Daily Briefing for 03.04.25

At a glance.

• CISA says it will continue monitoring Russian cyber threats.
• Broadcom patches zero-days that can lead to VM escape.
• Ransomware attack against Lee Enterprises is still disrupting contractor payments.
• Palau's health ministry recovers from ransomware attack.

CISA says it will continue monitoring Russian cyber threats.

The US Department of Homeland Security says the Cybersecurity and Infrastructure Security Agency (CISA) will continue monitoring cyber threats from Russia, asserting that media reports to the contrary are false. The Guardian reported over the weekend that CISA staff received a memo directing them to prioritize threats from China, with no mention of Russia. Tricia McLaughlin, Assistant Secretary for Public Affairs at DHS, told CyberScoop that such a memo was never sent, adding, "CISA remains committed to addressing all cyber threats to U.S. critical infrastructure, including from Russia. There has been no change in our posture or priority on this front."

The Guardian's story is separate from reports that Defense Secretary Pete Hegseth ordered Cyber Command to halt offensive operations against Russia during negotiations over the war in Ukraine. The Pentagon hasn't officially commented on these reports, but Bloomberg cites an anonymous senior defense official as saying that "Hegseth has neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority."

Kim Zetter at Zero Day has written up a useful summary that clarifies reporting on these two stories.

Broadcom patches zero-days that can lead to VM escape.

Broadcom has issued patches for three actively exploited zero-days affecting VMware ESX and any products that contain ESX, including vSphere, Cloud Foundation, and Telco Cloud Platform, SecurityWeek reports. Broadcom warns that the vulnerabilities can lead to a virtual machine escape, stating, "This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself."

Ransomware attack against Lee Enterprises is still disrupting contractor payments.

US newspaper publisher Lee Enterprises is still grappling with a ransomware attack that occurred on February 3rd, TechCrunch reports. Freelancers and contractors who work for the company told TechCrunch they haven't been paid for their work since the attack took place. One contractor is owed thousands of dollars, and has no timeline for when Lee's payment system will be up and running again.

Lee Enterprises itself has avoided using the term "ransomware," but it mentioned in an SEC filing that the attackers "encrypted critical applications and exfiltrated certain files." The Qilin ransomware gang last week claimed responsibility for the attack. The filing also noted that the incident disrupted "distribution of products, billing, collections, and vendor payments."

Palau's health ministry recovers from ransomware attack.

The island nation of Palau's Ministry of Health and Human Services (MHHS) is recovering from a ransomware attack it sustained on February 17th, the Record reports. The ministry attributed the attack to the Qilin ransomware gang, adding that the crooks were able to exfiltrate data during the incident. The MHHS stated, "Based on the kind of information that has been stolen, MHHS and its cyber advisors do not perceive any significant impact to the security of individual Palauans. However, MHHS recommends that all Palauans remain vigilant against potential fraud and/or phishing emails that may attempt to use this incident as a means of getting you to release personal information." The ministry added that the attack was "a heinous crime by greedy cyber criminals that has put our ability to provide critical medical care and lifesaving emergency services at risk."

A "defend forward" team from US Cyber Command is on-site assisting with the investigation.