Microsoft: US Rural Hospitals Need $75M to Strengthen Cybersecurity; Apple Challenges Alleged UK Backdoor Order; US Financial Orgs Urge CISA to Revise CIRCIA

There are roughly 2,100 rural hospitals in the US; of those, about 1,000 are independent hospitals, meaning that they are not part of a larger network that can help absorb the cost of and pass along security upgrades. Last year, Microsoft launched their Cybersecurity for Rural Hospitals Program, which offers 'free cybersecurity assessments, cybersecurity training, Microsoft security product discounts, and AI solutions designed to promote hospital resiliency.' In a paper published earlier this week, Microsoft shares insights gained from their work with participating hospitals. Microsoft's data indicate that 20 percent of hospitals experience increased patient mortality following cyberattacks. When rural hospitals experience cyberattacks, people have to travel farther for care, and this also contributes to negative outcomes for patients. Microsoft estimates rural hospitals would have to spend between $30,000 and $40,000 to bring their cybersecurity postures to basic standards. 'This would include implementing MFA, unified identity management, and separating user and privileged accounts so that the most common attacks could be largely mitigated.'

The Financial Times reports that nearly simultaneously with Apple's February 24 withdrawal of Advanced Data Protection (ADP) from the UK over a reported government order demanding backdoor access to end-to-end encrypted (E2EE) cloud data, the company also filed an appeal with the UK's Investigatory Powers Tribunal (IPT), aimed at overturning the order. The IPT is "an independent judicial body that oversees legal complaints against potential unlawful actions by a public authority or UK intelligence services." Apple's withdrawal of ADP from the UK alone would not constitute full compliance with the reported order, though the UK government has not acknowledged the existence of the order, an alleged Technical Capability Notice (TCN) under the Investigatory Powers Act 2016.

An open letter from several US financial sector organizations urges the Cybersecurity and Infrastructure Security Agency (CISA) to rescind and reissue a proposed rule that was published in the Federal Register last spring. The rule would implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which would require covered financial sector entities to report 'substantial cyber incidents' within 72 hours and ransom payments within 24 hours. CIRCIA has been set take effect in October 2025. The signatories 'believe the proposed rule will have significant and detrimental repercussions if not substantially revised, É [and] ask[s] that [CISA] work with industry to craft a new rule that allows a victim company to focus its resources on responding to an attack rather than filing government reports.'

Broadcom has released patches for three VMWare vulnerabilities, stating in an FAQ that there is evidence to suggest exploitation of the flaws in the wild; the Cybersecurity and Infrastructure Security Agency (CISA) has since added all three to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities impact VMWare ESXi, Workstation Pro/Player, Fusion, Cloud Foundation, and Telco Cloud Platform, and when chained together would allow an attacker to escape the OS sandbox of a virtual machine (VM) to compromise the hypervisor and other hosted machines. All three flaws require the attacker to have local administrative privileges on the guest VM. CVE-2025-22224, CVSS score 9.3, allows an attacker to execute code as the VM's VMX process running on the host, due to a Time-of-Check Time-of-Use (TOCTOU) vulnerability permitting an out-of-bounds write. CVE-2025-22225, CVSS score 8.2, allows an attacker to escape the sandbox via an arbitrary write vulnerability in the VMX process. CVE-2025-22226, CVSS score 7.1, allows an attacker to leak memory from the VMX process by exploiting an information disclosure vulnerability, an out-of-bounds read in HGFS. Microsoft Threat Intelligence reported the flaws to Broadcom. Neither CISA nor Broadcom have provided specifics beyond known exploitation. A matrix of fixed versions per product appears in Broadcom's advisory.

Elastic has released updates for Kibana to address a critical prototype pollution vulnerability that Òleads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.' The vulnerability affects Kibana versions 8.15.0 through 18.7.2; users are urged to update to Kibana version 18.7.3. Users who are unable to upgrade should 'set xpack.integration_assistant.enabled: false in Kibana's configuration.'

According to the results of the Healthcare Information Management Systems Society's (HIMSSÕs) 2024 Healthcare Cybersecurity Survey, more than half of the healthcare organizations responding said they plan to increase cybersecurity spending this year. Thirty percent of respondents plan to spend more than 7 percent of their IT budget in cybersecurity. In addition to cybersecurity budgets, the report looks at security awareness, security incidents, ransomware, artificial intelligence, third-party risks, and insider threats.

In a post on X on Sunday, March 2, 2025, Poland's space agency (POLSA), a member of the European Space Agency, announced that they disconnected their network from the internet and notified relevant authorities following a cybersecurity incident. An anonymous source inside POLSA told The Register "the attack appears to be related to an internal email compromise and that staff are being told to use phones for communication instead." Poland's digitalization minister, Krzysztof Gawkowski, posted separately to note that the attack was detected by state cybersecurity services, and the agency's recovery and subsequent investigation will be supported by computer security incident response teams CSIRT NASK and CSIRT MON.

An advanced persistent threat group targeted the United Arab Emirates (UAE) critical infrastructure organizations through a malicious email campaign, according to researchers from Proofpoint. The campaign targeted 'fewer than five Proofpoint customers in the United Arab Emirates with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure.' The investigation led researchers to discover a backdoor they are calling Sosano; the 'campaign used polyglot files to obfuscate payload content, a technique that is relatively uncommon for espionage-motivated actors in Proofpoint telemetry and speaks to the desire of the operator to remain undetected.'

Researchers from Human Security's Satori Threat Intelligence have detected a fraud operation involving a botnet of a million or more compromised Android devices. Satori, in collaboration with researchers from Google, Trend Micro, Shadowserver, and other partners, disrupted the campaign they call BADBOX 2.0. The botnet comprises more than a million backdoored Android TV devices. It was used to conduct several types of fraud schemes, including selling residential proxy services without users' permission, ad fraud, and click fraud.

The Toronto Zoo has issued a "final notification" press release providing additional information about a data breach that occurred in January 2024, resulting in a dark web leak of data belonging to guests, members, employees, volunteers, and donors, in some cases going back over 20 years, impacting some former staff employed from 1989, and leading to the loss of "decades of wildlife conservation research." All guests and members who engaged in general admission and membership purchases had their data compromised, including "first and last names, ... street address information, phone numbers and e-mail address information; and (only for guests and members making credit card transactions between January 2022 and April 2023), the last four digits of credit card numbers and associated expiration dates." The Zoo is working with the City of Toronto's Chief Information Security Office to better secure their systems, and there is an open investigation file with the Office of the Information and Privacy Commissioner of Ontario.