Cyber Security Headlines: February 20, 2025
Hosted by CISO Series
The latest episode of Cyber Security Headlines by CISO Series, hosted by Lauren Verno, delves into significant happenings in the information security landscape. Covering a range of topics from state-sponsored cyber attacks to critical vulnerabilities and legal actions against cybercriminals, this episode provides a comprehensive overview of current cybersecurity challenges and responses.
1. Russian Hackers Tap into Signal Conversations
Lauren Verno highlights a concerning development where Russian state-backed hackers are abusing Signal's "linked devices" feature to compromise accounts. By deceiving Ukrainian military personnel into scanning malicious QR codes, the attackers link a device they control to the victim's account, so Signal delivers the victim's messages to it in real time without the attacker ever having to compromise the victim's phone.
“Russian hackers are exploiting Signal’s linked devices feature to hijack accounts by tricking targets, often Ukrainian military personnel, into scanning malicious QR codes,” (02:15).
Google researchers have identified multiple threat groups employing this technique, embedding QR codes within phishing pages masquerading as military applications or security alerts. In response, Signal has implemented security updates to mitigate these threats and advises users to exercise heightened caution when scanning QR codes.
2. Ransomware Group Hits Critical Infrastructure Globally
The Ghost ransomware group has compromised critical infrastructure organizations across more than 70 countries, hitting multiple industries by exploiting unpatched, publicly known vulnerabilities in internet-facing Fortinet, Adobe ColdFusion, and Microsoft Exchange servers. The breadth of the campaign underscores the group's opportunistic methods and global reach.
“Ghost ransomware has hit critical infrastructure in multiple industries across 70 plus countries by exploiting unpatched vulnerabilities,” (05:30).
A joint advisory released by CISA, the FBI, and MS-ISAC warns that Ghost rotates malware variants, alters ransom notes, and changes contact email addresses to frustrate attribution. Once inside a network, the group uses tools such as Mimikatz to harvest credentials and Cobalt Strike for command and control and lateral movement. To defend against these attacks, the advisory recommends patching the exploited vulnerabilities, implementing phishing-resistant multi-factor authentication (MFA), segmenting networks, and maintaining offline backups.
3. Patch Palo Alto Flaw Immediately
A critical authentication bypass vulnerability in Palo Alto Networks' PAN-OS firewalls is being actively exploited. Attackers are chaining it with two other PAN-OS vulnerabilities to escalate privileges and read sensitive files on the firewall.
“Attackers are actively exploiting a critical authentication bypass flaw in Palo Alto Networks’ PAN-OS firewalls,” (07:45).
The number of IP addresses seen attempting exploitation has grown from two to 25, indicating a widening threat. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 11th. Organizations are urged to apply the patches immediately and to restrict access to the management interface to trusted internal IP addresses, keeping it off the internet entirely.
4. Thousands Rescued from Scam Hubs
Thailand is preparing to receive 7,000 individuals rescued from illegal cyber scam hubs in Myanmar, as part of a regional effort to combat human trafficking and online fraud. These criminal syndicates from Myanmar, Cambodia, and Laos have coerced thousands into participating in scams, including cryptocurrency fraud and bogus investment schemes.
“Criminal syndicates in Myanmar, Cambodia, and Laos have forced thousands, many trafficked through Thailand, into scams like cryptocurrency fraud and fake investment schemes,” (10:20).
Despite ongoing efforts to dismantle these operations, previous crackdowns have revealed the resilience of these groups, who often relocate to continue their multi-billion-dollar illicit activities. This highlights the persistent challenge authorities face in eradicating such sophisticated cybercrime networks.
5. FBI Official Provides More Detail on Salt Typhoon Attack
At the 2025 Zero Trust Summit, FBI Deputy Assistant Director Cynthia Kaiser shed light on the extensive impact of the Salt Typhoon cyber attack attributed to China. The intrusion compromised data held by major telecom providers, affecting a broad spectrum of individuals and sensitive information.
“Can any of you imagine a world in which China would have been stealing information about you as a 13-year-old? That’s precisely what American children are facing,” Kaiser stated (11:55).
The attack compromised law enforcement information, call records, and personal data of American children, raising significant concerns about long-term privacy and security implications. Despite sanctions imposed on a Chinese national and a linked cybersecurity firm, the Salt Typhoon operation remains active and continues to target networks worldwide.
6. New Malware Spreads as Fake Browser Update
A new macOS infostealer named FrigidStealer is being distributed via compromised websites that display fake browser update prompts. The malware tricks users into entering their system password, then steals browser cookies, credentials, Apple Notes, and cryptocurrency-related files.
“FrigidStealer is being distributed via a compromised website disguised as a browser update,” (14:10).
The campaign is attributed to the financially motivated cybercriminal group TA2727, which uses the same fake-update lure against Windows and Android users. Victims reach the lure through a traffic distribution service operated by a separate group, TA2726, which routes visitors of compromised sites to various cybercrime crews, including those distributing the SocGholish malware.
7. Military Man Pleads Guilty in Telecom Attacks
Cameron John Wagenius, a former US Army soldier, has pleaded guilty to unlawfully accessing and transferring confidential phone records from major carriers AT&T and Verizon. He faces up to 10 years in prison and a $250,000 fine on each of the two charges.
“John Wagenius faces up to 10 years in prison and a $250,000 fine for each of the two charges for unlawful transfer of confidential phone records,” (16:45).
These breaches are connected to the broader indictment over the 2024 Snowflake customer data thefts, which exposed data from AT&T, LendingTree, Santander Bank, Ticketmaster, and more than 160 other companies, and highlight how exposed the telecom sector remains to credential-based attacks.
8. Trump Administration Taps Top DOJ Official
President Donald Trump intends to nominate John Eisenberg, a pivotal figure in his first impeachment, to lead the Justice Department's National Security Division. Eisenberg, who served as legal advisor to the National Security Council during the Ukraine call scandal, would oversee critical areas such as terrorism and cyber espionage cases.
“John Eisenberg’s nomination is likely to spark some scrutiny over his handling of the Ukraine call and his position on FISA’s Section 702,” (18:30).
If confirmed, Eisenberg's appointment could reignite debates surrounding his previous actions and stances, particularly regarding FISA’s Section 702, a cornerstone national security surveillance tool.
Conclusion
This episode of Cyber Security Headlines provides a thorough examination of contemporary cybersecurity threats, legislative moves, and efforts to combat cybercrime. From state-sponsored attacks and ransomware threats to legal prosecutions and policy nominations, the discussions underscore the dynamic and multifaceted nature of the cybersecurity landscape. For listeners seeking deeper insights into these stories, more detailed analyses are available at CISOseries.com.
