UK Demands Backdoor in Apple Encryption; 2.8 Million Devices Launch Brute Force Attack; UK's RN & RAF Fast Track Cyber Specialists

The UK's Home Office has reportedly served a Technical Capability Notice (TCN) under the Investigatory Powers Act (IPA) compelling Apple to give the government backdoor access to worldwide users' encrypted data in the company's cloud service. Although "under the law, the demand cannot be made public," and while the Home Office will neither confirm nor deny "any such notices," both the Washington Post, who first reported the news, and the BBC have spoken with anonymous "sources familiar with the matter." The alleged demand specifically targets Apple's end-to-end encrypted Advanced Data Protection (ADP) measures, and may apply in cases of national security risk, requiring a legal permission process to access the backdoor. Apple's history with similar cases and the company's prior statements show a pattern of opposing or refusing such demands. In the UK specifically, out of over 6,000 requests for iCloud data between 2020 and 2023, Apple complied only four times. Cybersecurity experts and privacy groups have expressed deep concern over the serious risks to users' security and privacy posed by breaking encryption with backdoors; the Electronic Frontier Foundation notes that "any 'backdoor' built for the government puts everyone at greater risk of hacking, identity theft, and fraud," and the UK's Big Brother Watch states that such a backdoor "will not make the UK safer, but it will erode the fundamental rights and civil liberties of the entire population."

The Shadowserver Foundation has detected an ongoing brute force attack on the login credentials of network devices, carried out at an increasing scale since January, 2025, daily employing up to 2.8 million compromised network devices worldwide. The attacks appear to target a wide range of edge devices including those from major manufacturers such as Palo Alto, Ivanti, and SonicWall, and appear to originate from routers and IoT devices mainly made by MikroTik, Huawei, Cisco, Boa, and ZTE. Shadowserver observes that the IP addresses involved may suggest a botnet employing residential proxy networks. BleepingComputer suggests changing and strengthening passwords, enforcing MFA, "using an allowlist of trusted IPs," and disabling unused web admin interfaces. In a separate story, last week, cybersecurity agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) jointly published guidance for securing edge devices.

The UK military is fast-tracking cyber-recruits to ensure that 50 cyber specialist operational positions within the Royal Navy and Royal Air Force are filled by the end of the calendar year. Recruits entering through the 'cyber pipeline' will complete their basic training within a month rather than the regular ten weeks. They will then receive three months of specialized training at the Cyber Defence Academy.

Apple has released iOS 18.3.1 and iPadOS 18.3.1 and 17.7.5 to address a vulnerability that was being actively exploited in targeted attacks. The flaw could be exploited to 'disable USB Restricted Mode on a locked device,' and was fixed through improved state management. The vulnerability was detected by Bill Marczak, a researcher at the University of Toronto's Citizen Lab, which 'focus[es] on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.'

The Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control Systems (ICS) advisory, warning that some versions of Trimble Cityworks, an infrastructure software tool for managing assets and work, are vulnerable to a flaw that is under active exploit. The flaw, CVE-2025-0994, CVSS score 8.6, allows an authenticated user "to execute arbitrary code on the IIS server due to deserialization of untrusted data." All versions of Trimble Cityworks prior to 15.8.9 and Cityworks with office companion prior to 23.10 are affected; Cityworks Online has been automatically patched, and Trimble urges users to update on-premises instances immediately. The indicators of compromise (IoCs) show that "attackers attempted to leverage the flaw to deploy payloads including obfuscated JavaScript code, a custom Rust loader used to load Cobalt Strike, and various other malicious executable and binaries." Local and federal government agencies use Trimble Cityworks to manage "airports, utilities, municipalities and counties," and all Federal Civilian Executive Branch agencies must patch by February 28.

Researchers at NowSecure have detected multiple security and privacy vulnerabilities in the DeepSeek app for iOS. NowSecure's assessment of the app turned up a number of risks, including unencrypted data transmission; weak and hardcoded encryption keys; unsecure data storage; data collection & fingerprinting; and data sent to China and subject to laws in PRC. NowSecure urges organizations to prohibit the use of the app, 'explore alternative AI platforms that prioritize mobile app security and data protection, [and] continuously monitor all mobile applications to detect emerging risks.'

The UK's independent, non-profit Cyber Monitoring Centre (CMC) is now classifying cyber incidents by severity. CMC was initially conceived to provide quantifiable information for insurance companies to help them determine whether a cyber incident constitutes a systemic event; the organization will provide information to 'all security risk owners.' The CMC will evaluate incidents affecting organizations within the UK that are estimated to have 'a potential financial impact' of at least £100 million ($123.6 million). Categorization criteria include number of organizations impacted by the incident and the total estimated financial damages. For each evaluated incident, CMC staff members will provide a severity categorization from 1 to 5 and a report detailing how they arrived at the categorization. The CMC's classification system bears a resemblance to the scale used to classify hurricanes.

A critical flaw in Orthanc Server could be exploited to disclose information, modify records, or cause denial-of-service conditions. The issue lies in missing authentication for a critical function and affects Orthanc Digital Imaging and Communications in Medicine (DICOM) Server versions older than 1.5.8. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control System (ICS) Medical Advisory describing the issue. Users are urged to upgrade to the most recent version to Òenable the HTTP authentication by setting the configuration "AuthenticationEnabled": true in the configuration file.'

In a report to the London Stock Exchange, British engineering firm IMI plc has disclosed 'a cyber security incident involving unauthorised access to the Company's systems.' IMI has not provided many details beyond stating that they brought in third-party experts to investigate. IMIÕs disclosure comes roughly a week after another UK engineering firm, Smiths, disclosed a cyberattack.

In a 10-Q form filed with the Securities and Exchange Commission (SEC), newspaper publisher Lee Enterprises disclosed a "cyber incident" on February 3, 2025, that has resulted in an IT outage and disruption of the company's operations. Lee Enterprises "publishes 77 daily newspapers and 350 weekly and specialty publications in 26 states," and many of its news outlets experienced the effects of the attack, including days of problems with editorial and production applications, sometimes causing delayed or missed publications, as well as problems with reader subscription account access. The company notified its employees on the day of the attack that "data centers hosting applications and services used by Lee employees and media outlets were offline, including its systems for subscriber services," and "call center applications, some phone lines and other core systems, including [the] VPN for remote employees and single sign-on for accessing applications, were inaccessible." At time of this writing, the outages have not been resolved. The exact nature, scope, full impact of the attack, and anticipated recovery timeline have not been disclosed.