
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, February 20, 2025. I'm Lauren Verno.

Russian Hackers Tap into Signal Conversations

Russian state-backed hackers are exploiting Signal's linked devices feature to hijack accounts by tricking targets, often Ukrainian military personnel, into scanning malicious QR codes. Once linked, attackers can intercept messages in real time without fully compromising the victim's device. Google researchers identified multiple threat groups using this technique, with some embedding QR codes in phishing pages disguised as military applications or security alerts. Signal has rolled out security updates to counter these threats, but is urging users to take extra precautions when scanning QR codes.

Ransomware Group Hits Critical Infrastructure Globally

Ghost ransomware has hit critical infrastructure in multiple industries across 70-plus countries by exploiting unpatched vulnerabilities in Fortinet, ColdFusion and Exchange servers. In a joint advisory on Wednesday, CISA, the FBI and MS-ISAC warned that attackers rotate malware variants, ransom notes and email addresses to evade attribution, using tools like Mimikatz and Cobalt Strike for initial access. Now, to defend against these attacks, the advisory recommends organizations patch vulnerabilities, implement phishing-resistant MFA, segment networks and maintain offline backups.

CISA Says to Patch Palo Alto Flaw Immediately

Attackers are actively exploiting a critical authentication bypass flaw in Palo Alto Networks' PAN-OS firewalls, chaining it to two other vulnerabilities to escalate privileges and read sensitive files. Exploitation attempts have surged, with 25 malicious IPs now targeting affected devices, up from just two initially. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 11th of this year. Organizations are also urged to apply patches immediately and whitelist IPs in the management interface.

Thousands Rescued from Scam Hubs

Thailand is set to take in 7,000 people rescued from illegal cyber scam hubs in Myanmar as part of a regional crackdown on human trafficking and online fraud. Now, criminal syndicates in Myanmar, Cambodia and Laos have forced thousands, many trafficked through Thailand, into scams like cryptocurrency fraud and fake investment schemes. Now, while authorities continue efforts to dismantle these operations, past crackdowns have shown that these groups often relocate and are able to continue this multi-billion-dollar industry.

Thanks to today's episode sponsor, Scrut Automation. Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Their best-in-class features like process automation, AI and over 75 native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit scrut.org to schedule a demo or learn more. That's www.scrut.io.

FBI Official Provides More Detail on Salt Typhoon Attack

A top official at the FBI painted a clear picture as to the sheer impact of the Salt Typhoon attack. Speaking at the 2025 Zero Trust Summit, FBI Deputy Assistant Director Cynthia Kaiser emphasized the scale and indiscriminate nature of China's data collection from major telecom providers. Officials say the breach compromised every group of people, including law enforcement information, call records and even data on American children, raising concerns over its long-term impact. Kaiser asked the crowd, quote, "Can any of you imagine a world in which China would have been stealing information about you as a 13-year-old? That's precisely what American children are facing, and that's going to follow them in the future," end quote. Since being exposed last year, the US has since sanctioned a Chinese national and a cybersecurity firm linked to the operation. But Salt Typhoon remains active, with ongoing attacks on global networks.

New Malware Spreads as Fake Browser Update

A new macOS-targeting malware called FrigidStealer is being distributed via a compromised website disguised as a browser update, tricking users into entering their passwords to steal browser cookies, credentials, Apple Notes and cryptocurrency-related files. Now, the malware is linked to the financially motivated cybercriminal group TA2727, which has previously targeted Windows and Android users with similar tactics. Attackers are using a traffic distribution service operated by TA2726, which also directs traffic to other cybercrime groups, including those behind the SocGholish malware.

Military Man Pleads Guilty in Telecom Attacks

A former US Army soldier has pleaded guilty to hacking a significant amount of phone records from AT&T and Verizon. The defendant, John Wagenius, faces up to 10 years in prison and a $250,000 fine for each of the two charges for unlawful transfer of confidential phone records. Now, the breaches are tied to the indictment of other hackers involved in the 2024 Snowflake data breaches, which exposed data from AT&T, LendingTree, Santander Bank, Ticketmaster and over 160 other companies.

Trump Administration Taps Top DOJ Official

President Donald Trump plans to nominate John Eisenberg, a key figure in his first impeachment, to lead the Justice Department's National Security Division. Eisenberg, who served as a legal advisor to the National Security Council during the Ukraine call scandal, would oversee terrorism and cyber espionage cases. If confirmed, his nomination is likely to spark some scrutiny over his handling of the Ukraine call and his position on FISA's Section 702, which is a key national security surveillance tool.

