Welcome to your weekly cybersecurity scoop! Ever thought about how the same AI meant to protect our hospitals could also compromise them? This week, we’re breaking down the sophisticated world of AI-driven threats, key updates in regulations, and some urgent vulnerabilities in healthcare tech that need our attention.
As we unpack these complex topics, we’ll equip you with sharp insights to navigate these turbulent waters. Curious about the solutions? They’re smarter and more unexpected than you might think. Let’s dive in.
⚡ Threat of the Week
Juniper Networks Routers Targeted by J-magic — A new campaign targeted enterprise-grade Juniper Networks routers between mid-2023 and mid-2024 to infect them with a backdoor dubbed J-magic when certain precise conditions are met. The malware is a variant of a nearly 25-year-old, publicly available backdoor referred to as cd00r, and is designed to establish a reverse shell to an attacker-controlled IP address and port. The semiconductor, energy, manufacturing, and information technology (IT) sectors were the most targeted.
The Human Touch In Creating and Securing Non-Human Identities
In today’s digital landscape, a new class of identities has emerged alongside traditional human users: non-human identities (NHIs). This ebook explores everything you need to know about managing NHIs in your environment.
🔔 Top News
- Palo Alto Firewalls Found Vulnerable to Firmware Exploits — An analysis of three firewall models from Palo Alto Networks – PA-3260, PA-1410, and PA-415 – uncovered that they are vulnerable to known security flaws that could be exploited to achieve Secure Boot bypass and modify device firmware. In response to the findings, Palo Alto Networks said exploiting the flaws requires an attacker to first compromise PAN-OS software through other means and obtain elevated privileges to access or modify the BIOS firmware. It also said it will be working with third-party vendors to develop firmware updates for some of them.
- PlushDaemon Linked to Supply Chain Compromise of South Korean VPN Provider — A never-before-seen China-aligned hacking group named PlushDaemon carried out a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023 to deliver malware known as SlowStepper, a fully-featured backdoor with an extensive set of information gathering features. The threat actor is also said to have exploited an unknown vulnerability in Apache HTTP servers and conducted adversary-in-the-middle (AitM) attacks to breach other targets of interest. Active since at least 2019, the group has singled out individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.
- Mirai Botnet Launches Record 5.6 Tbps DDoS Attack — Cloudflare revealed that a Mirai botnet comprising over 13,000 IoT devices was responsible for a record-breaking 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack aimed at an unnamed internet service provider (ISP) from Eastern Asia. The attack lasted about 80 seconds. The web infrastructure company said the average unique source IP address observed per second was 5,500, and the average contribution of each IP address per second was around 1 Gbps.
- Over 100 Flaws in LTE and 5G Implementations — A group of academics has disclosed 119 security vulnerabilities impacting LTE and 5G implementations, including Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, and srsRAN, that could be exploited by an attacker to disrupt access to service and even gain a foothold in the cellular core network. Some of the identified vulnerabilities could be weaponized to breach the cellular core network and leverage that access to monitor cellphone location and connection information for all subscribers at a city-wide level, carry out targeted attacks on specific subscribers, and perform further malicious actions on the network itself.
- Ex-CIA Analyst Pleads Guilty to Sharing Top Secret Docs — Asif William Rahman, a former analyst working for the U.S. Central Intelligence Agency (CIA), pleaded guilty to transmitting top secret National Defense Information (NDI) to unauthorized personnel and attempting to cover up the activity. The incident, which took place in October 2024, involved Rahman sharing documents prepared by the National Geospatial-Intelligence Agency and the National Security Agency. They were related to Israel’s plans to attack Iran, and were subsequently shared on Telegram by an account called Middle East Spectator. He has pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense. He is expected to be sentenced on May 15, 2025, potentially facing a maximum penalty of 10 years in prison.
🔥 Trending CVEs
Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.
This week’s list includes — CVE-2025-23006 (SonicWall), CVE-2025-20156 (Cisco Meeting Management), CVE-2025-21556 (Oracle Agile Product Lifecycle Management Framework), CVE-2025-0411 (7-Zip), CVE-2025-21613 (go-git), CVE-2024-32444 (RealHomes theme for WordPress), CVE-2024-32555 (Easy Real Estate plugin), CVE-2016-0287 (IBM i Access Client Solutions), CVE-2024-9042 (Kubernetes).
📰 Around the Cyber World
- India and the U.S. Sign Cybercrime MoU — India and the United States have signed a memorandum of understanding (MoU) to bolster cooperation in cybercrime investigations. “The MoU allows the respective agencies of the two countries to step up the level of cooperation and training with respect to the use of cyber threat intelligence and digital forensics in criminal investigations,” the Indian Ministry of External Affairs (MEA) said in a statement.
- Critical Security Flaws in ABB ASPECT-Enterprise, NEXUS, and MATRIX Products — More than 100 security flaws have been disclosed in the ABB ASPECT-Enterprise, NEXUS, and MATRIX series of products that could enable an attacker to disrupt operations or execute remote code. Gjoko Krstikj of Zero Science Lab has been credited with discovering and reporting the flaws.
- 91% of Exposed Exchange Server Instances Still Vulnerable to ProxyLogon — One of the vulnerabilities exploited by the China-linked Salt Typhoon hacking group for initial access is CVE-2021-26855 (aka ProxyLogon), a nearly four-year-old flaw in Microsoft Exchange Server. According to a new analysis from cybersecurity company Tenable, 91% of the nearly 30,000 external-facing instances of Exchange vulnerable to CVE-2021-26855 have not been updated to close the defect to date. “Salt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a significant time period,” it said.
