This Month in Cybersecurity - March Edition

CISA Adds Fortinet Vulnerabilities to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two serious vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The first is a flaw in Fortinet’s FortiOS and FortiProxy systems, which allows attackers to bypass authentication and gain super-admin access to firewalls. This vulnerability, identified as CVE-2025-24472, has been exploited by cybercriminals to hijack firewalls, create rogue users, modify settings, and access internal networks, including SSL VPNs. Fortinet has released fixes for affected systems, and CISA confirmed that this flaw is being used in ransomware attacks.

The second vulnerability, CVE-2025-30066, affects a popular GitHub Action called tj-actions/changed-files, which is used in over 23,000 repositories to automate tasks. Attackers compromised this tool to leak sensitive data from software projects, including access keys and other secrets. These secrets were exposed in build logs, potentially accessible to anyone with permission to view those logs, which could lead to serious security risks. The attack was detected in March 2025, and CISA urges organizations to address this issue as well.

CISA has ordered federal agencies to fix these vulnerabilities by April 8, 2025, and experts recommend that private organizations also take action to secure their systems. These vulnerabilities highlight the importance of regularly updating software and monitoring for any suspicious activity to protect against cyberattacks.
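A compromised action such as tj-actions/changed-files reaches a build through a `uses:` reference on a mutable ref (a tag or branch), so one practical check is to audit workflow files for references that are not pinned to a full commit SHA. The following script is an added example, not code from CISA, GitHub or the tj-actions project; the workflow text is constructed, and the `WATCHLIST` set and `audit_workflow` function are assumed names.

```python
import re

# Constructed sample workflow (not from the page): one watchlisted action on a
# mutable tag, one on a full commit SHA, and an unrelated action on a tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

# Matches "uses: owner/repo@ref"; local actions without "@" are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Actions known to have been compromised; the page names only this one.
WATCHLIST = {"tj-actions/changed-files"}


def audit_workflow(text):
    """Return (line, action, ref, severity) for every uses: not pinned to a SHA."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin; a hijacked tag cannot redirect this step
        line = text.count("\n", 0, m.start()) + 1
        if action in WATCHLIST:
            severity = "HIGH: watchlisted action on a mutable ref"
        else:
            severity = "MEDIUM: mutable ref; pin to a full commit SHA"
        findings.append((line, action, ref, severity))
    return findings


if __name__ == "__main__":
    for line, action, ref, severity in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line}: {action}@{ref} -> {severity}")
```

Run it over every file under `.github/workflows/` in your repositories; pinning to a SHA does not by itself reveal whether a past run already leaked secrets, so rotate any credentials that appeared in build logs during the affected window.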


Long-Running Malware Operation Has Compromised Over 20,000 WordPress Sites

The DollyWay malware operation has been active since 2016, compromising over 20,000 WordPress sites worldwide. Initially, the campaign spread dangerous malware like ransomware and banking trojans, but its current form (DollyWay v3) primarily serves as a scam redirection system. It redirects website visitors to fake sites for dating, gambling, crypto, and sweepstakes, generating millions of fraudulent impressions monthly. The operation is highly sophisticated, using tools like a Traffic Direction System (TDS) to filter visitors based on various factors, ensuring that only visitors matching its criteria are redirected to the scam sites.

DollyWay is extremely persistent, automatically reinfecting compromised websites on every page load, which makes it very difficult to remove. It hides malicious code within plugins and uses a legitimate third-party WordPress plugin (WPCode) to inject and obfuscate malware. The attackers also create hidden admin accounts, making disinfection even more challenging. GoDaddy researchers have revealed that DollyWay is part of a larger, long-running operation, with strong connections between various malware campaigns and shared infrastructure. To help defenders counter this threat, GoDaddy has published a list of indicators of compromise (IoCs) and will continue to monitor and report on the evolving tactics used by the attackers.


Microsoft-Themed Phishing Campaign Shifts Its Targeting to macOS

A recent phishing campaign, originally targeting Windows users, has shifted focus to macOS users, according to cybersecurity firm LayerX. In 2024 and early 2025, the campaign relied on compromised websites to display fake Microsoft security alerts, tricking victims into entering their Windows usernames and passwords. These phishing pages were hosted on a trusted Microsoft platform, making them harder for traditional anti-phishing defenses to detect.

After new anti-scareware features were added to browsers like Chrome, Firefox, and Microsoft Edge, which reduced Windows-targeted attacks by 90%, the attackers shifted their efforts to macOS. The phishing pages targeting macOS users were nearly identical to those for Windows but were modified to target Safari users. The malicious pages were still hosted on Windows.net, and victims who mistyped a URL were redirected from compromised websites to the phishing pages.

LayerX warns that this campaign poses a serious threat to enterprise users, as it can lead to data exposure at the organizational level if corporate accounts are compromised. The adaptability of the attackers, now focusing on macOS with minimal adjustments to their infrastructure, highlights the persistence and professionalism of the campaign, making it a significant risk to both individuals and businesses.


Defensible Strategies

Learn from those who have been attacked

Infosys to Settle Class Action Lawsuit Series for $17.5 Million

Infosys Limited has agreed to settle a series of class action lawsuits for $17.5 million following a data breach at its subsidiary, Infosys McCamish Systems (IMS). The breach, disclosed in November 2023, disrupted some of IMS's systems, but the initial disclosure provided limited details. It was later revealed that the breach, which occurred between October 29 and November 2, 2023, exposed sensitive personal data, including names, Social Security numbers, and bank account information of millions of individuals.

The breach affected customers of companies like Fidelity Investments, Bank of America, and American Express, who were notified that their personal data had been compromised through IMS's systems. In total, approximately 6.5 million people were impacted. IMS worked to restore its affected systems by the end of 2023 and disclosed the full extent of the breach in April 2024.

As part of the proposed settlement, Infosys has agreed to pay $17.5 million into a fund to resolve the lawsuits filed on behalf of those affected by the breach. The settlement, which is still pending court approval, will address all claims without any admission of liability by Infosys. Once finalized, it will provide compensation to individuals whose personal information was exposed in the breach.


Pennsylvania Education Union Notifying Members of a Breach

The Pennsylvania State Education Association (PSEA) is informing over half a million people that their personal data was stolen in a security breach that occurred in July 2024. The breach affected a wide range of individuals, including teachers, support staff, and retired educators. The stolen data includes sensitive information such as Social Security numbers, payment card details, health records, and more.

The PSEA offered free credit monitoring and identity restoration services to those impacted, urging individuals to monitor their financial accounts for suspicious activity. The union completed an investigation into the breach in February 2025 and determined that the stolen data varied by person, with some individuals having both sensitive personal and financial information exposed.

The breach was claimed by the Rhysida ransomware gang, which demanded a ransom in exchange for not leaking the stolen data. Rhysida, known for its attacks on various high-profile organizations, has previously targeted entities like Sony and Lurie Children's Hospital. While it's unclear whether PSEA paid the ransom, the gang removed the threat of releasing the data after their demand was not met. Rhysida continues to be a significant threat, particularly in the healthcare and public sectors.