HTTPS Certificates Get New Security Requirements; Oracle Health Data Breach; 23andMe Future Buyer Must Follow Privacy Policy

The Certificate Authority Browser (CA/Browser) Forum has added two practices to its Baseline Requirements to enhance the security of HTTPS certificates. The first, Multi-Perspective Issuance Corroboration (MPIC), "enhances existing domain control validation methods by reducing the likelihood that routing attacks can result in fraudulently issued certificates. Rather than performing domain control validation and authorization from a single geographic or routing vantage point, which an adversary could influence as demonstrated by security researchers, MPIC implementations perform the same validation from multiple geographic locations and/or Internet Service Providers." CAs must also now use linting, which "ensures certificates are well-formatted and include the necessary data for their intended use, such as website authentication." Both new requirements took effect on March 15, 2025.

BleepingComputer and Bloomberg have both reported that Electronic Health Records (EHR) company Oracle Health, formerly known as Cerner, privately communicated to its customers on plain non-letterhead paper the news of a data breach detected on February 20, 2025, involving "Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud." According to the communication, in the month before the attack was detected the threat actor accessed servers using compromised customer credentials and exfiltrated data to a remote server, possibly including patient information from electronic health records. Reportedly Oracle Health will help identify impacted individuals, but the company claims that hospitals are responsible for determining any HIPAA violations and handling further specific notifications. Oracle has not publicly acknowledged this breach, and has openly denied the separate alleged March 20, 2025 breach of Oracle Cloud servers.

In a letter sent to the acting trustees and trial attorneys in the 23andMe bankruptcy case, the US Federal Trade Commission writes that whoever purchases 23andMe must uphold the company's data privacy policy. According to the 23andMe privacy statement, "If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity." 23andMe filed for Chapter 11 bankruptcy protection on March 23, 2025. Their privacy policy was last updated on March 14, 2025.

For their State of CPS Security: Healthcare Exposures 2025 report, researchers from Claroty's Team82 conducted "an analysis of connected medical devices and systems exposed to known exploits, ransomware, and attacks leveraging insecure connectivity."

Not only do healthcare CISOs face issues posed by legacy technology and unsupported products, but the patching cycle is determined by the interactions of the vendor and the US Food and Drug Administration (FDA), "which is responsible for the validation of any cybersecurity-related changes made to medical devices." Team82 writes, "Our goal in this report is to shed light on the riskiest exposures facing healthcare devices and networks -- as well as OT within hospitals -- [to] provide some context to help identify those assets most in jeopardy, and demonstrate the number of devices burdened not only by known and exploited vulnerabilities (KEVs), but those that are most at risk to ransomware and extortion attacks, and insecurely connected to the internet."

Mozilla has published a security advisory reporting a sandbox escape vulnerability now fixed for Windows users in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1. CVE-2025-2857, rated critical by Mozilla, would allow sandbox escape due to a compromised child process causing the parent process to return an unintentionally powerful handle. Mozilla notes that developers found this flaw following a recent report from Kaspersky of a similar sandbox escape in Chrome for Windows under active exploit: CVE-2025-2783, fixed in Chrome 134.0.6998.177/.178 and now added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) database. The Firefox flaw is not known to have been exploited. Tor Browser, which shares its codebase with Firefox, has also patched the flaw for Windows users in version 14.0.8. Users of Firefox, Chrome, and Tor for operating systems besides Windows are not affected.

On March 31, 2025 Apple released security updates for a wide range of their products. The updates include notable backported fixes for flaws reportedly exploited as zero-days in older devices and operating systems: CVE-2025-24085, CVSS score 7.3, allows privilege elevation through a malicious application already installed on the device due to a use-after-free bug in the Core Media component. This flaw is fixed in macOS Sonoma 14.7.5, macOS Ventura 13.7.5, and iPadOS 17.7.6. CVE-2025-24200, CVSS score: 4.6, allows an actor to disable USB Restricted Mode as part of a physical cyberattack on a locked device, due to an authorization issue in the Accessibility component. CVE-2025-24201, CVSS score 8.8, allows an attacker to break out of the Web Content sandbox using crafted malicious web content due to an out-of-bounds write issue in the WebKit component. These two flaws are fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11. Other items included in the release are updates for visionOS, tvOS, macOS Sequoia, Safari, Xcode, and additional versions of iOS and iPadOS.

