By the CyberWire staff
At a glance.
- US senators request transparency surrounding the UK's demands for encryption backdoors.
- Trump nominates Sean Plankey as new CISA director.
- Chinese threat actor targets Juniper routers.
- New ransomware operator targets Fortinet vulnerabilities.
- Attackers exploit critical PHP flaw patched last June.
US senators request transparency surrounding the UK's demands for encryption backdoors.
A bipartisan group of US Senators on Thursday published a letter urging the UK's Investigatory Powers Tribunal to "remove the cloak of secrecy" around reported requests to US companies for encryption backdoors. Apple reportedly received a Technical Capability Notice (TCN) under the UK's Investigatory Powers Act, requiring the company to provide the UK's security services with a way to access encrypted messages. Apple is barred by UK law from confirming whether it received such a notice, but ComputerWeekly reports that the company is contesting the order in a closed court.
The Record notes that Google declined to say whether it had received a similar notice. The company told Senator Ron Wyden (Democrat of Oregon) that if it had received such a request, "it would be prohibited from disclosing that fact." The senators said in their letter, "The UK’s attempted gag has already restricted U.S. companies from engaging in speech that is constitutionally protected under U.S. law and necessary for ongoing Congressional oversight."
US Director of National Intelligence Tulsi Gabbard has ordered a legal review of the UK government's demand, calling it "a clear and egregious violation of Americans’ privacy and civil liberties." President Trump said he raised the issue in a meeting with Prime Minister Keir Starmer, comparing the request to "something you hear about with China."
Trump nominates Sean Plankey as new CISA director.
President Trump has nominated Sean Plankey to run the Cybersecurity and Infrastructure Security Agency (CISA), CyberScoop reports. Plankey is a former Coast Guard officer who served as a director for cyber policy on the White House's National Security Council during the first Trump administration, focusing on maritime and Pacific cybersecurity policy. He also served as principal deputy assistant secretary for the Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response.
Plankey’s nomination now goes to the Senate for a confirmation vote. Axios notes that "[i]ndustry insiders on both sides of the aisle are likely to be pleased with his selection," and his nomination is unlikely to face pushback from Congress.
Chinese threat actor targets Juniper routers.
Mandiant warns that the China-aligned threat actor UNC3886 last year deployed new custom malware on Juniper Networks’ Junos OS routers. The TINYSHELL-based backdoors "had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device." The infected routers were running end-of-life hardware and software, and Mandiant recommends that organizations "upgrade their Juniper devices to the latest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT)."
New ransomware operator targets Fortinet vulnerabilities.
Forescout warns that a new ransomware operator is exploiting two recently patched Fortinet firewall vulnerabilities to deploy a custom strain of ransomware dubbed "SuperBlack." SuperBlack was crafted with the builder for LockBit 3.0, which leaked online in 2022.
The attacker is targeting CVE-2024-55591 and CVE-2025-24472, which can be used to gain administrator privileges on vulnerable FortiOS devices. A proof-of-concept exploit has been available since late January, and Forescout recommends that organizations patch these flaws as soon as possible. The researchers note that there are over 7,000 exposed FortiGate firewalls in the United States alone.
Attackers exploit critical PHP flaw patched last June.
Researchers at GreyNoise are tracking mass exploitation of a critical remote code execution flaw affecting PHP, SecurityWeek reports. The vulnerability (CVE-2024-4577) was patched last June, and dozens of exploits are available. The flaw, which received a CVSS score of 9.8, can be exploited to compromise Windows servers that are using Apache and PHP-CGI.
Patch news.
Microsoft on Tuesday issued patches for 57 vulnerabilities, including six actively exploited zero-days, KrebsOnSecurity reports.
Apple has released an emergency patch for a critical zero-day affecting its WebKit browser engine. The company says the flaw "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2."
Facebook has disclosed an actively exploited out-of-bounds write vulnerability affecting the open-source font rendering library FreeType, BleepingComputer reports. The flaw, tracked as CVE-2025-27363, can lead to arbitrary code execution.
Crime and punishment.
A dual Russian and Israeli national has been extradited from Israel to the United States for his alleged role in the LockBit ransomware gang. The US Justice Department said 51-year-old Rostislav Panev "acted as a developer of the LockBit ransomware group from its inception in or around 2019 through at least February 2024."
Courts and torts.
The state of New York has sued Allstate Insurance for alleged security lapses related to a website that leaked consumer data, Reuters reports. The lawsuit says Allstate's National General business unit ran a website that allowed consumers to request quotes for policies, which inadvertently enabled users to view driver's license numbers belonging to anyone living at a given address. The suit adds that bad actors used the tool to scrape driver's license numbers belonging to just under 200,000 people.
Allstate told The Register in a statement, "We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver's license numbers."