Cybersec Feeds Overview, Feb 17 - Feb 23, 2025 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

TLDR Summary #

⚠️ Vulnerabilities

• Microsoft Power Pages vulnerability (CVE‑2025‑24989, CVSS 8.2) that allows improper access control – now listed in CISA’s KEV catalog.
• Palo Alto Networks PAN‑OS File Read vulnerability (CVE‑2025‑0111) exploited to gain unauthorized access.
• Craft CMS Code Injection vulnerability (CVE‑2025‑23209) that permits remote code execution through manipulated inputs.
• OpenSSH vulnerabilities (CVE‑2025‑26465 and CVE‑2025‑26466) exposing systems to man‑in‑the‑middle attacks and denial‐of‑service, with additional issues observed in Juniper Networks’ devices.
• Multiple vulnerabilities in the NVIDIA CUDA Toolkit (including CVE‑2024‑53870 to CVE‑2024‑53878) affecting tools used for analyzing CUDA binary (cubin) files.

💥 Incidents

• Bybit cryptocurrency exchange suffered a breach resulting in over $1.4 billion in ETH being stolen from an offline (cold) wallet.
• Health Net Federal Services and its parent Centene Corporation reached an $11+ million settlement over alleged cybersecurity lapses in fulfilling defense contract obligations.
• Warby Parker was fined approximately $1.5 million by the U.S. Department of Health and Human Services after a credential stuffing attack compromised customer health data.
• A data breach at DM Clinical Research exposed over 1.6 million medical survey records containing personal health information.
• Ransomware attacks by the Ghost (Cring) ransomware group have impacted organizations in more than 70 countries.

📈 Emerging threats

• The Ghost ransomware (also known as Cring, Crypt3r, etc.) continues to exploit known, long‑patched vulnerabilities on internet‑facing servers for financial gain.
• ACRStealer malware is emerging by leveraging legitimate Google Docs communications as its command‑and‑control channel to exfiltrate credentials.
• New infostealer variants such as FrigidStealer are targeting macOS (as well as Windows and Android) via fake browser update prompts.
• The Darcula 3.0 phishing kit now automatically generates counterfeit websites for any brand, signaling increased automation in phishing campaigns.
• Jailbreaking techniques against large language models are exposing vulnerabilities in popular generative AI web products.

📋 Regulatory and policy updates

• In response to a reported legal order, Apple has removed its Advanced Data Protection (ADP) feature for new iCloud users in the U.K., raising significant privacy concerns.
• The SEC has rebranded its cryptocurrency unit to focus on combatting cyber‑related misconduct and emerging technology threats.
• Ongoing legal discussions and guidelines under GDPR and CCPA empower individuals to sue companies for data misuse and privacy violations.
• Broader policy debates and evolving regulatory frameworks continue to shape cybersecurity and AI deployment standards.

🛠️ Security Operations

• Rapid7 and Intezer have introduced AI‑powered SIEM features and predictive vulnerability scoring methods to improve incident response and reduce human triage costs.
• Metasploit Framework has been updated with new exploit modules and improved fetch payload support for multiple architectures (including PPC, MIPS, and ARM).
• Tools such as txt2stix have advanced to incorporate AI‑based extraction of indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) for effective threat analysis.

🥳 Wins

• Cisco’s research into Salt Typhoon exploits has provided clear patch recommendations and improved detection measures, reinforcing effective remediation practices.
• Microsoft successfully patched its Power Pages zero‑day and continues to secure its services
• Advancements in AI‑driven SIEM and SOC technologies have begun to lower operational costs and improve threat detection efficiency across organizations.

Gov Feeds #

• The Ghost ransomware group, also known as Cring, is exploiting well-known CVEs to target outdated internet-facing services in organizations across multiple sectors globally, including critical infrastructure and healthcare. CISA and partners have released relevant indicators of compromise and tactics, techniques, and procedures (CISA and Partners Release Advisory on Ghost (Cring) Ransomware, #StopRansomware: Ghost (Cring) Ransomware).

• CISA has identified several industrial control systems vulnerabilities affecting products from vendors like ABB, Siemens, and Elseta, including high severity vulnerabilities such as hard-coded credentials and command injection with remote exploitability (ABB ASPECT-Enterprise, NEXUS, and MATRIX Series, Elseta Vinci Protocol Analyzer).

• CISA has added multiple new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting ongoing threats from vulnerabilities in Microsoft, Palo Alto Networks, and CMS systems, which are actively exploited in the wild (CISA Adds One Known Exploited Vulnerability to Catalog, CISA Adds Two Known Exploited Vulnerabilities to Catalog).

• The cybersecurity landscape for critical digital infrastructure remains under heightened threat from cybercrime and state-sponsored actors. Reports highlight increased activity targeting healthcare and other critical sectors, with ransomware as a significant threat (Building a Collective Defense: Collaborative Threat Intelligence and Information Sharing for Critical Infrastructure, Health-ISAC 2025 Health Sector Cyber Threat Landscape).

