This Month in Cybersecurity - February Edition
SonicWall and Palo Alto OS Flaws Added to CISA KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: one in Palo Alto Networks' PAN-OS and one in SonicWall's SonicOS. The first, CVE-2025-0108, is an authentication bypass in the PAN-OS management web interface: an unauthenticated attacker with network access to that interface can get past the login it normally requires. Exploitation attempts were observed within a day of Palo Alto's disclosure, and organizations running PAN-OS should update to a fixed release immediately. The flaw is only reachable by someone who can reach the management interface, so restricting that interface to trusted internal addresses, which Palo Alto has long recommended anyway, is the standing mitigation for devices that cannot be patched at once.
The second, CVE-2024-53704, is an improper-authentication flaw in the SonicOS SSL VPN authentication mechanism that lets a remote attacker bypass authentication. SonicWall has warned customers that it is being exploited in the wild and recommends upgrading to the fixed firmware; until that is done, SonicWall's advisory says to limit SSL VPN and SSH management access to trusted sources or disable them from the internet entirely. The vulnerability carries a CVSS score of 8.2 (high) and is most dangerous on appliances with SSL VPN or SSH management exposed to the internet.
Under Binding Operational Directive 22-01, federal civilian agencies must remediate each KEV entry by the due date CISA assigns to it. The catalog is just as useful outside government: private organizations should check it against their own asset inventory and prioritize these patches, since a KEV listing means exploitation is already confirmed rather than theoretical.
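As a worked example of the check recommended above, here is a short script that joins a vulnerability-scanner export against the KEV feed and surfaces findings by CISA due date. It is an added example, not CISA's tooling and not code from this newsletter. The field names follow the KEV JSON feed's real schema, but the two catalog entries, the scanner export and the host names are constructed samples so the script runs offline (the dates shown are illustrative; take the authoritative dateAdded and dueDate from the live catalog). The same join works for the CVE list in a ransomware advisory such as the Ghost one later in this issue.

```python
"""Join a vulnerability-scanner export against the CISA KEV catalog.

Added example (not CISA's tooling). Field names follow the real KEV JSON feed;
the catalog entries, scanner export and host names below are constructed
samples so the script runs offline.
"""
import json
from datetime import date

# Live feed; fetch it and pass the response body to load_kev() for real data.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the live feed. Dates are illustrative.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2025.02.18",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2025-0108", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "vulnerabilityName": "Palo Alto Networks PAN-OS Authentication Bypass Vulnerability",
     "dateAdded": "2025-02-18", "dueDate": "2025-03-11",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-53704", "vendorProject": "SonicWall", "product": "SonicOS",
     "vulnerabilityName": "SonicWall SonicOS SSLVPN Improper Authentication Vulnerability",
     "dateAdded": "2025-02-18", "dueDate": "2025-03-11",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner export: host -> CVE IDs reported as unpatched.
# CVE-2024-99999 is a placeholder for a finding that is not in the catalog.
SAMPLE_SCAN = {
    "fw-edge-01": ["CVE-2025-0108", "CVE-2024-99999"],
    "vpn-branch-03": ["CVE-2024-53704"],
    "web-app-07": ["CVE-2024-99999"],
}


def load_kev(feed_text):
    """Index the KEV feed by CVE ID."""
    feed = json.loads(feed_text)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def kev_exposure(scan, kev, today_iso):
    """One record per (host, CVE) pair that appears in KEV, sorted by urgency.

    dueDate is binding only for federal agencies under BOD 22-01, but it is a
    reasonable SLA for anyone: overdue items sort first, then soonest due,
    with ransomware-linked CVEs ahead within a tie. Findings absent from KEV
    are simply not in this report; they still need patching on their own
    schedule, since absence from the catalog is not evidence of safety.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for host, cves in scan.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": host,
                "cve": cve,
                "product": entry["vendorProject"] + " " + entry["product"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,  # negative once overdue
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"]))
    return hits


def overdue_hosts(hits):
    """Hosts with at least one KEV item past its due date."""
    return {h["host"] for h in hits if h["days_left"] < 0}


if __name__ == "__main__":
    report = kev_exposure(SAMPLE_SCAN, load_kev(SAMPLE_KEV_JSON), date.today().isoformat())
    for h in report:
        state = "OVERDUE" if h["days_left"] < 0 else "%dd left" % h["days_left"]
        print("%-14s %-15s %-28s due %s (%s)" % (h["host"], h["cve"], h["product"], h["due"], state))
    print("hosts overdue:", sorted(overdue_hosts(report)) or "none")
```

Run it against the real feed by fetching KEV_FEED_URL and handing the body to load_kev(); the scanner export is whatever your scanner or CMDB produces, reduced to host-to-CVE pairs. The one caveat worth repeating from the code: a finding that is not in KEV is not cleared by this report, it is just not yet known to be exploited.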
Palo Alto Warns of Three PAN-OS Flaws Chained in Active Attacks
Palo Alto Networks has warned that three vulnerabilities in PAN-OS firewalls are being exploited together: CVE-2025-0108 (authentication bypass on the management web interface), CVE-2024-9474 (privilege escalation to root) and CVE-2025-0111 (authenticated file read). Attackers chain them: the bypass gets an unauthenticated request past the login, the privilege-escalation bug turns that foothold into command execution as root, and the file-read bug exposes files on the PAN-OS filesystem that the "nobody" user can read. Fixes exist for all three (CVE-2024-9474 was patched in November 2024, the other two in February 2025), yet many PAN-OS firewalls remain unpatched.
Exploitation attempts have increased, with multiple actors trying the chain against exposed devices, and researchers report that many PAN-OS firewalls whose web management interface is reachable from the internet still have not been updated. Every step of the chain requires reaching that interface, so the immediate check is whether it is reachable from untrusted networks at all. Palo Alto urges organizations to patch at once and, patched or not, to restrict management access to a trusted internal network or a dedicated management interface.
Chrome and Firefox Announce Fresh Security Fixes
Google and Mozilla have released security updates for Chrome and Firefox to address high-severity vulnerabilities. Google's Chrome 133 update fixes two high-severity heap buffer overflows that could allow remote code execution, plus a medium-severity bug. All were reported by external researchers, whom Google rewarded under its bug bounty program. The update is rolling out for Windows, macOS and Linux; Google reported no in-the-wild exploitation of these flaws.
Mozilla's Firefox 135 also fixes high-severity memory safety bugs that could lead to code execution. The flaws are memory corruption issues that Mozilla says could have been exploited with enough effort. Both vendors stress updating promptly.
Defensible Strategies
Learn from those who have been attacked
Venture Capital Firm Insight Partners Announces Breach
Insight Partners, a private equity and venture capital firm, disclosed that it was the target of a cyberattack in which intruders gained access to its information systems through a social engineering scheme. The intrusion was detected on January 16, 2025, and the company believes the attacker was evicted the same day. The investigation into the full scope is ongoing, but Insight Partners has said it does not expect a significant impact on its portfolio companies or stakeholders.
The firm has acknowledged that personal or sensitive data may have been accessed and has advised those connected to it to tighten their own security; follow-on phishing that trades on the breach is the usual next step after a social-engineering intrusion. No ransomware group has claimed responsibility. With over $90 billion in assets under management and investments in several major cybersecurity companies, Insight Partners is continuing to investigate and address the situation.
Signal’s Linked Device Feature Exploited
Several Russia-aligned threat actors are using a novel technique to compromise accounts on the secure messaging app Signal. Rather than attacking the encryption, they abuse Signal's legitimate "linked devices" feature, which lets a user pair additional devices with a phone by scanning a QR code. The attackers distribute malicious QR codes disguised as group invites, security alerts or device-pairing instructions; when a victim scans one, the victim's account is linked to a device the attacker controls. From then on every message the victim sends or receives is also delivered to the attacker's device, giving persistent real-time access with no malware on the phone and no decryption failure to notice, because the attacker's device is simply another legitimate endpoint of the conversation.
Google's Threat Intelligence Group has attributed the activity to several groups. UNC5792 used malicious QR codes to target Ukrainian military personnel. UNC4221 ran a phishing kit that mimicked a Ukrainian military application, paired with a lightweight JavaScript payload that collects information about the victim. Sandworm, Turla and UNC1151 took a different route, using scripts and tooling on already compromised devices to copy Signal message data off them.
The pressure on secure messengers is growing, with multiple Russian threat actors pursuing these platforms through phishing, malware and, in some cases, brief physical access to unlocked devices. Google's disclosure follows a similar warning from Microsoft about Russian hackers targeting messaging apps such as WhatsApp and Teams with comparable tactics. None of this breaks the end-to-end encryption; it targets the account and the device trust around it. The practical check for Signal users is to review the Linked Devices list in the app's settings periodically and unlink anything they do not recognize.
Ghost Ransomware Involved in Attacks in Over 70 Countries
Ghost ransomware has hit victims in more than 70 countries, including organizations in healthcare, government, education and manufacturing. Active since early 2021, this financially motivated group gains initial access by exploiting outdated software and firmware on internet-facing services, using publicly available exploit code rather than novel vulnerabilities. It frequently rotates its malware executables, ransom note wording and ransom e-mail addresses, which is why attribution of the group has fluctuated over time.
The group has been tracked under several names, including Cring, Phantom and Wickrme. It targets long-patched vulnerabilities in Fortinet SSL VPN, Adobe ColdFusion and Microsoft Exchange, among them CVE-2018-13379 (FortiOS SSL VPN path traversal) and CVE-2021-34473 (part of the Exchange ProxyShell chain). Once inside, the operators use Mimikatz for credential theft and Cobalt Strike for command and control before deploying the ransomware payload.
To defend against Ghost, experts advise regular, tested backups kept off the production network, prompt patching of internet-facing systems (the vulnerabilities above are years old), network segmentation to limit lateral movement, and phishing-resistant multi-factor authentication for privileged accounts. CISA, the FBI and MS-ISAC have published joint guidance with specific detection advice and indicators of compromise for this activity, which continues to affect organizations worldwide.