Cyber News Roundup for March 6, 2025
In this week’s roundup, gain insight into critical developments in cybersecurity. We’ve got highlights from sectors lagging in NIS2 compliance and the urgent need for improvement. Explore how hackers are exploiting legal loopholes to avoid detection, making it harder for law enforcement to tackle cybercrime. We also cover the latest on state-sponsored cyberattacks, including charges against Chinese hackers and evolving tactics by Silk Typhoon. Stay informed with expert insights to stay ahead of these rapidly emerging threats. Let’s dive in.
Six Critical Infrastructure Sectors Failing on NIS2 Compliance
A recent report from Enisa, published on March 6, 2025, highlights that six critical infrastructure sectors—health, gas, and digital infrastructure among them—are lagging in compliance with the EU’s NIS2 directive. The health sector struggles with complex supply chains, legacy systems, and insecure medical devices, while the gas sector needs better incident readiness. Digital infrastructure, including internet exchanges and cloud services, is notably immature in its cybersecurity practices. Enisa is collaborating with EU Member States to provide guidance and improve sector maturity to meet these essential security standards. (Infosecurity)
Differing names for hackers hinder law enforcement, says security agent
According to an article in Cyberscoop, an investigator who cannot be named stated, during a speech that cannot be identified, that malicious hackers take full advantage of the lack of standardized names for their operations, since the justice system was set up long ago and is not built for the sophistication of international criminal cyber gangs. One particular problem is that the groups make use of the Public Access to Court Electronic Records (PACER) system: they use it to study affidavits and learn how investigations are opened and conducted. In addition, the agent added, “there are disincentives for law enforcement agencies and agents from different districts to work together. Everyone wants to get theirs, … everyone wants their stats, because that’s what they’re judged on.” (Cyberscoop)
U.S. charges Chinese infrastructure hackers
As quoted in BleepingComputer, “the U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.” The victims include “U.S. federal and state government agencies, foreign ministries of multiple governments in Asia, U.S.-based dissidents, as well as a prominent religious organization in the United States.” i-Soon also goes by the name Anxun Information Technology. (BleepingComputer)
Silk Typhoon evolves to exploit common IT solutions
The Chinese espionage group Silk Typhoon, also known as Hafnium, has been identified by security researchers at Microsoft Threat Intelligence as “increasingly exploiting common IT solutions, such as remote management tools and cloud applications, to gain initial access.” Silk Typhoon is one of the best-resourced and technically adept state-sponsored threat actors, targeting IT services, healthcare, government agencies and higher education institutions globally. Recent activity by the group includes “abusing stolen API keys and credentials from privilege access management (PAM) systems, cloud application providers, and cloud data management companies.” These activities allow the group to “infiltrate downstream customer environments, conduct reconnaissance and exfiltrate data related to U.S. government policy, legal processes and other areas of strategic interest.” Microsoft says the group also uses password spray attacks and scans public repositories like GitHub for leaked corporate passwords. (InfoSecurity Magazine)
Google patches 43 bugs, including two sneaky zero-days
In March 2025, Google released security updates addressing 43 vulnerabilities in Android, notably two zero-days actively exploited in targeted attacks. One, identified as CVE-2024-50302, is a high-severity information disclosure flaw in the Linux kernel’s Human Interface Device driver. This vulnerability was reportedly leveraged by Serbian authorities using an exploit chain developed by Israeli firm Cellebrite to unlock confiscated devices. The exploit chain also included a USB Video Class zero-day (CVE-2024-53104) and an ALSA USB-sound driver zero-day, discovered by Amnesty International’s Security Lab in mid-2024. Google had previously provided fixes for these vulnerabilities to OEM partners in January. (Google)
CISA flags vulnerabilities exploited in the wild
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include several critical security flaws, underscoring the importance of timely remediation to protect organizational networks.
The newly added vulnerabilities are:
- CVE-2024-4885: A critical path traversal vulnerability in Progress WhatsUp Gold, which could allow unauthenticated remote code execution.
- CVE-2023-20118: A medium-severity command injection vulnerability in Cisco Small Business RV Series Routers, enabling arbitrary command execution or authentication bypass. Notably, Cisco has stated it will not release a fix for this issue.
- CVE-2022-43769 and CVE-2022-43939: A pair of vulnerabilities affecting Hitachi Vantara Pentaho BA Server, involving special element injection and authorization bypass.
- CVE-2018-8639: An improper resource shutdown or release flaw in Microsoft Windows Win32k, which could be exploited to execute arbitrary code.
Federal agencies are mandated to address these vulnerabilities by March 24, 2025. CISA strongly recommends that all organizations, regardless of sector, prioritize the remediation of these vulnerabilities to mitigate potential exploitation risks. The CVE entries for all of these vulnerabilities are linked in our selected reading, should you need them. (SC Media)
3 VMware Zero-Day bugs allow sandbox escape
Broadcom is telling VMware customers to patch three actively exploited zero-day vulnerabilities affecting ESXi, Workstation, and Fusion. These flaws allow attackers with admin access to escape virtual machines and compromise the underlying host, which can lead to data exfiltration, malware deployment, and service disruption. CISA has added the vulnerabilities to its exploited list, requiring federal agencies to patch by March 25th. (Dark Reading)
Meet Rayhunter: a new open-source tool from EFF to detect cellular spying
The EFF launched an open-source tool called Rayhunter, designed to detect cell-site simulators (CSS), devices that mimic cell towers to track phones and potentially intercept data. Rayhunter runs on a $20 Orbic mobile hotspot and monitors control traffic to identify suspicious activity, like forced downgrades to vulnerable 2G networks. Users get alerts for anomalies and can review logs. EFF expects Rayhunter to help build defenses against CSS and inform legal efforts to regulate their use. (EFF)
Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations
The Record reports that US Defense Secretary Pete Hegseth has ordered Cyber Command to halt offensive cyber operations against Russia. The full scope of the directive is unclear, but it doesn’t include the NSA or its signals intelligence operations targeting Russia. The Washington Post cites a current US official familiar with the order as saying the pause is meant to last only as long as negotiations over the war in Ukraine continue. The Post says the operations being halted “could include exposing or disabling malware found in Russian networks before it can be used against the United States, blocking Russian hackers from servers that they may be preparing to use for their own offensive operations, or disrupting a site promoting anti-U.S. propaganda.”
The New York Times observes that “Former officials said it was common for civilian leaders to order pauses in military operations during sensitive diplomatic negotiations, to avoid derailing them. Still, for President Trump and Mr. Hegseth, the retreat from offensive cyberoperations against Russian targets represents a huge gamble. It essentially counts on Mr. Putin to reciprocate by letting up on what many call the ‘shadow war’ underway against the United States and its traditional allies in Europe.”
The Pentagon declined to comment on the report. A senior Defense official told the Record, “Due to operational security concerns, we do not comment nor discuss cyber intelligence, plans, or operations. There is no greater priority to Secretary Hegseth than the safety of the Warfighter in all operations, to include the cyber domain.” (The Record)
CISA denies claims of deprioritizing Russian threats
CISA is pushing back against reports that it has been directed to stop tracking Russian cyber threats, calling the claims “fake” and a risk to national security. This is an update to a story that first appeared over the weekend, in which The Guardian reported that a memo deprioritizing Russia was issued—an allegation that CISA and DHS officials deny, with one calling the report “garbage.” Meanwhile, The Record, The New York Times, and The Washington Post confirm that U.S. Cyber Command has been ordered to pause offensive cyber operations against Russia while negotiations over the war in Ukraine continue. Lawmakers on both sides are criticizing any shift, warning that it could weaken U.S. defenses against Russian cyber threats. (The Record), (Bleeping Computer), (CyberScoop)
Latin America’s escalating cybersecurity crisis
Cyber threats in Latin America are growing faster than anywhere else, with attacks surging 53% year-over-year and organizations facing nearly 40% more weekly incidents than the global average. Experts point to political instability, lagging cybersecurity adoption, and the rapid rise of financial tech. Some of the most impacted industries include healthcare, communications, and government, with an average of 3,000-4,000 attacks per week. These attacks are particularly affecting Brazil, where cybercriminals exploit inexperienced users and even collaborate with cartels. (Dark Reading)
CISA flags Cisco and Windows flaws
U.S. federal agencies have until the end of the month to address flaws in Cisco and Windows systems. CISA reports these flaws, CVE-2023-20118 and CVE-2018-8639, allow attackers to execute arbitrary commands and gain elevated privileges on vulnerable devices, with exploitation currently underway. While the agency has noted these flaws being actively exploited, it has not provided any specific details surrounding the malicious activity or who may be responsible. You can learn more about these specific flaws in the show notes of today’s episode. (Bleeping Computer)
Multiple local governments experience cyberattacks
New year, same problem. Several local government agencies are grappling with cyberattacks that have disrupted services, including Anne Arundel County, Maryland, which has been dealing with limited services for over a week. While major services like 911 remain operational, county officials are still investigating the incident and cannot confirm if it’s a ransomware attack. The trend continues across multiple states, with other local agencies, including the Cleveland Municipal Court and Missouri’s Department of Conservation, also affected by ongoing attacks. At this time, most of the government agencies have not provided any additional information other than they are investigating the incident. (The Record)
Malware abuses Microsoft dev tunnels for C2 communication
In a new twist, cybercriminals are exploiting Microsoft’s dev tunnels service to send data back and forth from malware-infected devices. This service, designed for developers to test apps and collaborate securely, is now being abused to help malware avoid detection. Recently, researchers found two versions of Njrat malware using Microsoft’s dev tunnels to connect to command-and-control servers. The malware communicates through hidden URLs, making it harder for traditional security systems to spot. The malware checks in with its remote servers, reporting its status, and can even spread through USB devices. Experts say that organizations not using dev tunnels should keep an eye on DNS logs for any unusual dev tunnel URLs as a way to spot potential attacks early. (SANS)
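The DNS-log check suggested above, as an added example that is not part of the original article or the SANS research: it parses constructed DNS query lines, flags lookups under the dev tunnels hostname suffix, and reports them per client, skipping any clients on an allowlist of known developer machines. The suffix `devtunnels.ms` and the log line format are assumptions; adjust both to your resolver’s output and to the hostnames your developers legitimately use.

```python
import re
from collections import defaultdict

# Assumption: public dev tunnel hostnames end in this suffix. Extend the
# tuple if your environment sees other tunnel-related domains.
DEV_TUNNEL_SUFFIXES = ("devtunnels.ms",)

# Constructed sample DNS log (not real traffic). Assumed line format:
# "<timestamp> <client_ip> <query_type> <qname>"
SAMPLE_DNS_LOG = """\
2025-03-05T10:01:02Z 10.0.0.15 A login.microsoftonline.com
2025-03-05T10:01:05Z 10.0.0.15 A abcd1234-8080.euw.devtunnels.ms
2025-03-05T10:02:11Z 10.0.0.22 A update.example-vendor.com
2025-03-05T10:03:40Z 10.0.0.15 A abcd1234-8080.euw.devtunnels.ms
2025-03-05T10:04:01Z 10.0.0.31 A wxyz9876.devtunnels.ms
2025-03-05T10:04:02Z 10.0.0.31 A notdevtunnels.ms.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_dev_tunnel_host(qname):
    """True when qname equals, or is a subdomain of, a dev tunnel suffix.
    The leading dot prevents look-alikes such as fakedevtunnels.ms."""
    host = qname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in DEV_TUNNEL_SUFFIXES)


def find_dev_tunnel_queries(log_text, allowed_clients=frozenset()):
    """Return {client_ip: {qname: count}} for dev tunnel lookups made by
    clients that are not on the allowlist of known developer hosts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the scan
        _ts, client, _qtype, qname = m.groups()
        if client in allowed_clients:
            continue
        if is_dev_tunnel_host(qname):
            hits[client][qname.rstrip(".").lower()] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_dev_tunnel_queries(SAMPLE_DNS_LOG).items():
        for qname, count in names.items():
            print(f"{client} queried {qname} {count}x")
```

A repeated lookup of the same tunnel hostname from a non-developer host is the pattern worth alerting on; a single query from a known developer workstation is expected noise.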
JavaGhost uses compromised AWS environments to launch phishing campaigns
Palo Alto Networks’ Unit 42 warns that the JavaGhost threat actor is compromising misconfigured AWS environments and using them to launch phishing campaigns. The group gains entry to the AWS environments via exposed long-term access keys. Once they’ve gained access, the attackers use the victim’s Amazon Simple Email Service (SES) and WorkMail services to send out phishing emails. Since the emails are sent from a legitimate source, they’re more likely to bypass security filters. To defend against these attacks, Unit 42 recommends that AWS users limit administrative rights, rotate IAM credentials regularly, use short-term or just-in-time access tokens, and enable multi-factor authentication. (PaloAlto)
Philippine army suffers cyberattack
The Philippine Army confirmed a cyberattack after a local hacking group claimed to have breached its systems and accessed confidential documents. Army spokesperson Col. Louie Dema-ala described it as an “illegal access attempt” that was swiftly contained, with no detected data theft or damage. However, digital security group Deep Web Konek reported that hacker group Exodus Security claimed responsibility, alleging it had compromised 10,000 records of active and retired service members. The leaked data reportedly includes personal, military, and financial details, though its authenticity and exact volume remain unverified. Authorities continue to investigate the breach. (The Record)
Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.