Breakthrough in Microsoft Majorana 1 Quantum Processor; Signal QR Code Phishing; OpenSSH Patches DoS & MitM Vulnerabilities

Microsoft has announced a quantum computing breakthrough in the development of its Majorana 1 chip. At issue is making qubits (quantum bits) as reliable as binary bits; qubits are more sensitive to noise and therefore susceptible to errors. Microsoft writes of their development: 'Built with a breakthrough class of materials called a topoconductor, Majorana 1 marks a transformative leap toward practical quantum computing.' Majorana 1 will potentially comprise one million qubits on a single chip slightly larger than CPUs in desktops and servers.

According to Google Threat Intelligence Group (GTIG), "Russia state-aligned threat actors" have been abusing a legitimate feature in the encrypted messaging app Signal that links devices using a QR code or URL, "allow[ing] one Signal account to be used on multiple devices, like a mobile device, desktop computer, and tablet." The threat actors trick a user into following a QR code or link under false pretenses -- appearing to be a security alert, a group invitation, or even part of a Ukrainian military application -- that actually links the victim's account to an instance controlled by the attacker, meaning "future messages will be delivered synchronously to both the victim and the threat actor in real-time." Signal has released an update designed to protect against this type of phishing attack by requiring authentication when linking devices, and by warning and checking in with users during and after the process. GTIG warns that threats to many messaging applications, including WhatsApp and Telegram, are intensifying, and recommends protective practices: lock mobile device screens using a complex password; ensure devices and apps are updated; enable Google Play Protect on Android devices and consider Lockdown Mode on iPhones; examine the "linked devices" list regularly; be wary of QR codes and links, especially if the context "urge[s] immediate action"; and implement MFA.

Researchers from the Qualys Threat Research Unit (TRU) have disclosed two vulnerabilities stemming from memory errors in OpenSSH. CVE-2025-26465, CVSS score 6.8, would allow an attacker to perform a Man-in-the-Middle (MitM) attack if the VerifyHostKeysDNS option is set to "yes" or "ask" -- notably, this flaw has been present since December 2014 in OpenSSH 6.8p1, and the vulnerable configuration was enabled by default in FreeBSD until March 2023. CVE-2025-26466, CVSS score 5.9, leaves the OpenSSH client and server vulnerable to pre-authentication Denial-of-Service (DoS) attacks. Both flaws have been patched in OpenSSH 9.9p2. OpenSSH is a critical and widely-used tool "which underpins many of the encrypted remote connections across Windows, Linux, and macOS, as well as secure file transfers," and is implemented in high-profile systems including "Facebook, Morgan Stanley, NetApp, Netflix, and Uber."

Juniper Networks has released a security advisory notifying users of a critical authentication bypass vulnerability affecting Session Smart Routers (SSR), Session Smart Conductors, and WAN Assurance Routers, which has now been patched. CVE-2025-21589, CVSS score 9.3, "may allow a network-based attacker to bypass authentication and take administrative control of the device" using an alternate path or channel. The flaw is fixed in SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2 and later; devices that operate with WAN Assurance connected to the Mist Cloud will have been patched automatically.

Microsoft has published a security update disclosing the zero-day exploitation and subsequent patching of a high-severity vulnerability in Power Pages, the company's "low-code software as a service (SaaS) platform for creating, hosting, and administering modern external-facing business websites." CVE-2025-24989, CVSS score 8.2, allows unauthorized privilege elevation and possible bypass of user registration control via an improper access control vulnerability. The notice assesses the flaw as "Exploitation Detected," but provides no further details on the exploitation. Microsoft has already patched the service and notified customers who may have been affected, providing "instructions on reviewing their sites for potential exploitation and clean up methods."

