A list of topics we covered in the week of February 17 to February 23 of 2025

February 21, 2025 - Healthcare security is failing patients time and again. This week DM Clinical Research and Helath Net Federal Services take the spotlight

February 20, 2025 - Beware before downloading Google Chrome from a Google search, you might get more than you expected.

February 20, 2025 - An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack.

February 20, 2025 - South Korea says it's uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok.

February 19, 2025 - Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

 A week in security (February 17 &#8211; February 23) 

Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

TP-Link is one of the most popular router manufacturers in the US, but the company is facing a potential ban due to security concerns about its links to China. A December report from The Wall Street Journal revealed that the US Commerce, Defense, and Justice Departments are investigating TP-Link, though no evidence of deliberate wrongdoing has yet emerged.

“We are a US company,” Jeff Barney, president of TP-Link told WIRED, “We have no affiliation with TP-Link Tech, which focuses on mainland China, and we can prove our separateness.”

The investigation was sparked by a letter from John Moolenaar, a Republican for Michigan, and Raja Krishnamoorthi, a Democrat of Illinois. Both are on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. They outlined concerns that Chinese state-sponsored hackers may be able to compromise TP-Link’s routers more easily than other brands and thereby infiltrate US systems, and that TP-Link is subject to Chinese law, meaning it can be forced to hand over sensitive US information by Chinese intelligence officials.

Photograph: Simon Hill

TP-Link was founded in China in 1996 by two brothers, and TP-Link USA was established in 2008. It wasn’t until 2022 that the Chinese and US wings began to split. The process of moving the 170 subsidiaries and all the related ownership out of Hong Kong and into the United States was delayed by the pandemic, says Barney, but it was divested and restructured by 2024.

TP-Link now has headquarters in California and Singapore and manufactures in Vietnam. It researches, designs, develops, and manufactures everything except chipsets in-house, according to Barney. “Our entities in China are governed directly by us, our employees badged by us, secured by us, in our own facilities.” He also says TP-Link has shared documentation with investigators and that its factory in Vietnam was audited by US retail partners like Walmart, Best Buy, and Costco.

“Everybody has a Nexus in China,” Barney says. He claims that American rival Netgear uses Chinese ODMs (original device manufacturers) to build its products and that even Apple relies on manufacturing in China. Netgear says its routers are manufactured in Taiwan, Vietnam, and Thailand, not China.

**Competition Concerns**

The WSJ report suggests that TP-Link has a leading 64.9 percent share of the US router market, but TP-Link disputes this. The company claims its share hovered around 20 percent for the last few years, but jumped to a 36.5 percent unit share and a 30.7 percent dollar share in 2024. But even TP-Link’s lower estimate shows a company in the ascendancy. This dominance has been driven by aggressively low prices and a relatively early roll-out of Wi-Fi 7 routers, perceived by some as a concerted effort to flood the US market.

“Technology should not be exorbitant,” Barney says. “We're trying to democratize these products.”

However, the wide product range raises questions, with many wondering how TP-Link can profit from routers sold at such low prices compared to the competition. Former CNET reviewer Dong Ngo explores this point on the in-depth router review website, Dong Knows.

Concerns about the links between Chinese companies and its government are nothing new. The ban on Huawei’s networking equipment and US sanctions came after years of cybersecurity concerns and intellectual property lawsuits brought by US companies. The TikTok ban is not being enforced by President Donald Trump’s administration, but owner ByteDance is still under pressure to divest its US operations. These situations can be tricky for the average person to navigate because the lines between shoddy security, Chinese espionage, US protectionism, and the growing trade war are distinctly blurry and are not mutually exclusive.

It’s no secret that US competitor Netgear has been lobbying the US government on “cybersecurity and strategic competition with China.” Netgear has had a tough couple of years after adopting a premium pricing strategy that did not resonate with consumers. It has also been embroiled in litigation against TP-Link for patent infringement, resulting in TP-Link paying a $135 million settlement in September 2024.

**Are TP-Link Routers Secure?**

TP-Link has signed CISA’s “Secure by Design” pledge and is part of the Technical Exchange Group. It has a vulnerability disclosure program, where independent researchers and the security community can report potential issues to security@tp-link.com. It claims report response time was 8.4 days on average in 2023, with patches released in an average of 38.5 days. The company is also planning to launch a bug bounty program.

Barney claims TP-Link’s rate of vulnerabilities per product is significantly lower than many of its peers, including Netgear and Cisco, citing public data collected by Finite State, an independent US cybersecurity company, from CVE Details, VulDB, and CISA (Cybersecurity and Infrastructure Security Agency), but not everyone agrees.

“TP-Link does not have a great reputation for patching vulnerabilities or working with security researchers, which does raise alarm bells,” Pieter Arntz, malware intelligence researcher for Malwarebytes told WIRED via email.

Photograph: TP-Link; Data Source: U.S. Cybersecurity and Infrastructure Security Agency

TP-Link was criticized in a recent Microsoft report over a “password spraying” hack that mostly impacted its routers, and the report suggested Chinese “nation-state threat actor activity.” Barney says these were end-of-service products and that Asus and Netgear routers were also impacted.

Other incidents include a Check Point Research exposé of a malicious firmware implant for TP-Link routers, linked to a Chinese state-sponsored “advanced persistent threat” group dubbed “Camaro Dragon.” Cyfirma researchers also found TP-Link router vulnerabilities for sale on underground forums.

“It’s also a challenge because regardless of the home router vendor, there will always be vulnerabilities found,” Arntz says.