When it comes to buying cybersecurity solutions, we're often told the choice comes down to buying the best single tool available or buying into a wider platform of tools for better integration. But is there a way to have your cybersecurity cake and eat it, too? That's what we're digging into on this week's episode of Defense in Depth. Look for "Is Platformization versus Best of Breed a False Dichotomy?" wherever you get your podcasts. I'm Lauren Verno, reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines: February 20, 2025
Hosted by CISO Series
The latest episode of Cyber Security Headlines by CISO Series, hosted by Lauren Verno, delves into significant happenings in the information security landscape. Covering a range of topics from state-sponsored cyber attacks to critical vulnerabilities and legal actions against cybercriminals, this episode provides a comprehensive overview of current cybersecurity challenges and responses.
Lauren Verno highlights a concerning development where Russian state-backed hackers are exploiting Signal’s "linked devices" feature to compromise accounts. By deceiving Ukrainian military personnel into scanning malicious QR codes, attackers gain the ability to intercept messages in real-time without fully breaching the victim's device.
“Russian hackers are exploiting Signal’s linked devices feature to hijack accounts by tricking targets, often Ukrainian military personnel, into scanning malicious QR codes,” (02:15).
Google researchers have identified multiple threat groups employing this technique, embedding QR codes within phishing pages masquerading as military applications or security alerts. In response, Signal has implemented security updates to mitigate these threats and advises users to exercise heightened caution when scanning QR codes.
The Ghost ransomware group has made significant inroads into critical infrastructure across more than 70 countries, targeting various industries by exploiting unpatched vulnerabilities in Fortinet, ColdFusion, and Exchange servers. This widespread attack underscores the group's sophisticated methods and global reach.
“Ghost ransomware has hit critical infrastructure in multiple industries across 70 plus countries by exploiting unpatched vulnerabilities,” (05:30).
A joint advisory released by CISA, the FBI, and MS-ISAC warns that Ghost employs tactics such as rotating malware variants, altering ransom notes, and changing email addresses to avoid attribution. The group also uses tools like Mimikatz and Cobalt Strike for initial access. To defend against these attacks, the advisory recommends patching vulnerabilities, implementing phishing-resistant multi-factor authentication (MFA), segmenting networks, and maintaining offline backups.
A critical authentication bypass vulnerability in Palo Alto Networks' PAN-OS firewalls is being actively exploited. Attackers chain the flaw with two other vulnerabilities to escalate privileges and read sensitive files.
“Attackers are actively exploiting a critical authentication bypass flaw in Palo Alto Networks’ PAN-OS firewalls,” (07:45).
Exploitation attempts have surged from an initial two malicious IP addresses to 25, indicating a growing threat. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply patches by March 11th. Organizations are urged to apply the necessary patches immediately and whitelist trusted IPs within the management interface to prevent unauthorized access.
Thailand is preparing to receive 7,000 individuals rescued from illegal cyber scam hubs in Myanmar, as part of a regional effort to combat human trafficking and online fraud. These criminal syndicates from Myanmar, Cambodia, and Laos have coerced thousands into participating in scams, including cryptocurrency fraud and bogus investment schemes.
“Criminal syndicates in Myanmar, Cambodia, and Laos have forced thousands, many trafficked through Thailand, into scams like cryptocurrency fraud and fake investment schemes,” (10:20).
Despite ongoing efforts to dismantle these operations, previous crackdowns have revealed the resilience of these groups, who often relocate to continue their multi-billion-dollar illicit activities. This highlights the persistent challenge authorities face in eradicating such sophisticated cybercrime networks.
At the 2025 Zero Trust Summit, FBI Deputy Assistant Director Cynthia Kaiser shed light on the extensive impact of the Salt Typhoon cyber attack orchestrated by China. The breach compromised data from major telecom providers, affecting a broad spectrum of individuals and sensitive information.
“Can any of you imagine a world in which China would have been stealing information about you as a 13-year-old? That’s precisely what American children are facing,” Kaiser stated (11:55).
The attack compromised law enforcement information, call records, and personal data of American children, raising significant concerns about long-term privacy and security implications. Despite sanctions imposed on a Chinese national and a linked cybersecurity firm, the Salt Typhoon operation remains active, continuing its assaults on global networks.
A new macOS-targeted malware named FrigidStealer is being distributed via compromised websites posing as browser updates. The malware deceives users into entering their passwords and then steals browser cookies, credentials, Apple Notes, and cryptocurrency-related files.
“FrigidStealer is being distributed via a compromised website disguised as a browser update,” (14:10).
The malware is linked to the financially motivated cybercriminal group TA2727, known for targeting Windows and Android users with similar tactics. It is delivered through a traffic distribution service operated by TA2726, which also directs traffic to other cybercrime groups, including those responsible for the SocGholish malware.
John Wagenius, a former US Army soldier, has pleaded guilty to unlawfully accessing and transferring confidential phone records from major carriers AT&T and Verizon. He faces up to 10 years in prison and a $250,000 fine for each of the two charges.
“John Wagenius faces up to 10 years in prison and a $250,000 fine for each of the two charges for unlawful transfer of confidential phone records,” (16:45).
These breaches are connected to the broader indictment related to the 2024 Snowflake data breaches, which exposed data from AT&T, LendingTree, Santander Bank, Ticketmaster, and over 160 other companies, highlighting the pervasive risks within the telecom sector.
President Donald Trump intends to nominate John Eisenberg, a pivotal figure in his first impeachment, to lead the Justice Department's National Security Division. Eisenberg, who served as a legal advisor to the National Security Council during the Ukraine call scandal, would oversee critical areas such as terrorism and cyber espionage cases.
“John Eisenberg’s nomination is likely to spark some scrutiny over his handling of the Ukraine call and his position on FISA’s Section 702,” (18:30).
If confirmed, Eisenberg's appointment could reignite debates surrounding his previous actions and stances, particularly regarding FISA’s Section 702, a cornerstone national security surveillance tool.
This episode of Cyber Security Headlines provides a thorough examination of contemporary cybersecurity threats, legislative moves, and efforts to combat cybercrime. From state-sponsored attacks and ransomware threats to legal prosecutions and policy nominations, the discussions underscore the dynamic and multifaceted nature of the cybersecurity landscape. For listeners seeking deeper insights into these stories, more detailed analyses are available at CISOseries.com.