In today’s cybersecurity news…
Shock and lawsuit over security failures in DOGE takeover
A triple story here. Experts in cybersecurity and government process are likening the current activities of the DOGE group to an ongoing data breach, stating that the act of “exposing the personal data of millions of federal employees violates federal laws against sharing classified or sensitive information with uncleared individuals and creates new cybersecurity vulnerabilities for malicious hackers to exploit.” Chief among these concerns, they say, “are efforts by Elon Musk’s team to access the Department of the Treasury’s payment system housed in the Bureau of Fiscal Service,” which controls much of the spending by the federal government, including congressionally mandated programs like Social Security. The White House stated last Monday that “DOGE employees’ access to these systems were restricted to read-only.”
In addition, according to Brian Krebs, quoting Wired magazine, a 19-year-old working for the DOGE group “was given access to sensitive U.S. government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so.” This individual is reported to be “a former denizen of ‘The Com,’ an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.”
Furthermore, University of California students on Friday sued the federal Education Department to stop the DOGE team from “accessing federal student financial aid databases, which house sensitive information belonging to more than 42 million Americans.” The plaintiffs, who are members of the University of California Student Association, which serves all of the system’s campuses statewide, “argue that the access granted to DOGE by acting Secretary of Education Denise Carter violates the federal Privacy Act and the Internal Revenue Code.”
(Cyberscoop, Krebs on Security, and The Record)
CISA adds Microsoft Outlook and Sophos XG Firewall to its Known Exploited Vulnerabilities catalog
Five new vulnerabilities have been added to the catalog: a 7-Zip Mark of the Web Bypass Vulnerability, a Dante Discovery Process Control Vulnerability, a CyberoamOS (CROS) SQL Injection Vulnerability, a Sophos XG Firewall Buffer Overflow Vulnerability, and the Microsoft Outlook Improper Input Validation Vulnerability that we reported on Friday. The Microsoft Outlook vulnerability and the buffer overflow issue in Sophos XG Firewall have a CVSS score of 9.8. In addition, according to Trend Micro security researcher Peter Girnus, the 7-Zip vulnerability has already been actively exploited by Russian cybercrime groups “through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files.” Federal agencies must fix this vulnerability by February 27, 2025. A list of the CVE numbers is available in the show notes to this episode.
CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability
CVE-2022-23748 Dante Discovery Process Control Vulnerability
CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability
(Security Affairs and The Hacker News)
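The homoglyph trick Girnus describes works because a file name such as “invoice.dоcx” with a Cyrillic “о” renders identically to the ASCII name while being a different string. The following is an added example (not from the page, Trend Micro, or 7-Zip) of the kind of check a mail gateway or download monitor can run over attachment names to flag it. The confusables table is a small constructed subset for illustration; a production check would use the full Unicode confusables data, and `analyze_filename`, `skeleton` and `scan_attachments` are names chosen here, not any product’s API.

```python
import unicodedata

# Constructed: a few non-Latin letters that render like ASCII letters. This is an
# illustrative subset, not the complete Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def skeleton(text: str) -> str:
    """Map look-alike characters onto their ASCII twins so names can be compared
    by what a human sees rather than by code point."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text))


def script_of(ch: str) -> str:
    """Crude script detection from the Unicode character name: LATIN, CYRILLIC, GREEK..."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyze_filename(name: str) -> dict:
    """Return the findings that make a file name suspicious as a spoofed document."""
    findings = []
    base, dot, ext = name.rpartition(".")
    if not dot:
        ext = ""

    # 1. Genuine document extensions are ASCII; any non-ASCII byte in the extension
    #    means the name only looks like .docx/.pdf/etc.
    if any(ord(ch) > 127 for ch in ext):
        findings.append("non-ascii-extension")

    # 2. Letters drawn from more than one script (Latin 'd','c','x' plus a Cyrillic 'o')
    #    is the classic homoglyph signature; legitimate names rarely mix scripts.
    scripts = {script_of(ch) for ch in name if ch.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed-scripts:" + ",".join(sorted(scripts)))

    # 3. If the visual skeleton differs from the raw name, report what the user
    #    *thinks* they are opening so an analyst can see the intended disguise.
    skel = skeleton(name)
    if skel != name:
        findings.append(f"looks-like:{skel}")

    return {"name": name, "extension": ext, "findings": findings, "suspicious": bool(findings)}


def scan_attachments(names):
    """Filter a batch of attachment names (e.g. from a gateway log) down to the suspicious ones."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names; the second uses a Cyrillic 'о' in the extension.
    sample = ["invoice.docx", "invoice.d\u043ecx", "report.pdf"]
    for hit in scan_attachments(sample):
        print(hit["name"].encode("unicode_escape").decode(), hit["findings"])
```

Run stand-alone, the script prints only the spoofed name with its findings; the benign names produce no findings. The skeleton comparison is the most useful signal for an analyst, because it shows the ASCII name the attacker wanted the victim to see.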
Huge thanks to our sponsor, Vanta

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.
But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.
Now that’s…a new way to GRC. Get started at Vanta.com/headlines
DeepSeek App transmits sensitive user and device data without encryption
A new report from mobile security company NowSecure reveals that DeepSeek’s mobile app for the Apple iOS operating system contains some serious security issues, including the fact that it sends sensitive data over the internet without encryption, as well as collecting extensive user and device data. The report said that when data is encrypted, the app uses an insecure symmetric encryption algorithm, a hard-coded encryption key, and reuses initialization vectors. Furthermore, “the data is sent to servers that are managed by a cloud compute and storage platform named Volcano Engine, which is owned by ByteDance, the Chinese company that also operates TikTok.”
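Why the “reuses initialization vectors” finding matters is easy to see with a stream-style cipher, where the IV selects the keystream: encrypt two messages under the same key and IV and the keystream cancels out when the ciphertexts are XORed, so anyone watching the traffic learns the XOR of the two plaintexts (and, where they share a prefix, that prefix is visible outright) without ever touching the key. The code below is an added example, not from NowSecure’s report or the DeepSeek app. It uses a constructed SHA-256 counter keystream as a stand-in for any CTR/stream mode so it runs with the standard library only; it is not a real cipher and has no integrity protection. The fixed-IV functions reproduce the weak pattern; `encrypt_fresh_iv` shows the fix of a random IV per message, carried alongside the ciphertext.

```python
import hashlib
import os

IV_LEN = 16


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed toy keystream: SHA-256(key || iv || counter) blocks, CTR-style.
    It models how CTR/stream modes derive keystream from (key, IV); it is NOT a
    production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_fixed_iv(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """The weak pattern: the caller hard-codes and reuses the IV for every message."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def encrypt_fresh_iv(key: bytes, plaintext: bytes) -> bytes:
    """The corrected pattern: a random IV per message, prepended so the receiver has it."""
    iv = os.urandom(IV_LEN)
    return iv + xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def decrypt_fresh_iv(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return xor_bytes(ct, keystream(key, iv, len(ct)))


def equal_prefix_length(a: bytes, b: bytes) -> int:
    """How many leading bytes two byte strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def demo_iv_reuse() -> dict:
    """Contrast what a passive observer learns under IV reuse versus fresh IVs."""
    key = os.urandom(32)                 # stands in for the app's secret key
    fixed_iv = b"\x00" * IV_LEN          # the hard-coded, reused IV
    # Constructed sample payloads sharing a 20-byte prefix, as telemetry records often do.
    p1 = b"device_id=AB12;user=alice;"
    p2 = b"device_id=AB12;user=bob__;"

    c1 = encrypt_fixed_iv(key, p1, fixed_iv)
    c2 = encrypt_fixed_iv(key, p2, fixed_iv)
    # Same keystream on both: c1 XOR c2 == p1 XOR p2, and the shared prefix is identical ciphertext.
    reused_leaks_xor = xor_bytes(c1, c2) == xor_bytes(p1, p2)
    reused_equal_prefix = equal_prefix_length(c1, c2)

    d1 = encrypt_fresh_iv(key, p1)
    d2 = encrypt_fresh_iv(key, p2)
    # Different IVs give unrelated keystreams, so the XOR relation no longer holds.
    fresh_leaks_xor = xor_bytes(d1[IV_LEN:], d2[IV_LEN:]) == xor_bytes(p1, p2)

    return {
        "reused_iv_leaks_xor": reused_leaks_xor,
        "reused_iv_equal_prefix": reused_equal_prefix,
        "fresh_iv_leaks_xor": fresh_leaks_xor,
        "roundtrip_ok": decrypt_fresh_iv(key, d1) == p1,
    }


if __name__ == "__main__":
    for k, v in demo_iv_reuse().items():
        print(f"{k}: {v}")
```

The same reasoning applies to a hard-coded key: once the key is the same in every installed copy of the app, the only thing separating one user’s traffic from another’s is the IV, which is exactly what reuse throws away. In practice the fix is an authenticated mode (an AEAD) with a fresh nonce per message and a key that is not shipped inside the binary, rather than a hand-rolled keystream like this one.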
UK releases hurricane-grade scale for cyberattacks
A product of a group named the Cyber Monitoring Centre (CMC), which is made up of cyber insurance industry figures and some cybersecurity thought leaders, this rating system parallels the Saffir-Simpson Scale, which identifies the severity of hurricanes. It is intended to “help cyber insurance companies, and their reinsurers, independently define what constituted a systemic event,” which is one that “emanates from a single source, such as an attack on a vendor, but has a significant impact on myriad other organizations.” Examples of this include NotPetya and the CrowdStrike event. As an independent, non-profit organization, the CMC will categorize cyber events on a 1-5 scale, with five being the most severe, based on data around the financial impact of the event and the number of UK organizations affected.
Hackers allegedly publish secret Taliban records
The Taliban government of Afghanistan is none too happy that hackers successfully “carried out a massive cyberattack against its computer systems and published over 50GB of stolen documents and files online.” The group, named TabiLeaks, has posted links to its collection on social media. These links point to 21 Taliban ministries and government agencies and include information about prisoners, travel restrictions and many other types of activities. For its part, the Taliban’s Ministry of Communications says that most of the files had already “been publicly accessible for years and that no system had been hacked.”
Zyxel will not patch newly exploited flaws in end-of-life routers
According to security company VulnCheck, Taiwan-based “Zyxel has issued a security advisory about actively exploited flaws in its Customer Premises Equipment CPE Series devices, such as modems and routers, warning that it has no plans to issue fixing patches and urging users to move to actively supported models.” According to network scanning engines FOFA and Censys, over 1,500 Zyxel CPE Series devices are exposed to the internet, so the attack surface is significant. “The researchers warned that despite these devices no longer being supported for many years, they are still found in networks worldwide.”
CVE-2024-40891 and CVE-2025-0890