The CyberWire Daily Podcast 3.11.25
Ep 2262 | 3.11.25

X marks the hack.

Transcript

X-Twitter had multiple waves of outages yesterday. Signal’s president warns against agentic AI. A new lawsuit alleges DOGE bypassed critical security safeguards. Is the Five Eyes Alliance fraying? The Minja attack poisons AI memory through user interaction. Researchers report increased activity from the SideWinder APT group. A critical Veritas vulnerability enables remote code execution. A Kansas healthcare provider breach exposes 220,000 patients’ data. New York sues Allstate over data exposure in insurance websites. CISA warns of critical Ivanti and VeraCore vulnerabilities. FTC to refund $25.5 million to victims of tech support scams. On our Industry Voices segment, we are joined by Gerald Beuchelt, CISO at Acronis, who is discussing how threat research and intelligence matter to MSPs. The UK celebrates a record-breaking CyberFirst Girls Competition.

Today is Tuesday, March 11th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

X-Twitter had multiple waves of outages yesterday. 

A cyberattack caused outages on X (formerly Twitter) on Monday, with reports indicating multiple attack waves. While Elon Musk called it a “massive cyberattack” and suggested a coordinated group or nation-state was involved, details remain unclear. Musk later pointed to IP addresses from Ukraine, but sources say most attack traffic came from the US, Vietnam, and Brazil.

The attack was likely a distributed denial-of-service (DDoS) attack, where compromised devices overwhelm a system with traffic. The Dark Storm Team, a pro-Palestine hacktivist group possibly linked to Russia, claimed responsibility. Other groups, including Anonymous-affiliated hacktivists, also took credit, but verifying these claims is difficult.

Cyberattacks like these often blur the lines between hacktivism, cybercrime, and state-sponsored operations. X has been targeted before, including by Anonymous Sudan, a group whose members were recently charged in the US for offering DDoS services. Investigations into this latest attack are ongoing.

Signal’s president warns against agentic AI. 

Speaking at the SXSW conference, Signal President Meredith Whittaker warned that agentic AI poses serious privacy and security risks. She compared AI agents to “putting your brain in a jar,” as they perform tasks on users’ behalf, such as booking tickets, managing calendars, and sending messages.

To function, these agents would need deep access to users’ systems, including web browsing, credit card details, messaging apps, and calendars—likely with root-level permissions. She cautioned that processing such tasks would almost certainly happen on cloud servers, exposing sensitive data.

Whittaker stressed that integrating AI agents with secure messaging apps like Signal would compromise message privacy. She also criticized the AI industry’s reliance on mass data collection, arguing that prioritizing “bigger is better” AI risks further eroding privacy in exchange for convenience.

A new lawsuit alleges DOGE bypassed critical security safeguards. 

A lawsuit alleges the Department of Government Efficiency (DOGE) bypassed critical security safeguards at the Social Security Administration (SSA), risking exposure of sensitive data. Former SSA Acting Chief of Staff Tiffany Flick warned that DOGE operatives, led by Mike Russo, pressured officials to grant system access to Akash Bobba, despite unresolved security clearances. DOGE’s push for unrestricted data access ignored federal protections designed to prevent financial exploitation and unauthorized system breaches.

Flick accused DOGE of forcing staff to share highly sensitive information via potentially unsecured email channels, relying on AI tools to analyze data and determine federal job cuts. She resigned after security policies were disregarded and Leland Dudek, a mid-level analyst, was elevated to acting commissioner.

The AFL-CIO-backed lawsuit warns that DOGE’s actions jeopardize national security, with federal cybersecurity experts sounding alarms over mass government dismissals and weakened data protection measures.

Is the Five Eyes Alliance fraying? 

NBC News reports several U.S. allies are reconsidering their intelligence-sharing protocols, fearing that Trump’s warming ties with Russia could compromise sensitive data. Sources say concerns center on protecting foreign assets, as intelligence agencies are bound by strict commitments to shield sources’ identities.

Members of the Five Eyes alliance (UK, Canada, Australia, New Zealand), along with Israel and Saudi Arabia, are evaluating whether to limit intelligence flow to Washington. While publicly downplaying concerns, some officials privately question U.S. reliability and the risk of intelligence leaks.

Trump’s recent pauses in intelligence assistance to Ukraine and the reported halt of cyber operations against Russia have heightened security worries. Some fear a U.S.-Russia cyber détente, despite Russia’s history of harboring cybercriminals. Former intelligence officials warn that Moscow is an unreliable partner, and scaling back intelligence-sharing could undermine global security efforts.

The Minja attack poisons AI memory through user interaction.

Researchers from Michigan State University, University of Georgia, and Singapore Management University have uncovered a new attack method that manipulates AI models with memory, without requiring backend access. Dubbed MINJA (Memory INJection Attack), the technique allows a regular user to poison an AI’s memory simply by interacting with it.

The attack injects misleading prompts into the model’s memory, altering future responses. Tested on GPT-4-powered AI agents, MINJA tricked a medical chatbot into swapping patient records, a webshop AI into misdirecting purchases, and a QA agent into answering questions incorrectly.

With over 95% injection success, MINJA bypasses traditional moderation filters by disguising manipulations as legitimate reasoning. The findings highlight serious security risks for AI systems with memory, urging immediate improvements in AI memory safeguards. OpenAI has not yet commented on the vulnerability.

Researchers report increased activity from the SideWinder APT group. 

