The CyberWire Daily Podcast 4.9.25
Ep 2283 | 4.9.25

Major breach at the US Treasury’s OCC.

Transcript

Treasury’s OCC reports a major email breach. Patch Tuesday updates. A critical vulnerability in AWS Systems Manager (SSM) Agent allowed attackers to execute arbitrary code with root privileges. Experts urge Congress to keep strict export controls to help slow China’s progress in AI. A critical bug in WhatsApp for Windows allows malicious code execution. CISA adds multiple advisories on actively exploited vulnerabilities. Insider threat allegations rock a major Maryland medical center. Microsoft’s Ann Johnson from Afternoon Cyber Tea is joined by Jack Rhysider, the creator and host of the acclaimed podcast Darknet Diaries. Feds Aim to Rewrite Social Security Code in Record Time.

Today is Wednesday, April 9th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Treasury’s OCC reports a major email breach. 

The U.S. Treasury’s Office of the Comptroller of the Currency (OCC) reported a major email breach, discovered on February 12, 2025. The incident involved unauthorized access to 103 email accounts, including those of OCC executives and staff. Hackers accessed around 150,000 emails dating back to May 2023. Some messages contained sensitive information on federally regulated banks used for oversight and examinations. The breach was initially flagged by Microsoft, which alerted the OCC. While the OCC says there’s no sign the wider financial sector was affected, the compromised data is considered highly sensitive. The attacker’s identity remains unknown, but previous targeting of Treasury entities has been linked to China-based group Silk Typhoon. The OCC has since ended the unauthorized access and is continuing its investigation.

Patch Tuesday updates. 

This month’s Patch Tuesday was a heavyweight, with Microsoft releasing fixes for 147 vulnerabilities—five of them rated critical, and one already being exploited in the wild. That zero-day, tracked as CVE-2024-26234, involved a malicious proxy driver being used in targeted attacks. Most of the bugs hit core components like Windows Kernel, Office, and Azure services. If your org runs Microsoft infrastructure, this one’s a must-do.

But the patch party didn’t stop there.

Fortinet issued a fix for a critical bug in FortiSwitch, CVE-2024-48887. It allows remote, unauthenticated attackers to reset admin passwords with a specially crafted request. It’s a serious threat to network integrity and needs urgent patching.

Ivanti patched six vulnerabilities in its Endpoint Manager. One of them, CVE-2025-22466, could let an unauthenticated user execute a cross-site scripting attack and gain administrative access. VMware also delivered updates for 47 issues in Tanzu, with ten marked critical, and Zoom resolved six bugs across its Workplace suite.

And in the industrial sector, Rockwell, Siemens, Schneider Electric, and ABB all patched ICS vulnerabilities. Siemens even recommended replacing a power monitoring device entirely due to security flaws that couldn’t be safely mitigated with software alone.

So don’t delay, and patch ‘em if you’ve got ‘em. 

A critical vulnerability in AWS Systems Manager (SSM) Agent allowed attackers to execute arbitrary code with root privileges.

A critical vulnerability in AWS Systems Manager (SSM) Agent allowed attackers to execute arbitrary code with root privileges by exploiting improper input validation in the ValidatePluginId function. This flaw let attackers craft malicious plugin IDs using path traversal (e.g., ../../) to create and execute unauthorized scripts in system directories like /tmp. Since the SSM Agent is widely used to manage EC2 and on-prem servers, the risk was significant. AWS patched the issue on March 5, 2025, in version 3.3.1957.0 after responsible disclosure in February. Security experts advise updating immediately, validating plugin IDs, and using safe path resolution methods like BuildSafePath. This incident underscores that even mature cloud tools are vulnerable and highlights the need for strict input validation and ongoing system monitoring in cloud environments.
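As an added illustration, not the SSM Agent's own code, here is the pattern the story describes: a lookup that joins an untrusted plugin ID onto a directory with only an emptiness check, beside a validate-then-contain version in the spirit of the BuildSafePath approach the experts recommend. The root directory, the allowed-character set and the sample IDs are constructed for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed root for this example; not the agent's real directory layout.
const pluginRoot = "/opt/plugins"

// buildPathUnsafe mirrors the flaw described: the ID is only checked for
// emptiness, so "../../tmp/evil" resolves to /tmp/evil, outside pluginRoot.
func buildPathUnsafe(pluginID string) (string, error) {
	if pluginID == "" {
		return "", fmt.Errorf("empty plugin ID")
	}
	return filepath.Join(pluginRoot, pluginID), nil
}

// Assumed allow-list: a plugin ID is one path component of safe characters.
var pluginIDPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// validatePluginID rejects separators and traversal sequences via the
// allow-list, plus dot-only names ("." or "..") that the class lets through.
func validatePluginID(pluginID string) error {
	if !pluginIDPattern.MatchString(pluginID) {
		return fmt.Errorf("plugin ID %q contains disallowed characters", pluginID)
	}
	if strings.Trim(pluginID, ".") == "" {
		return fmt.Errorf("plugin ID %q is a relative path component", pluginID)
	}
	return nil
}

// buildSafePath validates the ID, canonicalises the joined path and then
// confirms the result still lies beneath pluginRoot (defence in depth).
func buildSafePath(pluginID string) (string, error) {
	if err := validatePluginID(pluginID); err != nil {
		return "", err
	}
	full := filepath.Clean(filepath.Join(pluginRoot, pluginID))
	if !strings.HasPrefix(full, pluginRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("plugin ID %q escapes %s", pluginID, pluginRoot)
	}
	return full, nil
}
```

With these inputs, buildPathUnsafe("../../tmp/evil") returns /tmp/evil, while buildSafePath rejects it and also rejects "..", which a character allow-list on its own would accept.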

Experts urge Congress to keep strict export controls to help slow China’s progress in AI. 

Technology experts urged Congress to keep strict export controls on semiconductor chips and other tech, arguing these restrictions are crucial for slowing China’s progress in AI and preserving U.S. leadership, CyberScoop reports. Although the U.S. has long limited China’s access to advanced chips, the rise of generative AI models from firms like DeepSeek and Alibaba has raised doubts about the strategy’s effectiveness. Still, experts like Gregory Allen of the Center for Strategic and International Studies said these restrictions have already limited China’s AI advancement and should continue. DeepSeek, despite its progress, still struggles with a lack of high-performance computing power—something only U.S.-made chips currently provide. Experts argue that American technology is still foundational to China’s AI development, giving the U.S. vital leverage. They also criticized the Biden administration’s export control rollout, saying advance notice allowed Chinese firms to stockpile parts. They called for tighter, faster controls guided by deeper collaboration with tech and intelligence sectors.

A critical bug in WhatsApp for Windows allows malicious code execution.

A critical bug in WhatsApp for Windows, tracked as CVE-2025-30401, allows attackers to execute malicious code by tricking users into opening rigged attachments. The flaw, fixed in version 2.2450.6, involves a mismatch between MIME type and file extension. For example, an .exe file disguised as an image could run if clicked. Though the exploit requires user interaction, experts warn it’s easy to deceive users. Meta urges everyone to update WhatsApp and be cautious with attachments—even from familiar contacts.

CISA adds multiple advisories on actively exploited vulnerabilities. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent call for organizations to patch two actively exploited zero-day vulnerabilities: 

• CentreStack Vulnerability (CVE-2025-30406): This critical flaw in Gladinet’s CentreStack cloud server allows remote code execution via improper handling of cryptographic keys for ASP.NET ViewState data. Exploited since March, it was patched in version 16.4.10315.56368.

• Windows CLFS Vulnerability (CVE-2025-29824): A use-after-free issue in Microsoft’s Common Log File System driver enables local privilege escalation. Actively exploited by the PipeMagic malware in ransomware attacks, it was addressed in April’s Patch Tuesday.

CISA mandates federal agencies to apply these patches by April 29 and advises all organizations to prioritize these updates to mitigate potential threats.

Insider threat allegations rock a major Maryland medical center. 

A chilling insider threat case has rocked the University of Maryland Medical Center (UMMC), where a now-former pharmacist allegedly used his access to IT systems to spy on female clinicians for nearly a decade. Matthew Bathula is accused of installing spyware on over 400 hospital and home devices, enabling him to secretly watch coworkers breastfeeding, having sex, and interacting with their families. He reportedly used keyloggers to steal passwords, gaining access to personal accounts and cloud storage. Despite alerts from IT staff and suspicions of hacking, UMMC allegedly failed to identify or stop the breach. Victims only learned of the voyeurism through FBI investigators. A civil lawsuit claims UMMC was negligent, violating healthcare security laws. The hospital has since fired Bathula and pledged to improve its cybersecurity, but the damage—both emotional and reputational—is severe. This case is a stark reminder of how dangerous insider threats can be when detection and oversight fail.

Coming up, we have host of Afternoon Cyber Tea, Ann Johnson joined by guest Jack Rhysider, the creator and host of the acclaimed podcast Darknet Diaries. 

You can find a link to Ann and Jack’s full conversation in our show notes. Be sure to catch new episodes of Afternoon Cyber Tea every other Tuesday on N2K CyberWire and your favorite podcast app.

Feds Aim to Rewrite Social Security Code in Record Time. 

And finally, what could possibly go wrong with a plan to rip out the foundation of the U.S. Social Security system in a matter of months? Wired looks at plans hatched by DOGE—the Department of Government Efficiency—led by Elon Musk confidant Steve Davis. Their mission: ditch COBOL, the 60-year-old programming language still powering payments to over 65 million Americans, and replace it with something modern like Java. Fast. Experts are baffled. COBOL runs the system’s logic, payments, even Social Security number assignments. Migrating it all quickly risks unseen errors—like simply not paying people at all. The SSA’s own systems haven’t been seriously updated since the ‘80s. Add in a handful of young, untested engineers and a rumored AI translation plan, and you’ve got a recipe for digital disaster. Oh, and there’s also a mysterious “Are You Alive Project” rechecking beneficiaries. So yes—massive system rewrite, AI code conversion, death audits… and benefits millions depend on. What could possibly go wrong?

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.