.” (Halcyon, AWS)
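Because the campaign above uses only legitimate API calls, the defender’s handle is the audit trail and a preventive policy rather than a vulnerability fix. The code below is an added example, not Halcyon’s or AWS’s code: it scans CloudTrail S3 data events for write operations that used a customer-provided key, groups them by principal so a bulk re-encryption stands out, and builds the bucket policy that refuses SSE-C writes outright. It assumes S3 data events expose the encryption mode as additionalEventData.SSEApplied (with the value SSE_C) and echo the customer-key MD5 header in requestParameters; the sample events, account ID, principals, bucket name and MD5 values are constructed placeholders.

```python
"""Detect SSE-C object writes in CloudTrail S3 data events and emit a
bucket policy that blocks them.

Added example, not Halcyon's or AWS's code. Assumptions: S3 data events
carry additionalEventData.SSEApplied == "SSE_C" for customer-provided
keys and echo the key-MD5 header in requestParameters; every event,
account ID, principal, bucket and MD5 value below is constructed.
"""
import json
from collections import Counter

WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
SSEC_ALGORITHM_KEY = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def _event(name, user, key, sse, md5=None):
    """Build one constructed CloudTrail S3 data-event record (not a real log)."""
    params = {"bucketName": "example-backups", "key": key}
    if sse == "SSE_C":
        params[SSEC_ALGORITHM_KEY] = "AES256"
        params[SSEC_KEY_MD5] = md5
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "eventTime": "2025-01-10T03:12:44Z",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": params,
        "additionalEventData": {"SSEApplied": sse},
    }


SAMPLE_EVENTS = [
    _event("PutObject", "app-backup", "db/2025-01-09.dump", "SSE_KMS"),  # normal KMS write
    _event("GetObject", "analyst", "db/2025-01-09.dump", "SSE_KMS"),     # read: not in scope
    _event("PutObject", "ci-deploy", "db/2025-01-09.dump", "SSE_C", "PLACEHOLDER_MD5_1"),
    _event("CopyObject", "ci-deploy", "db/2025-01-08.dump", "SSE_C", "PLACEHOLDER_MD5_1"),
    _event("PutObject", "ci-deploy", "reports/q4.xlsx", "SSE_C", "PLACEHOLDER_MD5_1"),
    _event("PutObject", "analyst", "scratch/test.bin", "SSE_C", "PLACEHOLDER_MD5_2"),
]


def is_ssec_write(event: dict) -> bool:
    """True when a write-class S3 event used a customer-provided key."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in WRITE_EVENTS:
        return False
    sse = event.get("additionalEventData", {}).get("SSEApplied")
    params = event.get("requestParameters", {})
    # Accept either signal: the SSEApplied summary or the raw header echo.
    return sse == "SSE_C" or SSEC_ALGORITHM_KEY in params


def find_ssec_writes(events):
    """(principal_arn, bucket, key, key_md5) for each SSE-C write. The MD5
    echo cannot recover the key, but it groups objects encrypted with the
    same key, which is useful scoping during an incident."""
    out = []
    for ev in events:
        if is_ssec_write(ev):
            p = ev["requestParameters"]
            out.append((ev["userIdentity"]["arn"], p.get("bucketName"), p.get("key"), p.get(SSEC_KEY_MD5)))
    return out


def principals_over_threshold(findings, threshold=3):
    """Principals with at least `threshold` SSE-C writes: legitimate SSE-C use
    is rare and confined to known workloads, so a burst is worth paging on."""
    counts = Counter(arn for arn, *_ in findings)
    return {arn: n for arn, n in counts.items() if n >= threshold}


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy refusing any PutObject that carries the SSE-C header.
    The condition key is present (Null == "false") exactly when the caller
    supplies its own key, so the statement denies only SSE-C writes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    hits = find_ssec_writes(SAMPLE_EVENTS)
    for arn, bucket, key, md5 in hits:
        print(f"SSE-C write by {arn} -> s3://{bucket}/{key} (key MD5 {md5})")
    print("bulk SSE-C principals:", principals_over_threshold(hits))
    print(json.dumps(deny_ssec_policy("example-backups"), indent=2))
```

The detection only works if S3 data events are actually enabled for the buckets in question; management events alone never show object writes. The deny policy belongs on every bucket that has no business receiving customer-key encryption, and the same condition can be placed in a service control policy to cover an entire organization.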

 

Telefonica breach exposes internal data and employee credentials 

Telco giant Telefonica suffered a massive breach in which hackers from the Hellcat ransomware group stole over 236,000 lines of customer data, 469,000 lines of internal Jira ticketing data, and 24,000 employee emails. The group used infostealer malware to compromise the credentials of 15 employees, including two with administrative privileges, resulting in an estimated 2.3GB of stolen data. One cybersecurity vendor had called such a breach “imminent,” noting that 531 employee computers were infected by infostealers last year. (Dark Reading), (Infosecurity Magazine)

 

Nominet confirms breach using Ivanti zero-day 

Nominet, the .UK domain registry managing over 11 million domains, has confirmed a breach exploiting an Ivanti VPN zero-day vulnerability (CVE-2025-0282). According to a statement to Bleeping Computer, “the entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely.” While no data theft or backdoors have been identified, Nominet is the first organization to publicly confirm an attack using this specific vulnerability. (The Register), (Bleeping Computer)

 

New version of the Banshee macOS stealer 

Researchers at Check Point are tracking a new version of Banshee, a strain of macOS malware designed to steal browser credentials, cryptocurrency wallets, passwords, and other sensitive data. The new version of Banshee surfaced in late September 2024, using a string encryption algorithm taken from Apple’s XProtect antivirus engine that allowed it to evade detection for more than two months. Banshee’s malware-as-a-service operation shut down after its source code was leaked in November 2024, but Check Point notes that multiple phishing campaigns are still distributing the malware. (Checkpoint)

 

Suspected Chinese threat actor exploits Ivanti Connect Secure vulnerability 

Mandiant has published an analysis of the ongoing exploitation of a recently disclosed vulnerability (CVE-2025-0282) affecting Ivanti Connect Secure VPNs. The vulnerability, which received a patch on Wednesday, is a stack-based buffer overflow that allows unauthenticated remote code execution.

Mandiant attributes the exploitation to the China-aligned espionage actor UNC5221. The researchers write, “In at least one of the appliances undergoing analysis, Mandiant observed the deployment of the previously observed SPAWN ecosystem of malware (which includes the SPAWNANT installer, SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor). The deployment of the SPAWN ecosystem of malware following the targeting of Ivanti Secure Connect appliances has been attributed to UNC5337, a cluster of activity assessed with moderate confidence to be part of UNC5221. … Mandiant has also identified previously unobserved malware families from additional compromised appliances, tracked as DRYHOOK and PHASEJAM that are currently not yet linked to a known group.”

Mandiant concludes that “defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access.” (Mandiant)

 

CISA sees enrollment surge in cyber hygiene for critical infrastructure 

A report released by CISA on Friday says that after analyzing “7,791 critical infrastructure organizations enrolled in the agency’s vulnerability scanning service from Aug. 1, 2022, through Aug. 31, 2024,” there were “significant increases in enrollment in the agency’s Cyber Hygiene (CyHy) service enrollment,” a program that helps organizations reduce their exposure to threats through proactive monitoring and attack mitigation plans. Organizations from communications, emergency services, critical manufacturing, and water and wastewater systems registered in large numbers. As a result, CISA says, it has found improvements across its six cybersecurity performance goals: mitigating known vulnerabilities, eliminating exploitable services on the internet, using strong and agile encryption, limiting OT connections to the public internet, deploying a security.txt file, and email security. (Cyberscoop)

 