Deral Heiland from Rapid7 has identified and disclosed two vulnerabilities, now both patched, in the firmware of Xerox Versalink C7025 Multifunction Printers (MFPs) affecting versions 57.69.91 and earlier. Both bugs are pass-back vulnerabilities: CVE-2024-12510 involves an attacker capturing clear text Lightweight Directory Access Protocol (LDAP) credentials given administrative access and access to the LDAP configuration settings; CVE-2024-12511 allows an attacker to capture SMB or FTP credentials by modifying the server's IP in the address book. Rapid7 notes that successful exploitation and access to Windows Active Directory could allow lateral movement within an organization's environment and lead to further compromises. Rapid7 disclosed these flaws to Xerox in March 2024, showing a timeline of ongoing check-ins with the company until they made patches available in January 2025 and opened disclosure in February 2025. Rapid7 recommends patching MFP firmware immediately, and if updating is not possible, to "set a complex password for the admin account ... avoid using Windows authentication accounts that have elevated privileges ... [and] avoid enabling the remote-control console for unauthenticated users."

Major Australian fertility services provider Genea published a statement on Wednesday, February 19, 2025, confirming that certain systems and servers have been taken offline during investigation of "suspicious activity" including an unauthorized third party's access to the company's data. Genea is still working to understand "the extent to which [the data accessed] contains personal information," and is communicating with any patients whose treatment schedule may be affected by the incident. The Australian Broadcasting Corporation (ABC) reports that Genea is "liaising with the Australian Cyber Security Centre," but that several clinics' phone lines were down five days before the statement was issued, and a number of patients have reported serious disruptions to their treatments as well as unavailability of the MyGenea app, used for tracking cycle and fertility data and viewing test results and forms. "Serious data breaches including leaks of identity, personal or financial information must be reported to the Office of the Australian Information Commissioner (OAIC) within 30 days."

A Dutch man purchased 15 500GB hard drives at a flea market; when he examined them at home, he found they contained troves of medical data. The man initially purchased just five of the drives, but once he discovered the sensitive nature of the data they held, he returned to the flea market and purchased the rest of the seller's drives from that batch, noting, "luckily they ended up with me and not with criminals." The medical data on the devices are from 2011 through 2019.

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have published a joint cybersecurity advisory to share known indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) for Ghost (Cring) ransomware. The advisory recommends several actions to mitigate Ghost-related cyberthreats: 'Maintain regular system backups stored separately from the source systems which cannot be altered or encrypted by potentially compromised network devices; Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe; Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization; and Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.' The document also lists seven CVEs the Ghost threat actors have been known to exploit: CVE-2018-13379, which affects Fortinet FortiOS appliances; CVE-2010-2861 and CVE-2009-3960, which affect servers running Adobe ColdFusion; CVE-2019-0604, which affects Microsoft SharePoint; and CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, commonly referred to as the ProxyShell attack chain, which affects Microsoft Exchange.

US Congressmen and committee chairmen Brett Guthrie (R-Kan.) and John Joyce (R-Md.) have announced the creation of a working group within the House Committee on Energy and Commerce aimed at discussing and developing legislation for a comprehensive "national data privacy standard." Eight other House Republicans will work with stakeholders in the stated interest of "protect[ing] Americans' rights online and ... [US] leadership in digital technologies, including artificial intelligence." MeriTalk notes that "there is no comprehensive Federal data privacy law, and 20 states have their own individual privacy laws."

Between March 2015 and March 2018, US military healthcare administration contractor Health Net Federal Services (HNFS) allegedly violated its contract with the US Defense Health Agency (DHA) by failing to meet required cybersecurity standards and misrepresenting its compliance on annual reports. The DHA claims HNFS failed to scan for known vulnerabilities and remedy security flaws; ignored third-party cybersecurity auditors' reports covering many risks and policies; and "falsely attested ... compliance with at least seven of the NIST 800-53 security controls." During this time HNFS administered the TRICARE health plan covering military personnel and their families in 22 US states. A settlement agreement signed in the first week of February 2025 requires HNFS and its parent corporation, Centene, to pay the United States $11,253,400, admitting no liability.