The CyberWire Daily Podcast 4.17.25
Ep 2289 | 4.17.25

Microsoft squashes Windows Server bug.

Transcript

Microsoft issues emergency updates for Windows Server. Apple releases emergency security updates to patch two zero-days. CISA averts a CVE program disruption. Researchers uncover Windows versions of the BrickStorm backdoor. Atlassian and Cisco patch several high-severity vulnerabilities. An Oklahoma cybersecurity CEO is charged with hacking a local hospital. A Fortune 500 financial firm reports an insider data breach. Researchers unmask IP addresses behind the Medusa Ransomware Group. CISA issues a warning following an Oracle data breach. On our Industry Voices segment, we are joined by Rob Allen, Chief Product Officer at ThreatLocker, to discuss a layered approach to zero trust. Former CISA director Chris Krebs steps down from his role at SentinelOne.

Today is Thursday April 17th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft issues emergency updates for Windows Server. 

Microsoft has issued emergency updates for Windows Server to fix a bug that prevented Windows containers from starting when using Hyper-V isolation. The problem happened when system file versions between the container and host didn’t match. This mismatch caused startup failures. The fix ensures containers now access the correct files from the host, improving stability and compatibility. These updates aren’t available via Windows Update and must be manually downloaded from the Microsoft Update Catalog. Microsoft also shared instructions for applying the fix using the DISM tool on live systems or installation media.

Apple releases emergency security updates to patch two zero-days. 

Apple has released emergency security updates to patch two zero-day vulnerabilities actively exploited in targeted iPhone attacks. The bugs affect iOS, macOS, iPadOS, tvOS, and visionOS. One flaw allows remote code execution via malicious audio files, while the other bypasses Pointer Authentication, a key memory protection. Apple says the attack was “extremely sophisticated” but offered no further details. A wide range of devices, including iPhone XS and newer, iPads, Apple TVs, Macs, and Vision Pro are impacted. Despite being targeted attacks, all users are urged to update. This brings Apple’s 2025 zero-day count to five.

CISA averts a CVE program disruption. 

CISA has extended MITRE’s contract to manage the CVE and CWE programs by 11 months, averting a disruption to the global vulnerability tracking system. The extension followed concerns raised after MITRE disclosed the U.S. government wouldn’t renew the contract set to expire on April 16. MITRE has managed the programs for 25 years, offering critical support to cybersecurity operations worldwide. The abrupt funding uncertainty stemmed from broader cuts that led MITRE to lay off hundreds of staff. In response, CISA identified emergency funding to keep operations running. Meanwhile, the CVE Foundation was formed to transition CVE oversight away from sole U.S. government control. New initiatives like the Global CVE (GCVE) system and the EU’s vulnerability database aim to diversify and decentralize global vulnerability management going forward.

Researchers uncover Windows versions of the BrickStorm backdoor. 

Research from NVISO uncovers Windows versions of the BrickStorm backdoor, linked to the Chinese APT UNC5221 behind the MITRE hack in early 2024. These variants, active since at least 2022, target European organizations and offer stealthy file manipulation and network tunneling using DNS over HTTPS. Written in Go, they use scheduled tasks for persistence and rely on stolen credentials to abuse RDP and SMB. The malware hides its infrastructure using public cloud services and evades detection through encrypted, multiplexed C&C connections.

Atlassian and Cisco patch several high-severity vulnerabilities. 

Atlassian and Cisco released patches for several high-severity vulnerabilities this week, some of which could lead to remote code execution. Atlassian addressed long-standing flaws in Bamboo, Confluence, and Jira, including DoS bugs and XML External Entity (XXE) issues. Cisco patched security defects in Webex App, Secure Network Analytics, and Nexus Dashboard. One Webex flaw could allow remote code execution via a crafted meeting invite. Neither company reported active exploitation of the vulnerabilities, but users are urged to update promptly.

An Oklahoma cybersecurity CEO is charged with hacking a local hospital. 

