IT Security Newsletter - 3/20/2025
Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
Cybercriminals working on behalf of at least six nation-states are actively exploiting a zero-day vulnerability in Microsoft Windows to commit espionage, steal data and cryptocurrency, according to Trend Micro researchers. The vulnerability, which Trend Micro tracks as ZDI-CAN-25373, allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut .lnk files, also known as shell link files, researchers said in a report released Tuesday. READ MORE...
500,000 Impacted by Pennsylvania Teachers Union Data Breach
The Pennsylvania State Education Association (PSEA) is notifying over 500,000 people that their personal information was stolen in a July 2024 data breach. In a data breach notice on its website, the teachers' union has revealed that the security incident occurred around July 6 and impacted its network environment, and that the attackers stole certain data from its systems. On February 18, 2025, PSEA determined that the stolen files contained personal information. READ MORE...
Veeam Patches Critical Vulnerability in Backup & Replication
Backup, recovery, and data protection firm Veeam on Wednesday announced patches for a critical-severity vulnerability in its Backup & Replication product that could allow attackers to execute arbitrary code remotely. In a sparse advisory, Veeam notes that the security defect, tracked as CVE-2025-23120 (CVSS score of 9.9), could allow for "remote code execution (RCE) by authenticated domain users", and that Backup & Replication version 12.3.0.310 and previous version 12 builds are affected. READ MORE...
Malware campaign 'DollyWay' breached 20,000 WordPress sites
A malware operation dubbed 'DollyWay' has been underway since 2016, compromising over 20,000 WordPress sites globally to redirect users to malicious sites. The campaign has evolved significantly in the past eight years, leveraging advanced evasion, re-infection, and monetization strategies. According to GoDaddy researcher Denis Sinegubko, DollyWay has been functioning as a large-scale scam redirection system in its latest version (v3). READ MORE...
DOGE to Fired CISA Staff: Email Us Your Personal Data
A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administration's continued disregard for basic cybersecurity protections. The message instructed recently-fired CISA employees to get in touch so they can be rehired and then immediately placed on leave, asking employees to send personal information in a password-protected email attachment -- with the password included in the body of the email. READ MORE...
Critical Fortinet Vulnerability Draws Fresh Attention
Fortinet customers who have not yet patched a critical authentication bypass vulnerability that the company disclosed in February might want to get to it quickly. CVE-2025-24472 allows remote attackers to snag super-admin privileges on affected systems by exploiting a weakness in how certain versions of Fortinet's FortiOS operating system and FortiProxy web gateway technologies handle Client Server Framework proxy requests. READ MORE...
WordPress security plugin WP Ghost vulnerable to remote code execution bug
Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. WP Ghost is a popular security add-on used in over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month. It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, and other attacks and exploits. READ MORE...
- ...in 1916, Albert Einstein publishes his general theory of relativity, providing the basis for the current description of gravitation in modern physics.
- ...in 1923, The Arts Club of Chicago hosts the first showing of Pablo Picasso's art in the United States.
- ...in 1928, TV personality and Presbyterian minister Fred Rogers, the creator and host of "Mister Rogers' Neighborhood", is born in Latrobe, PA.
- ...in 1957, film director and actor Shelton Jackson Lee, AKA Spike Lee ("Do The Right Thing", "Malcolm X") is born in Atlanta, GA.