Signal May Exit Sweden Over E2EE Backdoor; CVSS 10.0 Flaw in Mitre Caldera; Anne Arundel County Cyberattack

"We would leave the market before we would comply with something that would catastrophically undermine our ability to provide private communications ... We have a responsibility to provide technology that upholds human rights in an era where those rights are being infringed on in many, many corners," said Meredith Whittaker, president of the parent non-profit behind encrypted messaging service Signal, in an interview with Swedish publication SVT Nyheter. Whittaker's ultimatum is a response to a proposed bill in Swedish parliament that would require Signal and Meta's WhatsApp to "store chat data for up to two years and make it available to law enforcement officials upon request." The bill could go before the legislature as early as March 2026. SVT Nyheter also reports that Sweden's armed forces rely on Signal and have submitted a letter warning the government against the risks of weakening encrypted communication.

Read more in

The MITRE Caldera team is urging users to download and install the most recent version of MITRE Caldera to address a critical OS command injection execution vulnerability that affects all versions of the scalable, automated adversary emulation platform. The vulnerability, which has been scored 10.0, 'can be triggered in most default configurations. The only preconditions for this vulnerability to be exploitable are the presence of Go, python and gcc on the system that the Caldera server is running on. Notably, all of these dependencies are required for Caldera to be fully-functional in the first place and on many distributions, gcc is a dependency of Go, meaning this vulnerability is extremely likely to be available to an attacker,' according to Dawid Kulikowski, who detected and reported the issue.

Read more in

Maryland's Anne Arundel County has published an announcement informing residents and employees that due to a cyberattack that caused a day of shutdown on Monday, February 24, "some services may be limited" despite county buildings reopening the following day, and individual departments should be contacted with service inquiries. All essential employees and emergency employees must report in person as usual, but anyone eligible for telework is encouraged to work remotely to avoid possible internet connectivity issues. StateScoop quotes a previous revision of the announcement that specified MD officials had limited the office's internet access intentionally as a precaution, and the current page states that further updates are forthcoming.

Read more in

DISA Global Solutions, "a third-party administrator of employment screening services, including drug and alcohol testing and background checks," has disclosed a data breach that took place between February 9 and April 22 in 2024. The breach affected 3.33 million people, according to a report filed February 21, 2025, with the Maine attorney general's office. A report filed with the Massachusetts Office of Consumer Affairs and Business Regulation indicates that the data accessed included social security numbers, financial accounts, driver's licenses, and credit/debit numbers, but not medical records. The notice on DISA's website states that in the attack, "an unauthorized third party accessed a limited portion of our environment ... and procured some information," leading the company to secure its network, notify law enforcement, restore its systems and operations, and implement additional security. DISA is not aware of "any attempted or actual misuse of any information." Affected individuals have been notified, and have been offered credit monitoring and identity restoration services through Experian. The Register indicates that wording of a now-removed statement suggested the company was responding to ransomware.

Read more in

In their 2025 OT/ICS Cybersecurity Report published earlier this week, Dragos notes a significant increase in ransomware attacks against industrial organizations and emergence of new threat groups targeting these organizations. New malware variants of ICS-specific malware were used against operational technology networks in 2024, and were used in the Russian-Ukrainian war to disrupt communications to gas, water, and sewage sensors, and to disrupt availability of heat for hundreds of apartment buildings. 'This year's report demonstrates two important trends,' said Robert M. Lee, co-founder and CEO of Dragos. 'That OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure.'

Read more in

The Open Source Security Foundation (OpenSSF) has announced the initial release of their Open Source Security Project Baseline (OSPS Baseline). 'The Open Source Project Security (OSPS) Baseline is a set of security criteria that projects should meet to demonstrate a strong security posture. The controls are organized by maturity level and category: Level 1: for any code or non-code project with any number of maintainers or users; Level 2: for any code project that has at least 2 maintainers and a small number of consistent users; and Level 3: for any code project that has a large number of consistent users.' Additionally, some of the controls map to external frameworks, including OpenSSF Best Practices Badge (BPB): 2024; NIST Cybersecurity Framework (CSF): 2.0; Cyber Resilience Act (CRA): 20.11.2024; Software Security Development Framework (SSDF): 1.1; ISO/IEC 18974 (OC): 1.0 - 2023-12; Open Cybersecurity Reference Architecture (OCRE): 2024; and Supply Chain Levels for Software Artifacts (SLSA): 1.0.

Read more in

Researchers from Claroty's Team82 are looking into vulnerabilities in the Windows CE operating system, 'a legacy OS still prevalent in OT environments.' In the first of four planned blog posts on the subject, Claroty's Team82 describes how they developed a Windows CE app that is designed to help them understand the OS as they conduct their research. The researchers note that Windows CE 'is commonly found in industrial settings because of its ease of access. It's most often used in critical factory machinery, and is easily configurable and customizable, making it a great fit for HMI systems deployments.' Future blog posts will include information about CVEs found in the course of their research.

Read more in

Earlier this week, Qualcomm announced that it is extending support for Android devices with Qualcomm chips for 'up to eight consecutive years of Android software and security updates.' Previously, the maximum duration of guaranteed support was four years. The new offer applies to 'Android smartphones running on the Snapdragon 8 Elite Mobile Platform [as well as] smartphones launching on new Snapdragon 8 and 7-series mobile platforms.' The decision to offer the extended update plan to customers will rest with the original equipment manufacturer (OEM).

Read more in

Siemens has published a security advisory providing details about 'an open redirect vulnerability that could allow an attacker to redirect the legitimate user to an attacker-chosen URL to steal valid session data.' The issue lies in the Teamcenter SSO login service. While there is currently no fix available for the vulnerability, Siemens is developing updated versions to address the issue. Until those are released, Siemens recommends configuring the environment according to their operational guidelines for Industrial Security, following product manual recommendations, and not clicking on links from untrusted sources.

Read more in

The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical and two high-severity vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. CVE-2017-3066, CVSS score 9.8, allows arbitrary code execution through a deserialization flaw in the Apache BlazeDS library in Adobe ColdFusion. CVE-2023-34192, CVSS score 9.0, allows arbitrary code execution via a crafted script to the /h/autoSaveDraft function due to a cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CVE-2024-20953, CVSS score 8.8, allows an attacker with network access and low privileges to compromise a system via HTTP due to a deserialization vulnerability in Oracle Agile PLM. CVE-2024-49035, CVSS score 8.7, allows privilege escalation through an improper access control vulnerability in Microsoft Partner Center. The Microsoft privilege escalation CVE is the only one of the four to have been acknowledged in a public report, but no additional details of the attack were provided.

Read more in