Cyber News Roundup for March 21, 2025
In this week’s cyber news roundup, we delve into a range of critical incidents and updates. From a massive data breach impacting over 500,000 individuals at the Pennsylvania State Education Association, to the active exploitation of vulnerabilities in Fortinet and Apache Tomcat, cyber threats continue to evolve. We’ll also touch on Google’s $32 billion acquisition of Wiz, the U.S. government’s warning on cybersecurity team layoffs, and a ransomware attack in the remote island nation of Yap. Stay tuned as we break down these stories and their implications for cybersecurity. At RedSeal, we’re dedicated to helping organizations proactively manage their cyber exposure and reduce risk, ensuring that threats like these don’t catch you off guard.
A Pennsylvania union notifies over 517,000 individuals of a data breach
The Pennsylvania State Education Association (PSEA) is notifying over 517,000 individuals of a data breach from July 2024, where attackers stole personal, financial, and health data, including Social Security numbers and payment information. The Rhysida ransomware gang claimed responsibility, demanding a 20 BTC ransom. PSEA has not disclosed if it paid. Rhysida has previously attacked major institutions, including the British Library and Lurie Children’s Hospital. Affected individuals are offered free credit monitoring and urged to monitor their accounts. (Bleeping Computer)
Veeam patches backup and replication vulnerabilities
The defect, which has a CVE number and a CVSS score of 9.9, could allow for “remote code execution by authenticated domain users.” It affects numerous backup and replication versions in the 12.x range. According to cybersecurity firm watchTowr, which reported the vulnerability, it is “rooted in a broader issue within Veeam’s deserialization mechanism,” which, watchTowr says, the company has “failed to properly address.” watchTowr also points out that “while the exploitation of the new vulnerability requires for the attacker to be logged in, the authentication requirement is fairly weak.” (SecurityWeek)
Nation-state groups hit organizations with Microsoft Windows zero-day
Researchers at Trend Micro discovered and reported this eight-year-old defect to Microsoft six months ago, but no remediation or fix has arrived as of yet. The vulnerability does not yet have a CVE number, but it allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut .lnk files, also known as shell link files. According to the researchers’ report, state-sponsored groups have been exploiting the zero-day since 2017, targeting governments, think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors. (Cyberscoop and Trend Micro)
CISA confirms active exploitation of a critical Fortinet vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical Fortinet vulnerability (CVE-2025-24472) in ransomware attacks. The flaw, affecting FortiOS and FortiProxy, allows attackers to gain super-admin privileges via crafted proxy requests. Linked to the Mora_00 ransomware group, it has been exploited to deploy a new strain called SuperBlack. Additionally, CISA flagged a supply chain vulnerability (CVE-2025-30066) in the tj-actions/changed-files GitHub Action, which impacted over 23,000 organizations. Attackers modified the code, exposing CI/CD secrets in GitHub Actions logs. Organizations are urged to patch Fortinet devices (FortiOS 7.0.17, 7.2.13, 7.0.20) and ensure they’re using a secure version of the GitHub Action to prevent further exploitation. (Infosecurity Magazine)
Attackers swipe data from Pennsylvania teachers union
The Pennsylvania State Education Association (PSEA) reported to the Office of the Maine Attorney General that they suffered a breach impacting 517,487 people. The nonprofit said the attack occurred on July 6 and exposed sensitive financial and health information. Although PSEA’s disclosure didn’t explicitly mention ransomware or extortion, it did say that steps were taken to ensure the stolen data was deleted. The Rhysida ransomware gang publicly claimed responsibility for the attack back in September 2024. (The Record and Bleeping Computer)
IBM warns of critical vulnerabilities in AIX
IBM’s Advanced Interactive eXecutive (AIX) operating system rarely makes the cyber news these days. But IBM is now urging its customers to apply patches after disclosing two critical vulnerabilities (CVE-2024-56346 and CVE-2024-56347), one of which carries a maximum severity score of 10. Both flaws are caused by improper process controls and allow remote attackers to execute arbitrary commands. Third-party sources suggest around 9,000 organizations still use the OS, which is generally deployed in critical applications powering high-value industries. IBM said AIX versions 7.2 and 7.3 are both vulnerable and should be updated immediately. (The Register)
An Apache Tomcat vulnerability is under active exploitation
A critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited. The flaw, disclosed on March 10, 2025, allows attackers to gain control of servers via a simple PUT request. Exploits appeared on GitHub just 30 hours after disclosure. Attackers upload base64-encoded payloads via a PUT request, then trigger execution with a GET request using a JSESSIONID cookie. Security tools struggle to detect this due to encoded payloads and multi-step execution. Apache urges immediate updates to Tomcat 11.0.3+, 10.1.35+, or 9.0.99+. Meanwhile, organizations should disable partial PUT support and restrict sensitive file storage. (Cyber Security News)
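As an added example (not from the page or from Apache Tomcat), a check of a deployment's web.xml for the two DefaultServlet settings behind the mitigation above: readonly, which rejects PUT and DELETE, and allowPartialPut, which controls the partial PUT support the article says to disable. The two web.xml fragments are constructed; the init-param names and defaults are Tomcat's documented DefaultServlet parameters.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the page or from Tomcat's own files):
# PUT is writable (readonly=false) and partial PUT is enabled, the weak configuration.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
# Hardened variant of the same servlet: readonly=true and allowPartialPut=false.
HARDENED_WEB_XML = (WEAK_WEB_XML
    .replace("<param-name>readonly</param-name><param-value>false",
             "<param-name>readonly</param-name><param-value>true")
    .replace("<param-name>allowPartialPut</param-name><param-value>true",
             "<param-name>allowPartialPut</param-name><param-value>false"))


def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Collect the init-params of the servlet named 'default' (Tomcat's DefaultServlet)."""
    root = ET.fromstring(web_xml)
    params = {}
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        name = next(((c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name != "default":
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
    return params


def audit_default_servlet(web_xml):
    """Return findings; an empty list means PUT is rejected and partial PUT is disabled."""
    p = default_servlet_params(web_xml)
    findings = []
    # Tomcat's documented DefaultServlet defaults are readonly=true and allowPartialPut=true.
    if p.get("readonly", "true").lower() == "false":
        findings.append("readonly=false: the DefaultServlet accepts HTTP PUT and DELETE")
    # Flagged even when readonly is true, as defence in depth for the partial PUT code path.
    if p.get("allowPartialPut", "true").lower() != "false":
        findings.append("allowPartialPut is not false: PUT requests with Content-Range are honoured")
    return findings
```

An application web.xml that defines no `default` servlet inherits Tomcat's conf/web.xml, so run the check against that global file as well.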
Google acquires cybersecurity firm Wiz for $32 billion
Alphabet’s Google Cloud has acquired cloud-based cybersecurity firm Wiz for $32 billion. Wiz was founded in Israel and was valued at $16 billion in 2024 while preparing for an IPO. This more than doubles Alphabet’s acquisition of Motorola Mobility for $12.5 billion in 2012. The Financial Times’ sources say that Wiz and Alphabet have agreed to a $3.2B termination fee, which would let Wiz continue to run as an independent company if the deal falls through or is significantly delayed. (The Verge)
Google doesn’t deny receiving a secret legal order from the UK government
Google has refused to deny receiving a secret legal order from the UK government, raising concerns among U.S. lawmakers. A bipartisan group in Congress fears that British authorities may be demanding access to encrypted messages from U.S. tech companies. This follows reports that Apple received a similar order, known as a Technical Capability Notice (TCN), which it is reportedly contesting in a closed court hearing. Lawmakers criticized the secrecy surrounding these orders, arguing it hinders congressional oversight and threatens Americans’ privacy. Under the UK’s Investigatory Powers Act, companies that receive a TCN are barred from confirming it. Experts, including from Britain’s intelligence community, have called for more transparency, with academics warning that the government’s refusal to clarify the situation is unsustainable and unjustifiable. (The Record)
The White House is urging federal agencies not to lay off cybersecurity teams
The White House is urging federal agencies not to lay off cybersecurity teams as they submit budget cut plans. U.S. federal CIO Greg Barbaccia emphasized in an email that cybersecurity is national security and should be protected. The warning comes amid concerns that deep budget cuts mandated by President Trump and adviser Elon Musk could weaken national cyber defenses. Former NSA cybersecurity director Rob Joyce warned that mass layoffs would be “devastating.” The Musk-led Department of Government Efficiency (DOGE) has also drawn criticism for granting unusually broad access to sensitive government data. At the Social Security Administration, officials raised alarms about the security risks posed by DOGE. Meanwhile, the Department of Homeland Security’s CISA has already lost over 130 positions as of mid-February.
Elon Musk reportedly visited the NSA on Wednesday, meeting with leadership to discuss staff cuts and operations. The NSA, a key player in U.S. cybersecurity and home to Cyber Command, is under Musk’s scrutiny as he pushes for government downsizing. His visit signals potential changes to intelligence and cyber operations. While Musk recently called for an NSA overhaul, he hasn’t detailed specific reforms. Intelligence officials are bracing for swift changes that could impact national cybersecurity. (Reuters)
Denmark warns of Europe telecom threat
Denmark’s cybersecurity agency issued the warning in a threat assessment published last Thursday, citing “an increase in state-sponsored cyber espionage activities targeting the telecommunications sector in Europe.” Although the statement made no direct mention of Salt Typhoon’s activities in the U.S., and there has been no confirmation of Salt Typhoon activity in Europe, the Danish agency stated that “there have been several attempts at cyber espionage against the European telecommunications sector in the past few years,” and it worries that European governments may “lack the political incentives to make a public attribution even if China is identified as responsible.” (The Record)
Micronesian island suffers cyberattack
To show that nowhere on earth is safe from cybercrime, the tiny island nation of Yap has suffered a ransomware attack, forcing the shutdown of all computers in its government health agency. Yap is one of the four states of the Federated States of Micronesia (FSM) and is located in the middle of the Pacific Ocean equidistant between the Philippines and Guam. Health officials from the island announced the attack, which occurred on March 11, on Facebook, stating that health services are still continuing, but are slower due to systems having been taken offline. (Security Affairs)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.