Researchers at Infoblox have published a report describing a Phishing-as-a-service (PhaaS) kit observed in use since 2020, that has grown in complexity and among other capabilities now abuses domain name server mail exchange (DNS MX) records to "dynamically serve phishing web templates that relate to the victim's email service," targeting users globally and in over a dozen languages. Referencing Cloudflare DNS over HTTPS (DoH) or Google Public DNS, the kit loads one of at least 114 spoofed HTML templates mimicking a login page relevant to the victim. Infoblox suggests organizations strengthen DNS security, "tightening DNS control so that users cannot communicate with DoH servers or blocking user access to adtech and file sharing infrastructure not critical to the business," positing that "if companies can reduce the number of unimportant services in their network, they can reduce their attack surface." Heath Renfrow, co-founder and CISO at Fenix24, recommends deep DNS logging and analysis; monitoring for brand spoofing and MC record anomalies; using zero-trust gateways; enforcing DMARC, DKIM, and SPF authentication; and requiring regular anti-phishing training.

Researchers from Sucuri found that threat actors are hiding malware in the WordPress mu-plugins directory. Must-use (mu) plugins are in a separate directory and are automatically activated. By placing the malware here, it is more likely to evade routine security checks. The researchers detected three different types of malware written in PHP: a phony update redirect, a remote code execution webshell, and a spam injector. These are not the first instances of malware found in the the mu-plugins directory: earlier this year, Sucuri found "multiple backdoors allowing attackers to execute malicious code remotely," noting that "Attackers exploit this directory to maintain persistence and evade detection, as files placed here execute automatically and are not easily disabled from the WordPress admin panel."

The Windows 11 Insider Preview Build 26200.5516 released March 28, 2025 has removed the bypassnro.cmd script, ensuring "all users exit setup with internet connectivity and a Microsoft Account." The script's purpose was to create a registry value removing the requirement for an internet connection during setup, allowing users who preferred not to use a Microsoft Account to proceed with only a local Windows account. Microsoft's stated intention is "to enhance security and user experience" by removing the script, though Lawrence Abrams, owner and Editor in Chief of BleepingComputer, reports that "many users do not want to use a Microsoft Account, thinking it reduces their privacy and allows Microsoft to monitor their activities." The same bypass can be manually achieved using commands as long as Windows still includes the registry value.

On March 24, 2025, the US National Institute of Standards and Technology (NIST) published NIST AI 100-2e2025, representing the agency's final guidelines on "securing applications of artificial intelligence (AI) against adversarial manipulations and attacks," offering terminology and attack taxonomy for adversarial machine learning (AML). The report identifies and classifies attacks "relative to: (i) the AI system type, (ii) the stage of the ML life cycle process in which the attack is mounted, (iii) the attacker's goals and objectives in terms of the system properties they seek to violate, (iv) the attacker's capabilities and access, and (v) the attacker's knowledge of the learning process and beyond," differentiating chiefly between Predictive AI (PredAI) and Generative AI (GenAI) and offering improved mitigation techniques.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a malware analysis report (MAR) detailing malware called RESURGE that has been used to exploit a known stack-based buffer overflow vulnerability in Ivanti Connect Secure before version 22.7R2.5; Ivanti Policy Secure before version 22.7R1.2; and Ivanti Neurons for ZTA gateways before version 22.7R2.3. The MAR includes indicators of compromise, detection signatures, and suggested mitigations. As RESURGE is capable of surviving reboots, CISA recommends conducting a factory reset.

A former intern at the UK's Government Communications Headquarters (GCHQ) pleaded guilty to violating the Computer Misuse Act (CMA) for downloading top secret information to his mobile phone and taking it home. Hasaan Arshad's plea admits to "committing an unauthorised act which risked damaging national security." The incident occurred in August 2022; he was arrested in September 2022. Due to the nature of the stolen data, parts of the case were to have been held in closed sessions, but his plea on the first day of the trial made that unnecessary. Sentencing will take place in June.