Daily Briefing for 02.18.25

At a glance.

• Threat actors exploit recently patched Palo Alto firewall vulnerability.
• New macOS malware delivered via web injects.
• Newspaper publisher Lee Enterprises still recovering from ransomware attack.

Threat actors exploit recently patched Palo Alto firewall vulnerability.

Palo Alto Networks has confirmed that threat actors are exploiting a recently patched vulnerability (CVE-2025-0108) affecting its PAN-OS firewall software, SecurityWeek reports. The vulnerability is an authentication bypass flaw that can allow "an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts."

The company patched the flaw last week, and a proof-of-concept (PoC) exploit is publicly available. Palo Alto says it's "observed exploit attempts that utilize the PoC, chaining it with the exploit for CVE-2024-9474 on unpatched and unsecured PAN-OS web management interfaces."

New macOS malware delivered via web injects.

Proofpoint is tracking a new strain of macOS malware dubbed "FrigidStealer" that's being distributed via web inject campaigns. The malware is designed to steal sensitive information, including passwords, browser cookies, and files related to cryptocurrency.

The researchers explain, "Typically, an attack chain will consist of three parts: the malicious injects served to website visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for determining what user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script. Sometimes each part of the attack chain is managed by the same threat actor, but frequently the different parts of the chain may be managed by different threat actors."

In this case, the compromised websites inform visitors that they must update their browsers before continuing. If the user clicks the "Update now" button, the threat actor's TDS will download a DMG file. Proofpoint says, "Right clicking and selecting Open bypassed the MacOS security feature called Gatekeeper, which would otherwise warn the user that the application is unsigned and untrusted. (This is a very common technique used by Mac malware authors to effectively run malware on a host.) Clicking Open ran the embedded Mach-O executable, which led to the installation of FrigidStealer."

Newspaper publisher Lee Enterprises still recovering from ransomware attack.

US newspaper publisher Lee Enterprises continues to grapple with a cyberattack the company sustained on February 3rd, TechCrunch reports. The company said in an SEC filing that "threat actors unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files," indicating the incident was a ransomware attack. The company added, "The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments. Distribution of print publications across our portfolio of products experienced delays, and online operations were partially limited."