By the CyberWire staff
At a glance.
- Salt Typhoon exploits unpatched Cisco devices in campaign against telecoms.
- Russia's Seashell Blizzard expands its targeting.
- Chinese espionage actor may be moonlighting as ransomware attacker.
- Russian threat actors target Microsoft 365 accounts.
- Suspected New IRA members charged for possessing information from PSNI's 2023 data breach.
- Cybercrime and nation-state operations are increasingly entwined.
- Apple patches actively exploited zero-day.
- Stolen OpenAI credentials were likely obtained via infostealers, not a breach.
- CISA warns of actively exploited Trimble Cityworks vulnerability.
Salt Typhoon exploits unpatched Cisco devices in campaign against telecoms.
Recorded Future's Insikt Group warns that the Chinese state-sponsored threat actor Salt Typhoon (which Insikt Group tracks as "RedMike") continues to target telecommunication companies. Between December 2024 and January 2025, the researchers observed a campaign that exploited unpatched internet-facing Cisco network devices to compromise several organizations, including the US-based affiliate of a UK telecom provider and a South African telecom provider. The attacks exploited CVE-2023-20273, a privilege escalation flaw affecting the web UI feature of Cisco IOS XE Software.
Insikt Group states, "RedMike has attempted to exploit more than 1,000 Cisco devices globally. The group likely compiled a list of target devices based on their association with telecommunications providers' networks. Insikt Group also observed RedMike targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States (US), and Vietnam. RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft. In addition to this activity, in mid-December 2024, RedMike also carried out a reconnaissance of multiple IP addresses owned by a Myanmar-based telecommunications provider, Mytel."
Russia's Seashell Blizzard expands its targeting.
Microsoft has published a report on a hacking campaign dubbed "BadPilot" run by a subgroup of the threat actor Seashell Blizzard (also known as "Sandworm"), which is attributed to a unit of Russia's GRU. BadPilot is a multiyear initial access operation targeting vulnerable Internet-facing infrastructure. Notably, the group has expanded its targeting from Eastern Europe and Asia to include the US, the UK, Canada, and Australia.
Microsoft states, "Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises. Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, [and] arms manufacturing, in addition to international governments."
Chinese espionage actor may be moonlighting as ransomware attacker.
Symantec reports that a toolset tied to Chinese espionage actors was recently used in an RA World ransomware attack against an Asian software company. While Chinese state-sponsored actors often share toolsets with each other, these tools aren't usually associated with cybercrime. Symantec says, "The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit." The researchers add, "In all the prior intrusions involving the toolset, the attacker appeared to be engaged in classic espionage, seemingly solely interested in maintaining a persistent presence on the targeted organizations by installing backdoors."
Russian threat actors target Microsoft 365 accounts.
Volexity and Microsoft have published separate reports warning that multiple Russian threat actors are launching spearphishing attacks designed to compromise Microsoft 365 accounts. The threat actors are impersonating individuals from the US State Department, the Ukrainian Ministry of Defence, the European Union Parliament, and prominent research institutions. Volexity attributes the campaigns to at least three different Russian groups, including CozyLarch (which overlaps with Cozy Bear). Microsoft describes attacks from a Russian threat actor the company tracks as "Storm-2372."
Notably, the attacks involve a lesser-known technique called "device code phishing," in which users are tricked into granting access via the Microsoft Device Code OAuth workflow. Microsoft explains, "In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors."
Volexity says "this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns."
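A defender-side detection for the pattern Microsoft and Volexity describe, written for this page as an added example (not code from either report): it walks constructed Entra ID sign-in records and rates each device-code sign-in by how far its source IP and country depart from the user's recent interactive sign-ins. It assumes the Graph signIn field names shown (authenticationProtocol, ipAddress) and that the device-code sign-in event carries the address of the client that obtained the tokens; the records and the 30-day baseline window are constructed.

```python
"""Flag device-code sign-ins from locations a user has never used (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID sign-in log entries
# (field names from the Microsoft Graph signIn resource; values invented).
SIGNINS = [
    {"userPrincipalName": "a.hall@example.org", "createdDateTime": "2025-02-03T08:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "country": "US"},
    # Legitimate device-code use (e.g. a CLI tool) from the user's usual address.
    {"userPrincipalName": "a.hall@example.org", "createdDateTime": "2025-02-07T10:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "country": "US"},
    # Phished: the client that received the tokens sat at an address/country the user never used.
    {"userPrincipalName": "a.hall@example.org", "createdDateTime": "2025-02-12T14:21:03Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "country": "RU"},
    # Same country but a new IP for this user: a weaker signal.
    {"userPrincipalName": "b.ortiz@example.org", "createdDateTime": "2025-02-10T11:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.5", "country": "US"},
    {"userPrincipalName": "b.ortiz@example.org", "createdDateTime": "2025-02-12T16:05:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.99", "country": "US"},
]

BASELINE_WINDOW = timedelta(days=30)  # how far back a user's baseline reaches

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_alerts(signins):
    """Return (upn, time, ip, severity) for each device-code sign-in: 'high' if
    neither IP nor country appears in the user's earlier interactive sign-ins
    within the window, 'medium' if only the IP is new, otherwise 'low'."""
    by_user = defaultdict(list)
    for rec in sorted(signins, key=_ts):
        by_user[rec["userPrincipalName"]].append(rec)
    alerts = []
    for upn, recs in by_user.items():
        for i, rec in enumerate(recs):
            if rec["authenticationProtocol"] != "deviceCode":
                continue
            t = _ts(rec)
            baseline = [p for p in recs[:i] if p["authenticationProtocol"] != "deviceCode"
                        and t - _ts(p) <= BASELINE_WINDOW]
            if rec["ipAddress"] in {p["ipAddress"] for p in baseline}:
                severity = "low"
            elif rec["country"] in {p["country"] for p in baseline}:
                severity = "medium"
            else:
                severity = "high"
            alerts.append((upn, rec["createdDateTime"], rec["ipAddress"], severity))
    return alerts
```

Even a "low" result is worth a ticket in tenants that do not expect device-code sign-ins at all, since the flow is rarely needed outside input-constrained devices and CLI tooling.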
Suspected New IRA members charged for possessing information from PSNI's 2023 data breach.
Two men in Northern Ireland have been charged with terrorism offenses after being found in possession of information leaked in a data breach from the Police Service of Northern Ireland (PSNI), the BBC reports. The two men allegedly had spreadsheets on their phones containing the names of PSNI police officers and staff members. The defendants are charged under the UK's Terrorism Act 2000 for collecting information likely to be of use to terrorists.
The breach occurred in August 2023 when the PSNI mistakenly published personal details belonging to all of its nearly 10,000 officers and staff while complying with a Freedom of Information request. The Register notes that Commissioner Pete O'Doherty of the City of London Police called the incident "the most significant data breach that has ever occurred in the history of UK policing."
Following the breach, Assistant Chief Constable Chris Todd, the PSNI's Senior Information Risk Owner, stated, "Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately."
Cybercrime and nation-state operations are increasingly entwined.
Google has published a report on the national security risks presented by cybercrime, arguing that state-sponsored hacking "should not be evaluated in isolation from financially motivated intrusions." The researchers note that state-backed groups from Russia, China, and Iran are increasingly leveraging commodity malware and other resources purchased on criminal forums. Russia in particular is well-known for retaining criminal hackers to support government-backed operations. Meanwhile, North Korean state-sponsored hackers frequently have financial gain as one of their primary motives.
Google believes governments should elevate cybercrime to a national security priority in order to combat this trend: "Governments must recognize cybercrime as a pernicious national security threat and allocate resources accordingly. This includes prioritizing intelligence collection and analysis on cybercriminal organizations, enhancing law enforcement capacity to investigate and prosecute cybercrime, and fostering international cooperation to dismantle these transnational networks."
Apple patches actively exploited zero-day.
Apple has issued emergency security updates for iOS 18 and iPadOS 18 to fix a zero-day flaw (CVE-2025-24200) that the company says "may have been exploited in an extremely sophisticated attack against specific targeted individuals." The company explained, "A physical attack may disable USB Restricted Mode on a locked device." USB Restricted Mode is designed to block forensic tools from accessing data on devices that have been locked for more than an hour.
Apple credits the flaw's discovery to Bill Marczak from the University of Toronto's Citizen Lab. The company hasn't shared specifics on the potential exploitation, but BleepingComputer notes that Citizen Lab often focuses on exploits used by commercial spyware tools.
Stolen OpenAI credentials were likely obtained via infostealers, not a breach.
OpenAI says it's found no evidence of a breach after a hacker claimed to be selling credentials associated with 20 million OpenAI accounts, SecurityWeek reports. Researchers at KELA analyzed a sample of the allegedly stolen data, finding that the credentials were likely obtained via infostealer malware and compiled from different datasets. The credentials in the sample analyzed by KELA were tied to infections by the Redline, RisePro, StealC, Lumma, and Vidar infostealers. The researchers state, "The compromised credentials came from 14 distinct sources, classified by KELA as Private Data Leaks (originate from paid subscription bot selling TG channels), Public Data Leaks (widely shared stolen credentials, often appearing in public forums, dark web marketplaces, [or on Telegram] channels). Notably, the most prevalent source in the dataset was linked to over 118 million compromised credentials in KELA’s data lake."
CISA warns of actively exploited Trimble Cityworks vulnerability.
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that hackers are exploiting a flaw in Trimble Cityworks, an asset management tool primarily used by local governments and public infrastructure operators. The vulnerability (CVE-2025-0994) has been assigned a CVSS score of 8.6, and "could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server."
Trimble issued a fix for the flaw on January 29th, and CISA has ordered federal civilian agencies to apply the patch by February 28th.
Patch news.
Microsoft has issued patches for 56 vulnerabilities, including two actively exploited zero-days, KrebsOnSecurity reports. One of the zero-days is a privilege escalation flaw (CVE-2025-21391) in Windows Storage that can allow an attacker to delete targeted files on a system. The other zero-day is a buffer overflow vulnerability (CVE-2025-21418) that could allow an attacker to gain SYSTEM-level privileges.
Adobe has released fixes for 45 flaws across multiple products, including over a dozen critical flaws affecting Adobe Commerce, SecurityWeek notes.
Ivanti has issued patches for critical issues affecting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). One of the flaws (CVE-2025-22467) has been assigned a CVSS score of 9.9, and can lead to remote code execution.
Patch Tuesday also saw security fixes from chipmakers Intel, AMD, and Nvidia, as well as industrial firms Schneider Electric and Siemens.
Crime and punishment.
A 25-year-old Alabama man, Eric Council Jr., has pleaded guilty to his involvement in hacking the X account belonging to the US Securities and Exchange Commission (SEC), the Record reports. Council and co-conspirators gained access to the SEC's X account via a SIM swapping attack and tweeted that the SEC had approved BTC Exchange Traded Funds, causing the price of Bitcoin to spike and then drop sharply. The Justice Department says Council carried out the SIM swapping portion of the hack.
A 22-year-old Indiana man named Evan Frederick Light has been sentenced to twenty years in prison for hacking an investment holdings company located in South Dakota and stealing over $37 million worth of cryptocurrency from more than 600 clients.
A 48-year-old Arizona woman named Christina Marie Chapman has pleaded guilty to running a laptop farm for fraudulent North Korean IT workers, the Record reports. Chapman helped the overseas workers obtain remote IT positions at 300 US companies, generating over $17 million for herself and the North Korean government.