Jeffrey Bowie, CEO of a cybersecurity firm in Edmond, Oklahoma, has been charged with hacking St. Anthony Hospital, where authorities say he installed malware to secretly take and send screenshots every 20 minutes. Surveillance footage showed Bowie roaming hospital halls on August 6, trying doors before accessing a staff-only computer. When confronted, he claimed he had a family member in surgery. Former employer Alias Cyber Security said they let Bowie go years ago over ethics concerns. Alias CEO Donovan Farrow expressed disappointment, calling the act a stain on the cybersecurity field. The hospital confirmed no patient data was compromised. Bowie was arrested after a forensic review uncovered the malware. Attempts to reach his company failed. Ethical hacking is common in the industry, but this case appears to have crossed legal and ethical lines.

A Fortune 500 financial firm reports an insider data breach. 

Ameriprise Financial has notified over 4,600 customers that their personal data was improperly shared by a former advisor who left for LPL Financial between 2018 and 2020. The company discovered the breach in January 2025. The ex-employee shared more customer information than allowed during the transition, including names, addresses, emails, and phone numbers. Ameriprise hasn’t detailed if more sensitive data was leaked but is offering free credit monitoring to those affected. The firm, a Fortune 500 company founded in 1894 and formerly part of American Express, reported $17 billion in revenue last year. Ameriprise says it has since implemented new measures to prevent similar incidents. While this breach wasn’t the result of hacking, it underscores how internal lapses can still jeopardize customer privacy.

Researchers unmask IP addresses behind the Medusa Ransomware Group. 

Researchers have unmasked the real IP address behind the Medusa Ransomware Group, a notorious operation long hidden on the Tor network. Covsec security experts exploited a severe vulnerability in Medusa’s blog platform, used to post stolen data, bypassing Tor’s anonymity protections. Using a server-side request forgery (SSRF) attack, they ran a simple command that revealed the server’s public IP: 95.143.191.148. Hosted via SELECTEL in Russia, the server runs Ubuntu and exposes insecure services including open SSH with password login. Medusa Locker, active since 2019, has targeted healthcare, education, and manufacturing sectors with double-extortion tactics. This rare technical breakthrough into a Tor-hidden ransomware group offers unprecedented visibility into its infrastructure, demonstrating how poor server security can undermine even the most elusive cybercriminal operations.

CISA issues a warning following an Oracle data breach. 

Federal cybersecurity officials have issued a warning following a data breach involving Oracle, where hackers accessed credentials from legacy systems. Oracle privately notified customers in January but didn’t publicly confirm the breach. The company claimed Oracle Cloud Infrastructure (OCI) wasn’t impacted, though hackers accessed usernames from two outdated servers. The breach became public when a hacker, “rose87168,” offered stolen data from Oracle Cloud’s SSO and LDAP systems for sale online. Cybersecurity firms confirmed 6 million records were stolen, affecting over 140,000 tenants. The data included encrypted passwords, keys, and other sensitive information. The hacker allegedly solicited help to decrypt the data and extorted Oracle customers. CISA urged organizations to reset passwords, monitor logs, review code, and report incidents. Oracle has not commented on the federal advisory.

Former CISA director Chris Krebs steps down from his role at SentinelOne. 

Chris Krebs, a respected voice in cybersecurity and former CISA Director, has stepped down from his role as SentinelOne’s Chief Intelligence and Public Policy Officer. The decision follows the revocation of his security clearance and a presidential order to review CISA’s conduct during his tenure. In a heartfelt message, Krebs made it clear the resignation was his alone, saying, “This is my fight, not the company’s.” Committed to defending democracy, free speech, and the rule of law, Krebs said the challenge ahead requires his full focus. Revered for his integrity, Krebs led CISA from its founding in 2018 until 2020, when he was dismissed after publicly affirming the 2020 election’s security. After leaving government, he co-founded the Krebs Stamos Group, which was later acquired by SentinelOne.

As he steps away from SentinelOne, we commend his continued commitment to truth and integrity, and wish him well on the road ahead.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.