Cyber News Roundup for January 31, 2025

This week’s roundup brings a mix of critical security warnings and notable cyber incidents affecting healthcare, tech, and infrastructure sectors. From the CISA and FDA’s alert about a backdoor vulnerability in patient monitors to ransomware attacks disrupting operations at key institutions, the cybersecurity landscape is as volatile as ever. We also highlight how threat actors are increasingly exploiting public-facing applications and how DARPA is pushing the envelope with self-healing firmware. Keep reading for the latest threats, strategic updates, and industry shifts shaping the cyber world.

CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts regarding critical vulnerabilities in Contec CMS8000 and Epsimed MN-120 patient monitors. The primary concern, identified as CVE-2025-0626 with a CVSS v4 score of 7.7, involves the devices sending remote access requests to a hard-coded IP address, bypassing existing network settings. This backdoor could allow malicious actors to upload and overwrite files on the device. Additionally, CVE-2024-12248 (CVSS v4 score: 9.3) is an out-of-bounds write vulnerability that could enable remote code execution, and CVE-2025-0683 (CVSS v4 score: 8.2) is a privacy leakage issue causing plain-text patient data to be transmitted to a hard-coded public IP address. Currently, there are no patches available for these vulnerabilities. CISA recommends that organizations disconnect and remove the affected devices from their networks and monitor for any unusual device behavior. As of now, there have been no reported incidents, injuries, or deaths related to these vulnerabilities. (The Hacker News)
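CISA's advice to watch for unusual device behavior can be turned into a concrete egress check on the monitor network. The following Python is an added example, not code from CISA, the FDA or Contec: it reads constructed flow records and flags any host in an assumed patient-monitor subnet that talks to anything other than its allowlisted central station, ranking a direct-to-internet destination highest. The subnet, the station address and the 198.51.100.23 destination are constructed placeholders, not the advisory's hard-coded IP.

```python
import ipaddress
import re

# Assumed layout (constructed): bedside monitors sit in 10.20.5.0/24 and are
# expected to talk only to the central monitoring station at 10.20.1.5.
MONITOR_SUBNET = ipaddress.ip_network("10.20.5.0/24")
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.20.1.5")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall/NetFlow-style records. 198.51.100.23 is a documentation-
# range placeholder standing in for an unknown public address, not the real
# hard-coded IP from the advisory.
SAMPLE_FLOWS = """\
2025-01-30T10:01:02Z src=10.20.5.11 dst=10.20.1.5 dport=8080 proto=tcp
2025-01-30T10:01:07Z src=10.20.5.11 dst=198.51.100.23 dport=8080 proto=tcp
2025-01-30T10:01:09Z src=10.20.5.12 dst=10.20.1.5 dport=8080 proto=tcp
2025-01-30T10:01:15Z src=10.20.5.12 dst=10.20.7.40 dport=445 proto=tcp
2025-01-30T10:01:20Z src=10.30.0.8 dst=198.51.100.23 dport=443 proto=tcp
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def is_rfc1918(addr):
    """True for private (RFC 1918) space; anything else is treated as 'internet'."""
    return any(addr in net for net in RFC1918)

def classify_flow(line):
    """None for expected traffic, else a (severity, reason, record) tuple."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if src not in MONITOR_SUBNET or dst in ALLOWED_DESTINATIONS:
        return None                     # out of scope, or the one permitted peer
    if not is_rfc1918(dst):
        # A bedside monitor reaching the internet on its own is the hard-coded
        # callback pattern the advisory describes: highest severity.
        return ("high", "monitor contacted public address", line.strip())
    return ("medium", "monitor contacted non-allowlisted internal host", line.strip())

def audit_flows(text):
    """Return the findings for every record in a block of flow text."""
    return [f for f in (classify_flow(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for severity, reason, record in audit_flows(SAMPLE_FLOWS):
        print(f"[{severity}] {reason}: {record}")
```

The same check runs unchanged over real firewall exports once the record format, subnet and allowlist are replaced with the site's own values.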

Threat Actors Target Public-Facing Apps for Initial Access

Threat actors are increasingly using public-facing applications as an initial attack vector to infiltrate networks. Researchers have observed a rise in cybercriminals exploiting vulnerabilities in government websites and other public apps to conduct phishing attacks, credential harvesting, and malware distribution. By leveraging open redirects and other weaknesses, attackers can bypass secure email gateways and other security measures, making their phishing attempts more effective and harder to detect. This trend underscores the importance of securing public-sector applications, implementing stricter access controls, and continuously monitoring for potential exploitation by malicious actors. (Infosecurity Magazine)

New York Blood Center suffers ransomware attack

New York Blood Center Enterprises, one of the largest independent blood centers in the U.S., serving over 75 million people, discovered suspicious activity on its IT systems on Sunday; third-party cybersecurity experts later confirmed it as a ransomware incident. This has forced officials and staff to reschedule blood drives and implement other workarounds. No ransomware gang has yet taken credit for the attack, and the blood center itself says it is still accepting blood donations. (The Record and New York Blood Center Enterprises)

CISA’s future unclear under new administration

At the conclusion of the second week of the new administration, there has been no one named to lead the Cybersecurity and Infrastructure Security Agency, also known as CISA, and “there are no plans for anyone in its leadership to address the annual gathering of the nation’s secretaries of state, which begins Thursday in Washington.” Homeland Security Secretary Kristi Noem had stated prior to her confirmation that the agency had strayed “far off mission.” A conservative blueprint for the Republican administration “recommended that CISA be moved to the Transportation Department and focused solely on protecting government networks and coordinating the security of critical infrastructure.” (Security Week)

DARPA seeks to create firmware that can respond to and recover from cyberattacks

Red-C is a new project from the Defense Advanced Research Projects Agency that seeks to give networks the ability to repair themselves after a cyberattack. As described in Cyberscoop, “the forensic sensors in your device’s firmware spring to life. They begin healing your network, restoring locked files, and communicating with other systems to collect forensic data. The firmware then analyzes the data to identify how the attackers entered and exploited system weaknesses, then blocks those vulnerabilities to prevent future breaches through the same entry points.” The project “seeks to build new defenses into bus-based computer systems, which are firmware-level systems used in everything from personal computers to weapons systems to vehicles.” A more complete description of the project is available in the show notes to this episode. (Cyberscoop)

Tenable acquiring Israel’s Vulcan Cyber in $150 million deal

Tenable, a Nasdaq-listed cybersecurity company valued at $5.3 billion, is acquiring Israeli cybersecurity firm Vulcan Cyber for approximately $150 million, with the deal expected to close in Q1 of this year. The acquisition aims to enhance Tenable’s security exposure management platform by integrating Vulcan Cyber’s capabilities, unifying security visibility and risk mitigation. Vulcan Cyber was founded in 2018, has raised $55 million, and employs 100 people, though it is unclear how many will remain post-acquisition. (CalCalistech)

Chinese and Iranian Hackers Are Using U.S. AI Products to Bolster Cyberattacks

Hackers linked to China, Iran, Russia, and North Korea are using AI, including Google’s Gemini chatbot, to enhance cyberattacks, according to U.S. officials and Google security research. These groups utilize AI for tasks like writing malicious code, identifying vulnerabilities, and researching targets rather than developing advanced hacking techniques. Meanwhile, China’s DeepSeek AI has raised global concerns about Beijing’s progress in the AI arms race, adding uncertainty to the technology’s impact on security and warfare. (Wall Street Journal)

North Koreans clone open-source projects to plant backdoors, steal credentials

North Korea’s Lazarus Group carried out a large-scale supply chain attack, dubbed Phantom Circuit, compromising hundreds of victims by embedding backdoors in cloned open-source software, according to SecurityScorecard’s latest report. The campaign began in late 2024 and targeted cryptocurrency developers and tech professionals by distributing malware-laced repositories on platforms like GitLab. Stolen data included credentials, authentication tokens, and system information, with the attackers using obfuscation techniques and VPNs. (The Register)

Oasis Security Research Team Discovers Microsoft Azure MFA Bypass

Oasis Security discovered a critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) that allowed attackers to bypass it and gain unauthorized access to Office 365 accounts, including Outlook, OneDrive, and Azure. The flaw exploited session creation and TOTP code tolerance, enabling attackers to brute-force MFA codes undetected within 70 minutes. Oasis reported the issue to Microsoft, which implemented a stricter rate limit, permanently fixing the vulnerability by October 2024. The research highlights the importance of strong MFA implementations and improved alerting mechanisms for failed second-factor attempts. (Cloud Security Alliance)
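The two weaknesses named above, a generous code-tolerance window and a failure budget that fresh sessions could sidestep, correspond directly to settings in a TOTP verifier. The following Python is an added example (not Oasis Security's or Microsoft's code) of an RFC 6238 verifier that counts failures per account rather than per session and locks the account out, plus a helper that sizes the attempt budget against the tolerance window; the per-account counting is this example's assumption about the fix, and the secret, user name and timestamp are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step in seconds
DIGITS = 6

def totp(secret, t, step=STEP, digits=DIGITS):
    """Plain RFC 6238 TOTP (HMAC-SHA1) for the time step containing t."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class TotpVerifier:
    """Server-side check. `window` is the number of 30 s steps accepted on either
    side of 'now' (the code tolerance); `max_failures` wrong guesses lock the
    account for `lock_seconds`. Failures are counted per account, not per
    session, so opening fresh sessions does not reset the budget (assumed fix)."""

    def __init__(self, window=1, max_failures=5, lock_seconds=300):
        self.window, self.max_failures, self.lock_seconds = window, max_failures, lock_seconds
        self.failures, self.locked_until = {}, {}

    def verify(self, user, secret, code, now):
        if now < self.locked_until.get(user, 0):
            return "locked"
        for k in range(-self.window, self.window + 1):
            if hmac.compare_digest(code, totp(secret, now + k * STEP)):
                self.failures[user] = 0   # production code should also refuse replay of this code
                return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = 0
            return "locked"
        return "bad"

def attempt_budget(window, max_risk, digits=DIGITS):
    """Largest number of guesses a rate limit may allow within one code lifetime
    while keeping a pure-guessing attacker's success chance at or below max_risk:
    each guess matches one of 2*window+1 accepted codes out of 10**digits."""
    return int(max_risk * 10 ** digits / (2 * window + 1))

if __name__ == "__main__":
    secret, now = b"constructed-demo-secret", 1_700_000_000          # constructed values
    v = TotpVerifier(window=1, max_failures=5)
    print(v.verify("alice", secret, totp(secret, now), now))          # ok
    print([v.verify("alice", secret, "12345", now) for _ in range(5)])  # bad x4, then locked
    print(attempt_budget(window=1, max_risk=0.001), attempt_budget(window=5, max_risk=0.001))  # 333 90
```

Widening the tolerance window cuts the safe attempt budget proportionally, which is why tolerance and rate limiting have to be tuned together rather than separately.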

A large-scale phishing campaign exploits users’ trust in PDF files and the USPS

A large-scale phishing campaign exploits users’ trust in PDF files and the USPS to steal credentials and sensitive data, according to Zimperium researchers. Attackers send SMS messages with malicious PDFs mimicking USPS communications, embedding hidden phishing links to bypass security tools. Victims are directed to fake USPS sites, where they provide personal and payment information under the guise of resolving delivery issues.

Zimperium found over 20 malicious PDFs and 630 phishing pages targeting users across 50 countries. This tactic leverages the assumption that PDFs are safe, exploiting their widespread use in business. Attackers also impersonate other delivery services like UPS and FedEx. Experts warn that inadequate mobile security and limited visibility into file contents make such campaigns effective. (Security Boulevard)

Apple patches a zero-day affecting many of its products

Apple has patched CVE-2025-24085, a zero-day vulnerability exploited in the wild that affects iPhones, iPads, Macs, and other devices. The flaw, a use-after-free issue in the CoreMedia component, could allow rogue apps to elevate privileges and gain system control. While details of the exploitation remain sparse, Apple confirmed it targeted older iOS versions before iOS 17.2. The fix is available in updates for iOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3. Affected devices include iPhone XS and later, various iPad models, Apple Vision Pro, and Apple Watch Series 6 or newer. Additional vulnerabilities patched include issues allowing unauthorized code execution via AirPlay, privilege escalation, and Safari address bar spoofing. Users are strongly advised to update to protect against potential exploits targeting unpatched devices. (The Register)

CISA issues a critical warning about an actively exploited SonicWall vulnerability

CISA has issued a critical warning about CVE-2025-23006, a vulnerability in SonicWall SMA 1000 appliances that allows remote attackers to execute commands without authentication. With a CVSS score of 9.8, this flaw, exploited in the wild, impacts versions 12.4.3-02804 and earlier. SonicWall has released a hotfix (version 12.4.3-02854) to address the issue and advises immediate updates. Organizations unable to patch should restrict AMC and CMC access to trusted IPs. The flaw’s exploitation risks full system compromise, emphasizing urgent mitigation. (Cyber Security News)

Most ransomware victims shut down operations

A new report from the Ponemon Institute found that 58% of organizations hit by ransomware last year were forced to shut down operations as part of their recovery process, up from 45% of victims in 2021. The report also found that the share of organizations reporting significant revenue loss due to an attack rose from 22% to 40% over the same span, while the share experiencing brand damage jumped from 21% to 35%. While those metrics are trending in the wrong direction, the report also found that the average time to recover from ransomware decreased 30% to 132 hours, while the average recovery cost fell 13%. 51% of respondents paid a ransom, and of those paying victims, 32% said attackers demanded further payment. (Infosecurity Magazine)

PowerSchool starts notifying victims

The education SaaS giant disclosed a cyberattack earlier this month but at the time only alerted impacted school districts. Now, the company has begun notifying affected individuals in the US and Canada whose personal data was stolen, including past and current students, parents, and guardians. We know the breach impacted 6,505 school districts, but the exact number of affected individuals and a detailed breach report have not been released. PowerSchool did notify Maine’s Attorney General’s office that 33,488 people were affected in that state. (Bleeping Computer)

Chinese AI app DeepSeek rattles US tech stocks

US tech stocks dropped sharply today due to investor worries over the popularity of Chinese AI app DeepSeek, the Washington Post reports. The Nasdaq index lost nearly 4 percent this morning, with US chipmaker Nvidia dropping 12 percent. DeepSeek was founded in 2023 and released its mobile app earlier this month. It’s since overtaken ChatGPT as the top free app in Apple’s App Store. (Reuters notes that the app is currently experiencing outages, which the company has attributed to “a large-scale malicious attack.”) The company’s open-source LLM “DeepSeek-R1” is comparable to OpenAI’s “o1” LLM, but is up to 95% more affordable, according to VentureBeat. The company claims to have trained the model for just $5.6 million. The US government has banned the sale of high-end GPUs to China in an attempt to curb the country’s AI development. Bloomberg notes, “While it remains unclear how much advanced AI-training hardware DeepSeek has had access to, the company’s demonstrated enough to suggest the trade restrictions have not been entirely effective in stymieing China’s progress.” (Washington Post, Reuters, VentureBeat, Yahoo)

Stealthy backdoor targets Juniper routers

Lumen Technologies’ Black Lotus Labs has published a report on a backdoor campaign dubbed “J-Magic” targeting enterprise-grade Juniper routers. The researchers haven’t determined the initial access technique, but they note that “once in place [the backdoor] installs the agent – a variant of cd00r – which passively scans for five different predefined parameters before activating. If any of these parameters or ‘magic packets’ are received, the agent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software.” The campaign was active from mid-2023 until at least mid-2024, targeting organizations in the semiconductor, energy, manufacturing, and IT sectors. (Lumen)

Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.