Researchers at Securelist report increased activity from the SideWinder APT group in 2024, with enhanced malware, expanded targets, and global reach. Traditionally focused on military and government entities, the group now targets maritime, logistics, and nuclear sectors across South Asia, Southeast Asia, the Middle East, and Africa.

Using spear-phishing emails, SideWinder exploits the CVE-2017-11882 vulnerability to deploy StealerBot, a post-exploitation toolkit. Their malware, disguised as legitimate DLL files, includes advanced evasion techniques like Control Flow Flattening.

SideWinder rapidly adapts, modifying malware within five hours of detection. Their continued reliance on old vulnerabilities underscores the importance of patching outdated systems to defend against sophisticated threats targeting critical infrastructure worldwide.

A critical Veritas vulnerability enables remote code execution.

A severe remote code execution (RCE) flaw in Veritas Arctera InfoScale (CVE-2025-27816, CVSS 9.8) exposes enterprise disaster recovery (DR) infrastructure to attack. The issue stems from insecure deserialization in the Windows Plugin_Host service, allowing attackers to execute arbitrary code via malicious .NET remoting messages.

The flaw affects InfoScale versions 7.0–8.0.2 on Windows, with SYSTEM-level privilege risks. Veritas advises disabling Plugin_Host or using manual DR configurations to mitigate exposure. Security experts warn that outdated technologies like .NET deserialization remain prime targets, requiring proactive defense beyond patching. Organizations must audit DR workflows to prevent exploitation.

A Kansas healthcare provider breach exposes 220,000 patients’ data. 

A December cyberattack on Sunflower Medical Group compromised 221,000 patients’ sensitive data, including Social Security numbers, medical records, and insurance details. The breach, discovered January 7, revealed hackers had been inside the system since mid-December, stealing files.

While Sunflower has not confirmed a ransomware attack, the Rhysida ransomware gang claimed responsibility, demanding $800,000. The company notified regulators, offered credit monitoring, and stated no operational disruptions occurred. Rhysida has previously targeted healthcare and nonprofit organizations, heightening concerns over medical data security.

New York sues Allstate over data exposure in insurance websites.

New York State is suing Allstate Insurance for failing to secure personal data, allowing criminals to steal thousands of driver’s license numbers from poorly designed quote-generating websites. The issue stemmed from National General, an Allstate unit, which exposed driver’s license numbers in plain text during the quoting process. Fraudsters exploited the system, harvesting at least 12,000 records for identity theft and unemployment fraud.

The breach went undetected for over two months, with 9,100 New Yorkers affected—yet National General failed to notify them, violating state laws. Another 187,000 individuals’ data was compromised due to weak access controls, including plain-text passwords and no multi-factor authentication for insurance agents.

New York seeks penalties and an injunction against continued security failures. Texas has also sued Allstate for allegedly collecting telematics data without user consent, further raising privacy concerns.

CISA warns of critical Ivanti and VeraCore vulnerabilities. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three critical Ivanti Endpoint Management vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) to its Known Exploited Vulnerabilities (KEV) catalog. These path traversal flaws (CVSS 9.8) allow unauthenticated attackers to leak sensitive information remotely.

CISA also flagged two VeraCore vulnerabilities, including CVE-2024-57968 (CVSS 9.9), an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. The agency urges all organizations to immediately patch these issues to prevent cyberattacks.

Ivanti software has faced multiple exploitations in 2025, with previous Connect Secure and Cloud Service Appliance vulnerabilities actively targeted by threat actors.

FTC to refund $25.5 million to victims of tech support scams. 

The Federal Trade Commission (FTC) will begin distributing $25.5 million in refunds to 736,375 consumers deceived by Restoro and Reimage, tech support companies that used fake system warnings to trick users into paying for unnecessary computer repairs.

These firms impersonated Windows pop-ups, falsely claiming devices had malware or performance issues. Investigators found their software fabricated security threats to push users into buying repair plans ranging from $58 to $499.

Fined $26 million in 2024, the companies are now banned from deceptive telemarketing. The FTC continues to crack down on fraudulent tech practices, previously targeting TurboTax, Avast, and data brokers. Refunds will be sent via PayPal starting March 13, with recipients needing to redeem them within 30 days.

Coming up after the break we are joined by Gerald Beuchelt, CISO at Acronis, who is discussing how threat research and intelligence matter to MSPs, and afterwards stick around for a record-breaking CyberFirst Girls Competition.

I recently sat down with Gerald Beuchelt, CISO at Acronis, to discuss how threat research and intelligence matter to MSPs. Here’s our conversation.

That was Gerald Beuchelt. We will have more on their research in our show notes; be sure to check it out.

The UK celebrates a record-breaking CyberFirst Girls Competition. 

And finally, this year’s CyberFirst Girls Competition in the UK has not only crowned its winners but also inspired the next generation of cybersecurity professionals. In a record-breaking year, 14,500 girls across 4,159 teams took on the challenge, showcasing brilliant problem-solving, teamwork, and determination.

At a ceremony at Jodrell Bank, Hillcrest School in Birmingham was named “Top Scoring State Newcomer”, while Henrietta Barnett School in North London took “Top Scoring Team”. With regional champions and special award winners also honored, the event coincided perfectly with International Women’s Day, highlighting the industry’s need for more female representation.

Chris Ensor of the NCSC expressed gratitude to teachers, sponsors, and participants, emphasizing the importance of encouraging young women into cyber careers. With just 17% of cybersecurity roles filled by women, competitions like CyberFirst are critical in closing the industry’s skills gap and shaping a more diverse future.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.