• A significant backdoor was discovered in Contec CMS8000 vital sign monitors, which presents a risk due to its connection to a Chinese government-funded network, posing privacy and safety concerns for affected devices used globally (The Alarming Backdoor Hiding in 2 Chinese Patient Monitors).

• Europol has identified key challenges in combating cybercrime, including issues with data volume, loss, and access, anonymization services, and international cooperation hurdles, indicating areas needing focused efforts in cybersecurity strategy and policy (Common Challenges in Cybercrime).

• With anticipated developments in cybersecurity efforts, the FBI plans to integrate emerging technologies such as AI to bolster defenses against cyber threats, particularly focusing on patch management and critical infrastructure protection (The Year Ahead: FBI’s 2025 Cybersecurity Priorities).

• The SSSCIP highlights the importance of strengthening critical infrastructure cybersecurity defenses, with particular emphasis on threats posed by Russian state actors employing low-complexity brute force techniques against exposed operational technology devices (CTO at NCSC Summary: week ending February 23rd).

Vendor Feeds #

• The ransomware group Ghost continues to exploit known vulnerabilities in outdated software, as detailed in joint advisories from the U.S. CISA and the FBI. Targeting has included exploits for vulnerabilities like CVE-2018-13379 and CVE-2021-34473 among others, impacting organizations across more than 70 countries (Cybersecurity Snapshot: Ghost Ransomware Group Targets Known Vulns).

• The cryptocurrency exchange Bybit experienced a substantial cyber heist, resulting in the theft of over $1.4 billion in Ethereum, attributing the incident to a sophisticate attack while transferring funds from cold to warm wallets (Hackers drained $1.4 billion of cryptocurrency from Bybit exchange, CEO confirms, The Bybit Incident: When Research Meets Reality).

• Black Basta gang’s internal communications were leaked, revealing internal discord potentially linked to Russian bank attacks. The leak exposed operational details, including Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) (Black Basta’s Internal Chats Leak: Everything You Need to Know).

• Microsoft disclosed a high-severity zero-day vulnerability (CVE-2025-24989) in its Power Pages platform, potentially allowing unauthorized privilege escalations. This has been fixed, and affected customers have been notified (Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV).

• Cisco’s IOS XE vulnerabilities (CVE-2023-20198 and CVE-2023-20273) are actively exploited by the APT group Salt Typhoon, targeting global telecommunications networks with privilege escalation and code execution capabilities (Chinese APT Exploits Cisco IOS XE Vulnerabilities).

• Recent cybersecurity findings indicate escalating ransomware campaigns targeting Microsoft Teams environments. Tactics involve exploiting system settings and leveraging social engineering attacks to deploy ransomware (A New Wave of Ransomware Campaigns Targeting Microsoft Teams).

• The Cybersecurity and Infrastructure Security Agency (CISA) issued fresh warnings about manipulative vulnerabilities in Juniper Networks and OpenSSH. Flaws include severe vulnerabilities that could allow unauthorized access and session hijacks (Security Flaws in OpenSSH and Juniper Networks Demand Action).

• Cyber police arrested Poland’s former justice minister for alleged responsibility in government spyware abuses. This follows a broader investigation into abuses of spyware tech by the previous ruling party (Top Polish anti-corruption official resigns amid spyware probe).

News Feeds #

• Salt Typhoon, a state-backed Chinese threat group, exploited Cisco vulnerabilities to attack U.S. telecom networks, gaining initial access primarily through misuse of legitimate credentials (Salt Typhoon Hackers Exploit Cisco Vulnerability to Gain Access To U.S. Telecom Networks, Salt Typhoon gained initial access to telecoms through Cisco devices).

• Russian state-sponsored threat groups are conducting phishing attacks targeting Signal accounts, compromising secure communications of Ukrainian military and government personnel (Russia-aligned threat groups dupe Ukrainian targets via Signal, Russian State-Backed Hackers Intensify Attacks on Signal Messenger Accounts).

• Bybit, a major cryptocurrency exchange, suffered a $1.4 billion breach attributed to North Korea’s Lazarus Group, linking the hack to previous Phemex and BingX attacks (Hacker steals record $1.46 billion from Bybit ETH cold wallet, Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group).

• Health Net Federal Services agreed to an $11M settlement over alleged cybersecurity compliance failures with DoD, highlighting the growing enforcement of cybersecurity protocols for federal contractors (US healthcare org pays $11M settlement over alleged cybersecurity lapses, Health Net, Centene Settle Cybersecurity Fraud Allegations with $11M Payout).

• Apple removed its Advanced Data Protection feature from UK services following a government request for a backdoor, raising concerns about future encryption policies (Apple pulls end-to-end encryption feature from UK after demands for law enforcement access, Apple removes advanced data protection tool in face of UK government request).

