The CyberWire Daily Podcast 2.25.25
Ep 2252 | 2.25.25

Orange you glad you didn't fall for this?

Transcript

A hacker claims to have stolen internal documents from a major French telecommunications company. A security breach hits Russia’s financial sector. Cyberattacks targeting ICS and OT surged dramatically last year. Chinese group Silver Fox is spoofing medical software. The UK Home Office’s new vulnerability reporting policy risks prosecuting ethical hackers. Ransomware actors are shifting away from encryption. A sophisticated macOS malware campaign is distributing Poseidon Stealer. The LightSpy surveillance framework evolves into a cross-platform espionage tool. A Chinese botnet is targeting Microsoft 365 accounts using password spraying attacks. Our guest today is Lauren Buitta, Founder and CEO at Girl Security, discussing mentoring and intergenerational strategies. There may be a backdoor in your front door. 

Today is Tuesday February 25th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A hacker claims to have stolen internal documents from a major French telecommunications company.

A hacker named Rey claims to have stolen 6.5GB of internal documents from Orange Group, a major French telecommunications company and digital services provider, primarily affecting its Romanian branch. The breach exposed 380,000 unique email addresses, customer and employee data, invoices, contracts, and partial payment card details. Rey, a member of the HellCat ransomware group, says they accessed Orange’s systems for over a month using compromised credentials and vulnerabilities in Jira software. After exfiltrating data for three hours undetected, they attempted to extort Orange but were ignored. Orange confirmed the breach affected a non-critical back-office application, stating that customer operations were unaffected. The company is investigating and working with authorities. Rey denies this was a HellCat operation, though the group has previously targeted Schneider Electric and Telefónica.

A security breach hits Russia’s financial sector. 

Russia’s National Coordination Center for Computer Incidents (NKTsKI) has warned the country’s financial sector about a security breach at LANIT, a major IT service provider. LANIT, Russia’s largest system integrator, serves key government agencies, including the Ministry of Defense and military-industrial complex firms like Rostec. The attack, which occurred on February 21, 2025, affected two subsidiaries, LANTER and LAN ATMservice, both specializing in banking technology, ATMs, and payment systems. The breach could have serious implications for Russia’s banking infrastructure. Authorities have not disclosed the attack’s origin, method, or impact, but the incident suggests a potential supply chain compromise rather than a typical DDoS attack on banks.

Cyberattacks targeting ICS and OT surged dramatically last year. 

Cyberattacks targeting industrial control systems (ICS) and operational technology (OT) surged dramatically by 87% in 2024, according to cybersecurity firm Dragos. Ransomware attacks on industrial infrastructure also increased by 60%, reflecting heightened geopolitical tensions involving conflicts like Russia-Ukraine and China-Taiwan. Experts warn that state-sponsored groups, such as China’s Volt Typhoon, are infiltrating critical infrastructure, preparing potential future disruptions. Volt Typhoon has notably identified strategic U.S. targets, including power substations critical for military deployments. Alarmingly, non-state cybercriminals are gaining ICS expertise through collaboration with state actors, broadening attack capabilities and risks to critical infrastructure. This shift threatens more frequent, indiscriminate attacks as cybercriminal groups increasingly target industrial systems for financial or disruptive objectives.

Chinese group Silver Fox is spoofing medical software. 

A Chinese government-backed hacking group, Silver Fox, is spoofing medical software to infect hospital patients’ computers with backdoors, keyloggers, and cryptominers, according to Forescout’s Vedere Labs. The malware mimics Philips DICOM image viewers and other healthcare applications, tricking victims into installing ValleyRAT, a remote access tool. The attack uses PowerShell commands to evade detection and downloads encrypted payloads from Alibaba Cloud. While targeting individuals, the malware could spread into hospital networks through infected patient devices, posing a major cybersecurity risk to healthcare organizations.

The UK Home Office’s new vulnerability reporting policy risks prosecuting ethical hackers. 

The UK Home Office’s new vulnerability reporting policy risks prosecuting ethical hackers, even if they follow its guidelines, due to the Computer Misuse Act (CMA) of 1990. Unlike the Ministry of Defence (MoD), which assures researchers they won’t face prosecution, the Home Office offers no such protections, leaving them vulnerable to legal action. The CyberUp Campaign warns that the outdated CMA criminalizes all unauthorized access, discouraging responsible disclosure. While other countries have modernized laws to protect researchers, critics worry the UK’s delay is harming cybersecurity resilience.

Ransomware actors are shifting away from encryption. 

Ransomware actors are shifting away from encryption, with 80% of attacks in 2024 focusing solely on data exfiltration, which is 34% faster, according to ReliaQuest’s Annual Cyber-Threat Report. Attackers achieve lateral movement in as little as 27 minutes, leaving defenders little time to respond. Service accounts were compromised in 85% of breaches, often due to poor security management. Insufficient logging was the top cause of breaches, while legitimate remote access tools were used in two-thirds of critical intrusions. ReliaQuest advises AI-driven security, better monitoring, VPN security, and rapid vulnerability patching. Automation is now essential, as attackers move faster than ever.

A sophisticated macOS malware campaign is distributing Poseidon Stealer. 

A sophisticated macOS malware campaign is distributing Poseidon Stealer via a fake DeepSeek AI website, according to cybersecurity researchers. The malware bypasses macOS Gatekeeper and harvests sensitive data, including browser credentials, cryptocurrency wallets, and system keychains. Attackers use malvertising to lure victims to a counterfeit site, delivering the malicious DMG file. Poseidon employs anti-analysis techniques and exfiltrates stolen data via curl POST requests. Security experts recommend restricting osascript execution, using next-gen antivirus (NGAV), and educating users on Terminal-based threats to mitigate the risk.

Meanwhile, a privilege escalation vulnerability in Parallels Desktop remains unpatched, with two exploits publicly disclosed, allowing attackers to gain root access on Macs. Security researcher Mickey Jin bypassed Parallels’ previous fix for CVE-2024-34331, a flaw stemming from missing code signature verification. Despite seven months of warnings, Parallels has not addressed the issue, leaving all known versions vulnerable. Jin urges users to take proactive security measures as attackers could exploit this in the wild.

The LightSpy surveillance framework evolves into a cross-platform espionage tool. 

The LightSpy surveillance framework has evolved into a cross-platform espionage tool, now supporting over 100 commands to infiltrate Android, iOS, Windows, macOS, Linux, and routers, according to new research. Originally targeting messaging apps, it now focuses on stealing Facebook and Instagram database files, exposing private messages, contacts, and metadata. LightSpy also uses malicious plugins for keystroke logging, screen capture, and USB monitoring. The framework’s multi-OS reach and advanced evasion tactics pose a significant cyberespionage threat, requiring behavior-based detection strategies for effective defense.

A Chinese botnet is targeting Microsoft 365 accounts using password spraying attacks. 

A Chinese botnet with 130,000+ compromised devices is targeting Microsoft 365 accounts using password spraying attacks that bypass multifactor authentication (MFA), according to SecurityScorecard. The botnet exploits non-interactive sign-ins, which often go unnoticed in security logs, allowing attackers to access emails, documents, and collaboration tools. The campaign, linked to Chinese infrastructure, poses a major threat to financial, healthcare, government, and tech sectors. Attackers also risk business disruption by triggering account lockouts. Security teams must monitor non-interactive sign-in logs to detect this evolving attack.
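One way to implement the monitoring the report recommends, as an added example that is not part of the episode or of SecurityScorecard's research: it reads constructed records shaped like Entra ID sign-in log entries (the field names and AADSTS error codes are assumed from the Microsoft Graph signIn resource, not taken from the episode) and flags a source IP that touches many distinct accounts non-interactively inside a short window, the low-and-slow signature of a spray that per-account failure thresholds miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password
ACCOUNT_LOCKED = 50053    # AADSTS50053: account locked by lockout policy

def _t(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(events, window=timedelta(hours=1), min_users=5):
    """Return {ip: finding} for source IPs whose non-interactive sign-ins
    touch at least min_users distinct accounts inside any single window."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["isInteractive"]:  # the campaign hides in non-interactive sign-ins
            by_ip[e["ipAddress"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_t)
        start = 0
        for i, e in enumerate(evs):
            while _t(evs[start]) < _t(e) - window:
                start += 1  # slide the window forward
            if len({x["userPrincipalName"] for x in evs[start:i + 1]}) >= min_users:
                codes = [x["errorCode"] for x in evs]
                findings[ip] = {
                    "distinct_users": len({x["userPrincipalName"] for x in evs}),
                    "failures": codes.count(INVALID_PASSWORD),
                    "lockouts": codes.count(ACCOUNT_LOCKED),  # the disruption side effect
                    "successes": sorted(x["userPrincipalName"] for x in evs if x["errorCode"] == 0),
                }
                break
    return findings

def ev(user, ip, minute, code, interactive=False):
    """Build a constructed sign-in record in the shape of an Entra ID log entry."""
    return {"userPrincipalName": f"{user}@example.com", "ipAddress": ip,
            "createdDateTime": f"2025-02-25T10:{minute:02d}:00Z",
            "errorCode": code, "isInteractive": interactive}

# Constructed sample: one IP walks six accounts with a single guess each,
# one user legitimately refreshes tokens, and an office NAT shows interactive logins.
SAMPLE = [ev(u, "203.0.113.7", 2 * i, INVALID_PASSWORD)
          for i, u in enumerate(["alice", "bob", "carol", "dave"])]
SAMPLE += [ev("eve", "203.0.113.7", 8, ACCOUNT_LOCKED), ev("frank", "203.0.113.7", 10, 0)]
SAMPLE += [ev("bob", "198.51.100.20", m, 0) for m in (5, 35)]
SAMPLE += [ev(u, "192.0.2.9", 15, 0, interactive=True) for u in ("a", "b", "c", "d", "e")]
```

Calling detect_spray(SAMPLE) reports only the spraying IP, with the one account it actually got into listed under "successes" so it can be reset first.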

CISA adds an Oracle Agile PLM flaw to its Known Exploited Vulnerabilities (KEV) catalog. 

CISA has added CVE-2024-20953, an Oracle Agile PLM flaw, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity deserialization vulnerability, patched in January 2024, allows low-privileged attackers to execute arbitrary code. While no public reports confirm active exploitation, experts believe attackers likely use it post-initial access. Oracle vulnerabilities, particularly WebLogic flaws, remain frequent attack targets.


Our guest is next. I speak with Founder and CEO of Girl Security Lauren Buitta about mentoring and intergenerational strategies to get more girls and young women in the national security space. And, a truly open-door policy where one default password unlocks dozens of apartment buildings. We’ll be right back.

Welcome back

There may be a backdoor in your front door. 

Imagine if the key to your front door was published in the installation manual—and no one bothered to change it. That’s basically what’s happening with Hirsch’s Enterphone MESH door access system. A security researcher, Eric Daigle, discovered that dozens of buildings across the U.S. and Canada are still using the default, unchangeable-by-design password. And yes, it’s right there in the manual for anyone to find.

Hirsch’s response? “That’s not a bug, it’s a feature!” The company insists that customers should have read the instructions and changed the password themselves. Spoiler: many didn’t. As a result, elevators, office doors, and even entire residential buildings are just a login away from unauthorized access.

The flaw, now officially CVE-2025-26793, is a perfect 10 on the “Oh no” scale—but Hirsch won’t fix it. Instead, they emailed customers a polite reminder to read the manual. RTFM, my friends. RTFM…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.