
PAN-ic mode: The race to secure PAN-OS.
Palo Alto Networks confirms a recently patched firewall vulnerability is being actively exploited. CISA warns of an actively exploited iOS vulnerability. Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability. The acting commissioner of the Social Security Administration (SSA) resigns after Elon Musk’s team sought access to sensitive personal data of millions of Americans. The EagerBee malware framework is actively targeting government agencies and ISPs across the Middle East. Proofpoint researchers document a new macOS infostealer. A new phishing kit uses timesheet notification emails to steal credentials and two-factor authentication codes. JPMorgan Chase will begin blocking Zelle payments to social media contacts to combat online scams. Our guest is Tim Starks from CyberScoop discussing his interview with former National Cyber Director Harry Coker. Transferring your digital legacy.
Today is Tuesday February 18th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Palo Alto Networks confirms a recently patched firewall vulnerability is being actively exploited.
Palo Alto Networks has confirmed that CVE-2025-0108, a recently patched firewall vulnerability, is being actively exploited. The flaw, disclosed on February 12, allows unauthenticated attackers to bypass authentication and execute PHP scripts via the PAN-OS management interface.
Threat intelligence firm GreyNoise detected exploit attempts starting February 13, with attacks originating from nearly 30 unique IPs. The vulnerability can be chained with CVE-2024-9474 for remote code execution, posing a serious risk to unpatched systems.
A proof-of-concept (PoC) exploit is publicly available, and researchers warn that roughly 3,500 PAN-OS management interfaces remain exposed. Palo Alto urges immediate patching, emphasizing that securing external-facing management interfaces is critical. Assetnote, which discovered the flaw, coordinated disclosure with Palo Alto, arguing transparency helps defenders track attacks rather than leaving organizations vulnerable in the dark.
CISA warns of an actively exploited iOS vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about CVE-2025-24200, a zero-day vulnerability in Apple iOS and iPadOS, actively exploited in targeted attacks. The flaw, an authorization bypass in Apple’s USB Restricted Mode, allows attackers with physical access to disable security protections on locked devices, potentially exposing sensitive data.
Apple confirmed the exploit has been used in highly sophisticated attacks against high-value individuals, possibly by state-sponsored groups. The vulnerability affects a wide range of Apple devices, including iPhone XS and later models.
Emergency patches were released on February 10, 2025, and CISA urges users to update before March 5. While no specific surveillance vendors are named, the attack methods resemble those used by firms like NSO Group. Users should update immediately and enforce physical security measures.
Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability.
Juniper Networks has issued a critical security advisory for CVE-2025-21589, an API authentication bypass vulnerability affecting Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to gain full administrative control by injecting spoofed JWTs, bypassing authentication checks.
Attackers can exploit this flaw to modify routing policies, intercept encrypted traffic, and move laterally across networks. The vulnerability affects multiple software versions and requires network adjacency but no user interaction. Juniper discovered the issue through internal testing, with no known exploitation as of February 18, 2025.
Patches are available, and cloud-managed WAN Assurance routers received automatic fixes. Organizations must apply updates immediately, audit configurations, monitor API requests, and implement network segmentation to mitigate risks. Unpatched systems pose serious threats to SD-WAN and 5G infrastructure.
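The Juniper advisory describes the flaw as an authentication bypass through spoofed JWTs. The following is an added example, not Juniper's code and not a claim about the root cause of CVE-2025-21589: it shows the general class of bug, a token check that trusts the algorithm named in the token's own header and never verifies the signature, next to a strict verifier that pins the algorithm server-side and compares the HMAC in constant time. The secret, the claims and the unsigned test token are all constructed here for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the demo; a real service loads this from a secret store.
SERVER_SECRET = b"demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that compact JWT serialization strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed JWT in compact serialization (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def weak_verify(token: str) -> Optional[dict]:
    """Broken check: honours whatever 'alg' the token declares and never checks the signature.

    Any client can hand this verifier an unsigned token naming any role it likes.
    """
    try:
        header_b64, payload_b64, _sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") not in ("HS256", "none"):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64 and JSON
        return None


def strict_verify(token: str, secret: bytes) -> Optional[dict]:
    """Correct check: the server decides the algorithm and the signature must match."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # pinned server-side; 'none' and key-confusion variants are rejected
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def unsigned_admin_token() -> str:
    """Constructed negative test vector: 'alg: none' header, admin claim, empty signature."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(b'{"sub":"anyone","role":"admin"}')
    return f"{header}.{payload}."


def tampered_token(secret: bytes) -> str:
    """Constructed negative test vector: a genuine token whose payload was edited after signing."""
    genuine = issue_token({"sub": "ops", "role": "viewer"}, secret)
    header_b64, _payload_b64, sig_b64 = genuine.split(".")
    edited_payload = _b64url_encode(b'{"sub":"ops","role":"admin"}')
    return f"{header_b64}.{edited_payload}.{sig_b64}"


if __name__ == "__main__":
    good = issue_token({"sub": "ops", "role": "admin"}, SERVER_SECRET)
    for name, tok in [("genuine", good), ("unsigned", unsigned_admin_token()), ("tampered", tampered_token(SERVER_SECRET))]:
        print(f"{name:9s} weak={weak_verify(tok) is not None}  strict={strict_verify(tok, SERVER_SECRET) is not None}")
```

Two habits carry over to any token-checking API front end: never read the algorithm from untrusted input, and treat a signature mismatch the same as a missing token. Logging rejected tokens with their declared `alg` and claimed subject gives the "monitor API requests" step in the advisory something concrete to alert on.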
The acting commissioner of the Social Security Administration (SSA) resigns after Elon Musk’s team sought access to sensitive personal data of millions of Americans.
Turning to Washington, Michelle King, the acting commissioner of the Social Security Administration (SSA), resigned after Elon Musk’s team sought access to sensitive personal data of millions of Americans. Musk’s so-called Department of Government Efficiency has been embedding in federal agencies, claiming to root out fraud and waste.
The SSA, which manages $1.5 trillion in benefits, reported $71.8 billion in improper payments from 2015-2022—less than 1% of total disbursements. Musk’s team sought access to an internal database containing financial, employment, and medical records, raising serious privacy concerns.
Former SSA commissioner Martin O’Malley refuted Musk’s claims of mass fraudulent payments, calling them baseless. Amid controversy, Trump’s nominee for SSA leadership, Frank Bisignano, awaits Senate confirmation. The White House backs Musk’s broader data-access initiatives.
The EagerBee malware framework is actively targeting government agencies and ISPs across the Middle East.
The EagerBee malware framework is actively targeting government agencies and ISPs across the Middle East, including Saudi Arabia, UAE, and Qatar. Linked to the Chinese-aligned APT27 (CoughingDown), the malware employs advanced backdoor capabilities through DLL hijacking and process hollowing.
The UAE Cyber Security Council urges organizations to patch Exchange servers, monitor modified DLLs, and review service configurations. Immediate memory analysis is recommended as EagerBee leaves minimal disk traces.
Proofpoint researchers document a new macOS infostealer.
A new macOS malware campaign has emerged. On February 18, Proofpoint reported the discovery of FrigidStealer, a new macOS infostealer linked to the TA569 threat group, also known as Mustard Tempest and Purple Vallhund.
TA569, previously known for FakeUpdates/SocGholish attacks, now collaborates with two new groups, TA2726 and TA2727. TA2727 recently deployed FrigidStealer alongside Windows and Android malware, while TA2726 functions as a traffic distribution service.
In early 2025, Proofpoint observed TA2726 redirecting traffic—North American users to TA569 and others to TA2727, which distributed malware like Lumma Stealer, DeerStealer, and Marcher. The FrigidStealer campaign, detected in January 2025, tricked Mac users into downloading malware through fake update pages.
Security experts warn that evolving collaboration among threat actors makes these campaigns increasingly sophisticated and harder to track.
Meanwhile, a new XCSSET malware variant is targeting macOS users, Microsoft reports. Originally discovered in 2020, XCSSET spreads through Apple Xcode, infecting systems when compromised projects are executed. It steals data from chat apps, injects JavaScript, takes screenshots, and encrypts files.
The latest variant employs new obfuscation techniques, enhanced persistence, and novel infection methods. It randomizes payload generation, drops payloads into shell launch files, and manipulates Launchpad’s dock path to execute malware.
Microsoft also observed new payload injection techniques using TARGET, RULE, and FORCED_STRATEGY methods in Xcode projects. The malware continues to target digital wallets, Notes app data, and system files.
With these upgrades, XCSSET remains a stealthy and evolving macOS threat.
A new phishing kit uses timesheet notification emails to steal credentials and two-factor authentication codes.
Cybersecurity researchers have uncovered a phishing campaign using the Tycoon 2FA phishing kit, disguised as timesheet notification emails to steal credentials and two-factor authentication codes. Attackers abuse Pinterest’s redirect service to bypass security filters before leading victims to a malicious Russian-hosted site.
Tycoon 2FA is evolving, now featuring obfuscated JavaScript, geofencing, and adaptive phishing forms mimicking Microsoft 365, Salesforce, and banking portals. This multi-platform credential theft suggests collaboration with ransomware groups.
Threat actors increasingly exploit trusted platforms like Pinterest to evade detection, rendering traditional perimeter defenses ineffective. Experts recommend organizations implement behavior-based detection systems and strict access controls to counter these evolving threats.
JPMorgan Chase will begin blocking Zelle payments to social media contacts to combat online scams.
JPMorgan Chase will begin blocking Zelle payments to social media contacts starting March 23 to combat a rise in online scams. Nearly 50% of reported fraud cases involving Zelle or wire transfers between June and December 2024 originated on social media.
Zelle, a widely used digital payments service, offers fast bank-to-bank transfers but lacks purchase protection, making it a prime target for scammers. Chase’s updated policy warns that Zelle should only be used to pay trusted individuals, not social media sellers.
This change follows a CFPB lawsuit against Zelle’s operator, Early Warning Services, and three major banks—including Chase—accusing them of rushing Zelle to market without proper consumer protections. The lawsuit claims hundreds of thousands of users lost over $870 million.
Chase may delay, decline, or block payments deemed high-risk and request additional transaction details to mitigate fraud risks.
Our guest today is Tim Starks, sharing some insights from his interview with former National Cyber Director Harry Coker. And, transferring your digital legacy. We’ll be right back.
Welcome back.
Transferring your digital legacy.
And finally, let's be honest—most of us spend more time online than in real life. But what happens to all that digital baggage when we log off… for good?
Estate planning usually focuses on money, property, and who gets Grandma’s antique clock—but what about your social media, emails, and cloud-stored cat photos? If you don’t leave instructions, your loved ones might be stuck navigating a bureaucratic nightmare of forgotten passwords and locked accounts.
A handy guide from The New York Times suggests you start by creating a digital directive—a simple document outlining who gets access to your online accounts and what should happen to them. Keep your credentials in a secure password manager or an old-school notebook (just don’t tape it to your monitor).
And don’t forget to assign a legacy contact for Apple, Google, and Facebook. Because if you don’t, your profile could end up as a haunting reminder—or worse, a playground for hackers. Plan ahead, and save your loved ones the headache!
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.