- IntelBroker Resigns from BreachForums — The threat actor known as IntelBroker has announced his resignation as the owner of an illicit cybercrime forum called BreachForums, citing lack of time. The development marks the latest twist in the tumultuous history of the online criminal bazaar, which has been the subject of law enforcement scrutiny, resulting in a takedown of its infrastructure and the arrest of its previous administrators. Its original creator and owner Conor Brian Fitzpatrick (aka Pompompurin) was sentenced to time served and 20 years of supervised release exactly a year ago. However, newly filed court documents show that his sentence has been vacated — i.e., declared void. “While released on bond awaiting sentencing, Fitzpatrick violated his conditions of release immediately by secretly downloading a virtual private network, which he then used virtually every day to access the Internet without the knowledge of his probation officer,” the document reads. “Not only did Fitzpatrick commit serious offenses, but he also showed a lack of remorse, joking about committing additional crimes even after entering a guilty plea.”
- Cloudflare CDN Bug Leaks User Locations — A new piece of research from a 15-year-old security researcher who goes by the name Daniel has uncovered a novel “deanonymization attack” in the widely used Cloudflare content delivery network (CDN) that can expose someone’s location by sending them an image on platforms like Signal, Discord, and X. The flaw allows an attacker to extract the location of any target within a 250-mile radius when a vulnerable app is installed on a target’s phone, or as a background application on their laptop, simply by sending a specially-crafted payload. Using either a one-click or zero-click approach, the attack takes advantage of the fact that Cloudflare caches copies of frequently accessed content in data centers located in close proximity to users to improve performance. The security researcher developed a tool called Teleport that let them check which of Cloudflare’s data centers had cached an image, which allowed them to triangulate the approximate location a Discord, Signal, or X user might be in. Although the specific issue was closed, Daniel noted that the fix could be bypassed using a VPN. While the geolocation capability of the attack is not precise, it can provide enough information to infer the geographic region where a person lives, and use it as a stepping stone for follow-on intelligence gathering. “The attack leverages fundamental design decisions in caching and push notification systems, demonstrating how infrastructure meant to enhance performance can be misused for invasive tracking,” the researcher said.
- Belsen Group Leaks Fortinet FortiGate Firewall Configs — A little-known hacking group named Belsen Group has leaked configuration data for over 15,000 Fortinet FortiGate firewalls on the dark web for free. This includes configurations and plaintext VPN user credentials, device serial numbers, models, and other data. An analysis of the data dump conducted by security researcher Kevin Beaumont has revealed that the configuration data was likely assembled by exploiting CVE-2022-40684, an authentication bypass vulnerability disclosed in October 2022, while it was still a zero-day. Of the 15,469 distinct affected IP addresses, 8,469 IPs have been found to be still online and reachable in scans. As many as 5,086 IPs are continuing to expose the compromised FortiGate login interfaces. A majority of the exposures are in Mexico, Thailand, and the U.S. “If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor’s disclosure is small,” Fortinet said in response to the disclosure. The disclosure comes as another critical flaw in FortiGate devices (CVE-2024-55591, aka Console Chaos) has been under active exploitation in the wild since November 1, 2024.
🎥 Expert Webinar
- No More Trade-Offs: Secure Code at Full Speed — Tired of security slowing down development—or risky shortcuts putting you at risk? Join Sarit Tager, VP of Product Management at Palo Alto Networks, in this must-attend webinar to discover how to break the Dev-Sec standoff. Learn how to embed smart, seamless security guardrails into your DevOps pipeline, prioritize code issues with full ecosystem context, and replace “shift left” confusion with the clarity of “start left” success. If speed and security feel like a trade-off, this webinar will show you how to have both. Save your spot now.
- The Clear Roadmap to Identity Resilience — Struggling with identity security gaps that increase risks and inefficiencies? Join Okta’s experts, Karl Henrik Smith and Adam Boucher, to discover how the Secure Identity Assessment (SIA) delivers a clear, actionable roadmap to strengthen your identity posture. Learn to identify high-risk gaps, streamline workflows, and adopt a scalable, phased approach to future-proofing your defenses. Don’t let identity debt hold your organization back—gain the insights you need to reduce risk, optimize operations, and secure business outcomes.
P.S. Know someone who could use these? Share it.
🔧 Cybersecurity Tools
- Extension Auditor: With cyber threats becoming more sophisticated, tools like Extension Auditor are essential for maintaining online safety. This tool evaluates your browser extensions for security and privacy risks, providing a clear analysis of permissions and potential vulnerabilities. Extension Auditor helps you identify and manage extensions that could expose you to danger, ensuring your browsing is secure and your data remains private.
- AD Threat Hunting Tool: It is a simple yet powerful PowerShell tool that helps detect suspicious activities in your Active Directory, like password spray attacks or brute force attempts. It provides real-time alerts, smart analysis of attack patterns, and detailed reports with easy export options. With built-in testing to simulate attacks, this tool is a must-have for keeping your AD environment secure and identifying threats quickly.
🔒 Tip of the Week
Essential Network Security Practices — To effectively secure your network, you don’t need complex solutions. Keep your network safe with these easy tips: Use a VPN like NordVPN to protect your data and keep your online activities private. Make sure your firewall is turned on to stop unwanted access. Keep your software and devices updated to fix security weaknesses. Choose strong, unique passwords for all your accounts and consider using a password manager to keep track of them. Teach yourself and others how to spot phishing scams to avoid giving away sensitive information. These basic actions can greatly improve your network’s security and are simple to implement.
Conclusion
As we close this week’s newsletter, let’s focus on the crucial issue of vulnerabilities in healthcare technology. These gaps highlight a pressing need for enhanced security measures and more dynamic regulatory frameworks that can quickly adapt to new threats. How can we fortify our defenses to better protect critical infrastructure? Your expertise is essential as we tackle these challenges and push for more effective solutions. Let’s keep the dialogue open and continue to drive progress in our field. Stay informed and engaged.