Cyber News Roundup for March 14, 2025
The growing speed of cybercriminal attacks is moving faster than ever. In this week’s roundup, we cover critical cybersecurity updates, including vulnerabilities in the popular ESP32 Bluetooth chip and a new House bill requiring federal contractors to implement vulnerability disclosure policies. Plus, we discuss the cyberattack impacting X, a breach in the U.S. electric grid by Chinese hackers, and the latest zero-day vulnerabilities. Stay informed with these important cybersecurity developments.
Undocumented commands found in Bluetooth chip used in popular Wi-Fi and Bluetooth devices
As described in BleepingComputer, “the ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023, contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.” Researchers from Tarlogic Security, speaking at RootedCON in Madrid, point out that ESP32 is “one of the world’s most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.” (BleepingComputer)
House bill requires federal contractors to implement vulnerability disclosure policies
The bill is named the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, and it “instructs the Office of Management and Budget (OMB) to consult with CISA, the Office of the National Cyber Director, NIST, and other relevant departments, and require federal contractors to have a VDP that is consistent with NIST guidelines.” The same is required of the Defense Department. A letter signed by representatives of proponents of the bill, including HackerOne, Bugcrowd, Microsoft, Infoblox, Rapid7, Trend Micro, Tenable, and Schneider Electric, states that “contractors, given the vast amount of sensitive data they handle, are prime targets for cyber threats. As a result, the bill ensures all companies contracting with the federal government adhere to security best practices.” (Security Week)
Cybercriminals sped up their attacks last year
Two security companies, CrowdStrike and ReliaQuest, are reporting separately that “in the past year ransomware groups achieved lateral movement within an average of 48 minutes after gaining initial access to targeted environments,” with the fastest breakout time recorded being 51 seconds. This is an improvement – for the threat actors – from 2023 when the average breakout time for interactive cybercrime intrusions was 62 minutes. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, in making his company’s announcement, added, “not only are these adversaries using different techniques, different capabilities, they’re doing it faster, and they’re iterating faster than many of the enterprises that they’re targeting.” (Cyberscoop)
Cyber attack allegedly behind X outages
Elon Musk blamed multiple X outages on Monday on a “massive cyberattack,” while hacking group Dark Storm Team claimed responsibility. According to Downdetector, reports of outages spiked throughout the morning, with peaks at 6 a.m., 10 a.m., and 11:30 a.m. ET, impacting tens of thousands of users. Newsweek and other outlets report that Dark Storm Team, a pro-Palestinian hacking group known for targeting NATO countries and Israel, took credit for the attack via Telegram. While Musk suggested a large, coordinated group or nation-state may be involved, X is still dealing with intermittent issues as of this recording. (ZDNet)
CISA warns of critical Ivanti and VeraCore vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three critical Ivanti Endpoint Manager (EPM) vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) to its Known Exploited Vulnerabilities (KEV) catalog. These path traversal flaws (CVSS 9.8) allow unauthenticated attackers to leak sensitive information remotely. CISA also flagged two VeraCore vulnerabilities: CVE-2024-57968 (CVSS 9.9), an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. The agency urges all organizations to patch these issues immediately to prevent cyberattacks. Ivanti software has faced multiple exploitations in 2025, with previous Connect Secure and Cloud Service Appliance vulnerabilities actively targeted by threat actors. (Infosecurity Magazine)
Researchers report increased activity from the SideWinder APT group
Researchers at Securelist report increased activity from the SideWinder APT group in 2024, with enhanced malware, expanded targets, and global reach. Traditionally focused on military and government entities, the group now targets maritime, logistics, and nuclear sectors across South Asia, Southeast Asia, the Middle East, and Africa. Using spear-phishing emails, SideWinder exploits the CVE-2017-11882 vulnerability to deploy StealerBot, a post-exploitation toolkit. Their malware, disguised as legitimate DLL files, includes advanced evasion techniques like Control Flow Flattening. SideWinder rapidly adapts, modifying malware within five hours of detection. Their continued reliance on old vulnerabilities underscores the importance of patching outdated systems to defend against sophisticated threats targeting critical infrastructure worldwide. (Cyber Security News)
Ballista Botnet hits TP-Link devices
A new report from the Cato CTRL team details how threat actors exploit a high-severity command injection vulnerability to execute code on TP-Link Archer AX21 routers, ultimately to deploy the botnet. This flaw isn’t new; the first evidence of exploitation dates back to April 2023. The researchers saw the Ballista campaign using the flaw in January 2025. The attackers use a shell script to execute a malware binary across various system architectures, which opens the door to remote code execution or a denial of service. The researchers noted the malware can erase itself once execution begins, covering its tracks while spreading to other routers. Newer Ballista variants use TOR network domains rather than hardcoded IP addresses, indicating it’s under active development. Research by Censys found that Ballista infected over 6,000 devices across Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. (The Hacker News)
Apple issues emergency updates for a zero-day WebKit vulnerability
Apple has issued emergency security updates to patch CVE-2025-24201, a zero-day WebKit vulnerability actively exploited in targeted attacks. The flaw, an out-of-bounds write issue, allows malicious web content to escape the Web Content sandbox, potentially enabling unauthorized actions. The update affects iOS, iPadOS, macOS, Safari, visionOS, and tvOS. Apple warns that the vulnerability was used in sophisticated attacks on older iOS versions. This is Apple’s third zero-day fix in 2025, following similar patches in January and February. Users should update immediately to mitigate risks, as Apple has not disclosed attacker details or targets. (Cyber Security News)
Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days
Microsoft released patches for 57 security flaws, including 6 actively exploited zero-days affecting Windows Kernel, NTFS, FAT File System, and Microsoft Management Console. Exploits involve use-after-free, integer overflow, and heap-based buffer overflow, with PipeMagic malware used in targeted attacks. Threat actors can chain vulnerabilities to execute remote code via malicious VHD files. The U.S. Cybersecurity and Infrastructure Security Agency – or CISA – has ordered federal agencies to apply fixes by April 1, 2025. (The Hacker News)
China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
Security firm Dragos published a case study revealing that the Chinese hacker group Volt Typhoon infiltrated the U.S. electric grid through a breach at Littleton Electric Light and Water Departments (LELWD) in Massachusetts. The hackers had access to the utility’s network for over 300 days, collecting sensitive operational technology (OT) data, including information on energy grid operations. This data could be used for future targeted attacks. Volt Typhoon, linked to the Chinese government, has been previously associated with espionage and attacks on U.S. critical infrastructure. (Security Week)
In Memoriam: Mark Klein, AT&T Whistleblower Who Revealed NSA Mass Spying
Mark Klein, the former AT&T technician who exposed a secret NSA surveillance program, has died. Klein revealed that the NSA had installed a secret room at AT&T’s San Francisco office, where internet data was copied and routed to the government. In 2006, he brought over 100 pages of evidence to the Electronic Frontier Foundation, which led to lawsuits against the NSA and increased public awareness of mass surveillance. Despite threats from AT&T, Klein stood by his claims, inspiring reforms and greater scrutiny of government spying. (EFF)
A UK hospital finds thousands of unwelcome guests on their network
Our device inventory desk tells us that the Princess Alexandra Hospital in the UK recently discovered that PlayStations, coffee machines, and even passing electric cars were connecting to its network. Deputy director of ICT Jeffery Wood admitted, “Our attack surface was much bigger than we thought,” after finding 5,000–10,000 unknown devices lurking in their system. This alarming revelation came during a trial of a cyber exposure platform, part of a broader tech modernization effort.
With no dedicated cybersecurity team, the hospital’s infrastructure staff handles security, integrating automated tools, XDR, and AI-driven protections. Network segmentation has even freed the marketing team to use Apple devices—previously banned. However, zero-trust security remains a distant dream. Deputy Director Wood says the hospital is embracing a “one NHS” partnership model rather than siloed vendor relationships, but warns: “This isn’t just cyber risk. This is risk. Attacks could harm our patients.”
Nothing like a cybersecurity audit to find out your MRI machine shares a network with someone’s PS5. (Computing)
Medusa ransomware continues to attack infrastructure
In a joint alert released March 12, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning that as of February of this year, “Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing.” The group, which is unrelated to MedusaLocker, engages in double extortion and uses phishing and unpatched vulnerabilities for initial access. The group’s practices include “disabling security software, terminating processes related to backups, security, data sharing, and communication, and erasing shadow copies to prevent file recovery.” A link to the alert is available in the show notes to this episode. (Security Week and CISA)
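The three behaviours quoted from the alert (disabling security software, killing backup processes, erasing shadow copies) are all visible in process-creation telemetry. Below is an added example, not from the alert or the vendors cited, of a small detector run over constructed Windows process-creation events; the process and service names in the patterns are illustrative assumptions, and real rules would be tuned to the tooling in your environment.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not taken from the CISA/FBI alert):
# (host, parent process, command line).
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"),
    ("WS01", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "cmd.exe", "wmic shadowcopy delete"),
    ("SRV02", "powershell.exe", "taskkill /F /IM veeam.backup.service.exe"),
    ("SRV02", "cmd.exe", 'net stop "Windows Defender Advanced Threat Protection Service"'),
    ("SRV02", "services.exe", "vssadmin.exe list shadows"),  # benign: listing, not deleting
]

# One rule per behaviour named in the alert. Product names are illustrative, not exhaustive.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "backup_process_kill": re.compile(
        r"\btaskkill(\.exe)?\b.*\b(veeam|backup|acronis|sql)", re.I),
    "security_service_stop": re.compile(
        r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b.*\b(defender|sense|sophos|mcafee|sentinel)", re.I),
}

def match_event(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def detect(events):
    """Return (host, rule, cmdline) for each event that matches at least one rule."""
    hits = []
    for host, _parent, cmdline in events:
        for rule in match_event(cmdline):
            hits.append((host, rule, cmdline))
    return hits

def hosts_by_severity(events):
    """Group hits per host. Two or more distinct behaviours on one host is rated
    'high' (the alert describes them being used together), a single one 'medium'."""
    per_host = defaultdict(set)
    for host, rule, _ in detect(events):
        per_host[host].add(rule)
    return {h: ("high" if len(r) >= 2 else "medium") for h, r in per_host.items()}

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(hosts_by_severity(SAMPLE_EVENTS))
```

Per-host correlation is what makes this useful: a lone `vssadmin list shadows` is routine admin work and is ignored, while deletion plus a backup-process kill on the same host is the combination the alert describes.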
DoJ seeks to break up Google
As posted in The Cyberwire, “on Friday, the Department of Justice (DOJ) submitted a request that would aim to break up Google by forcing the company to sell Chrome. In its filing, the DOJ stated that Google’s illegal conduct has created an economic goliath, one that wreaks havoc over the marketplace to ensure that no matter what occurs, Google always wins.” These filings follow a 2023 antitrust case in which “Google was found guilty of monopolistic practices regarding the company’s search engine services,” as well as a second antitrust lawsuit from 2024 that is “examining whether the company has also engaged in monopolistic behaviors related to its advertising business.” The ruling, expected this summer, “has the potential to significantly impact how Google operates, how users interact with its services, and the overall landscape of the search engine business.” (The Cyberwire)
Chinese spy group exploits Juniper Networks routers
Researchers at Mandiant are warning of a state-backed espionage group operating out of China, UNC3886, targeting routers made by Juniper Networks. This is a group we reported on in June 2023, when they were exploiting a VMware ESXi zero-day. In this latest report Mandiant says the group was involved in a project to deploy custom backdoors on Junos OS routers and that the group’s focus is “mainly on defense, technology, and telecommunication organizations located in the U.S. and Asia.” They pointed out that the affected routers were running end-of-life hardware and software, but also that the malware deployed on the Juniper routers “demonstrates that UNC3886 has in-depth knowledge of advanced system internals.” (The Record)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.