• CISA flagged a new critical vulnerability in Craft CMS being actively exploited in the wild, underlining the ongoing risk from unpatched software (CISA flags Craft CMS code injection flaw as exploited in attacks).

• U.S. cybersecurity discourse emphasizes the need for enhanced offensive cyber strategies to counter adversaries, noting a shift to more kinetic impact potential of cyber operations (Former NSA, Cyber Command chief Paul Nakasone says U.S. falling behind its enemies in cyberspace).

• The SEC rebranded its Crypto Assets Unit to the “Cyber and Emerging Technologies Unit,” raising concerns about possibly deprioritizing cryptocurrency enforcement (SEC rebrands cryptocurrency unit to focus on emerging technologies).

• Darktrace identified critical vulnerabilities in edge devices from Palo Alto Networks and Fortinet, exploited throughout 2024, emphasizing persistent risks in network infrastructure (Edge device vulnerabilities fueled attack sprees in 2024).

Personal Feeds #

• Recent executive orders reshaping U.S. AI policy have increased the attack surface and shifted the responsibility for AI security to corporate leaders, urging them to establish their own AI security standards (AI Security: CISOs, Seize the Future!).
• The cyber espionage group Salt Typhoon, linked to China, uses custom malware named JumbledPath to target and spy on U.S. telecommunication providers (Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers).
• A new ransomware called NailaoLocker has targeted European healthcare organizations, exploiting Check Point VPN appliance vulnerabilities, relying on tools like ShadowPad and PlugX (NailaoLocker ransomware targets EU healthcare-related entities).
• The U.S. CISA has added several vulnerabilities, including Microsoft Power Pages, Palo Alto Networks PAN-OS, and Craft CMS flaws, to its Known Exploited Vulnerabilities catalog, highlighting ongoing exploit trends (U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog, U.S. CISA adds Craft CMS and Palo Alto Networks PAN-OS flaws to its Known Exploited Vulnerabilities catalog).
• A sophisticated attack led to the theft of $1.5 billion in cryptocurrency from Bybit, marking it as the largest crypto heist to date (Lazarus APT stole $1.5B from Bybit, it is the largest cryptocurrency heist ever).
• Advances in AI technology pose new economic and security challenges for security operations, particularly in SIEM environments as data volumes grow (The New Economics of an AI-Powered SIEM).
• Device code phishing techniques exploiting vulnerabilities in OAuth standards to give attackers access to accounts are gaining popularity (Got a Microsoft Teams invite? Storm-2372 gang exploit device codes in global phishing attacks, Device Code Phishing).
• Innovations in turning phished data into mobile wallets highlight ongoing developments in cybercrime, driven by groups in China (How Phished Data Turns into Apple & Google Wallets).

Community Feeds #

• Ghost ransomware uses vulnerabilities in widely-used software such as Fortinet FortiOS, Adobe ColdFusion, and Microsoft Exchange. It’s important to monitor for unauthorized use of PowerShell and segment networks to restrict lateral movement (US authorities warn Ghost ransomware leverages older CVEs).

• PayPal’s “New Address” feature is exploited to send phishing emails, highlighting the need for awareness around potential abuse of legitimate service features (Beware: PayPal “New Address” feature abused to send phishing emails).

• Over 100 security flaws identified in LTE and 5G network implementations pose significant security concerns, necessitating scrutiny of these technologies’ deployment (RANsacked: Over 100 Security Flaws Found in LTE/5G Network Implementations).

• XWorm malware showcases obfuscation challenges by combining executable data with PowerShell-code pieces, underscoring the need for improved detection capabilities (XWorm Cocktail: A Mix of PE data with PowerShell Code).

• Apple has ended iCloud encryption in the UK, responding to government data demands, raising privacy and data protection concerns (Apple Ends iCloud Encryption in UK Amid Government Data Demands, Three questions about Apple, encryption, and the U.K.).

• Data embassies opening globally as a strategy to protect critical information reflect a growing trend in safeguarding national data sovereignty (Nations Open ‘Data Embassies’ to Protect Critical Info).

• Recent cybersecurity incidents, including those affecting Anne Arundel County and a major U.S. news publisher, highlight the ongoing threat of ransomware attacks against public and private sectors (Anne Arundel County Hit by Ransomware Attack Amid Maryland Cyber Threats, Major U.S. News Publisher Faces Major Cyberattack Disrupting Operations).

• Xaiomi phones are advised by Iran for potential delegates, raising questions about the security implications of using specific hardware in certain geopolitical contexts (Iran and Xaiomi).

• A new tool for debloating container files shows a reduction of up to 97% in vulnerabilities by removing unused elements, pointing to advancements in maintaining lightweight and secure container environments (Containers are bloated and that bloat is a security risk. We built a tool to remove it!).

Disclaimer #

The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created with BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.