A part of the problem with older routers is that the onus is often on the user to download and install updates, and this is rarely automatic or as simple as clicking on “update,” which means many patches are never installed, creating vulnerable devices for any savvy cybercriminals or nation-states. Even months after TP-Link released patches for a vulnerability on its popular Archer AX21 router, hackers continue to scan for and exploit it on unpatched routers.

These security concerns are moot in the face of built-in backdoors. Backdoors can be pieces of code or even hardware added to the circuit board that enables remote parties to gain access and potentially control the device. There’s no evidence that TP-Link devices have backdoors, but, as Ngo points out, when you use an online account with your router, you are already giving the company access through the front door. Whether remote connectivity is justified by the need for automatic software updates, remote control access, or other features for users, it effectively gives the manufacturer access to your router.

**Should You Worry?**

Ultimately, the concern isn’t so much about the Chinese government or other malicious actors spying on your web browsing habits—though that is possible—it’s the idea they might employ your router as a part of a botnet to launch a cyberattack on a US government agency or major service provider.

The NSA has been concerned about Chinese hackers for some time now, and China's Salt Typhoon spies continue to infiltrate US internet service providers and telecommunications companies. Speaking on the _NatSec Tech_ podcast recently, former special assistant to the president and cybersecurity coordinator on the US National Security Council, Rob Joyce, likened TP-Link routers to a Trojan Horse and suggested China is pre-positioning for a potentially devastating attack on US infrastructure.

While some cybersecurity experts suggest a ban is imminent, Barney is confident that TP-Link routers won’t be banned. Investigations are ongoing. Even if the government doesn't find anything or decides against a ban, it won’t publicly clear TP-Link. It’s more likely the investigation will fade from the news.

Photograph: Simon Hill

For owners of a TP-Link router or anyone considering buying one, it all boils down to trust. We've tested and recommend several TP-Link routers and Deco mesh systems in our buying guides because they offer good value and great performance. But we continually update our guides and will monitor the situation before deciding whether we need to reconsider those recommendations.

There’s no easy fix because all the major router manufacturers have issues with vulnerabilities, and most of them require you to use an online account. You can go down the rabbit hole with router security, or seek out security-focused brands like Firewalla, but expect to pay more for your equipment in both time and money.

Even if you stick with what you have, there are steps you can take to be more secure online. We recommend using a VPN service and learning a little about router settings. Malwarebytes’ Arntz says the most secure router is the one on which you are comfortable changing the settings: credentials, firewall options, and especially installing updates.

Here’s his advice for home TP-Link router owners who are concerned:

*   First, update your login credentials. Ensure you have moved away from the default login credentials set by the router manufacturer (or internet provider). Make this password different from your Wi-Fi name and password. And remember, length equals strength when it comes to passwords.
*   Second, patch your device and set a reminder to check regularly for firmware updates.
*   Third, turn on the firewall and Wi-Fi encryption. You can find these settings by logging into your router from its app or website.
*   Finally, consider purchasing a new router from a different vendor with a less problematic history.

TP-Link also manufactures a wide range of smart home devices marketed under the Tapo brand, including everything from security cameras to water leak detectors. These are not part of the current investigation, which seems to be focused solely on routers. TP-Link says it has applied to the FCC’s Cyber Trust Mark program administered by UL Solutions, which ensures that internet-of-things devices are tested and labeled secure. Sadly, there is no such program for routers.

The US Is Considering a TP-Link Router Ban—Should You Worry?

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

133.0.3065.82

2/21/2025

133.0.6943.126/.127

CVE-2025-1006: Chromium: CVE-2025-1426 Heap buffer overflow in GPU

CVE-2025-1426: Chromium: CVE-2025-1006 Use after free in Network

CVE-2025-0999: Chromium: CVE-2025-0999 Heap buffer overflow in V8

FBI and CISA warn of Ghost ransomware, a China-based cyber threat targeting businesses, schools, and healthcare worldwide by exploiting software vulnerabilities.

A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reveals the ongoing threat of Ghost ransomware, also known as Cring.

Active since early 2021, this group, operating out of China, has targeted organizations in over 70 countries, impacting critical infrastructure, schools, healthcare, government networks, and businesses of all sizes. Their motive is purely financial gain.

****How Ghost Operates:****

Ghost actors exploit known vulnerabilities in internet-facing services running outdated software and firmware. Their modus operandi involves using publicly available code to exploit known vulnerabilities, such as those in Fortinet FortiOS appliances, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange. Once inside, they deploy ransomware payloads, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which encrypt files and demand hefty ransoms in cryptocurrency.

While Ghost’s ransom notes often threaten to sell stolen data, they typically exfiltrate limited amounts of information, focusing on encrypting systems for ransom.

****Identifying Ghost Activity:****

The advisory provides a list of indicators of compromise (IOCs), including file hashes, ransom email addresses, and tools used by Ghost actors. Organizations should investigate any presence of these IOCs on their networks. Unusual network traffic, such as scans for vulnerable devices, manipulation of administrator accounts, and execution of unfamiliar PowerShell scripts, can also indicate Ghost activity.

****Protecting Your Organization:****

The advisory also stresses the importance of basic security measures to defend against Ghost ransomware. One key measure is maintaining regular backups, preferably offline or segmented, to enable system restoration without succumbing to ransom demands. Timely patching software and firmware is also vital in addressing known vulnerabilities before they can be exploited.

Organizations should implement network segmentation by isolating compromised systems to limit the spread of infections. Strengthening authentication methods is another vital step, with phishing-resistant multi-factor authentication (MFA) recommended for all privileged and email accounts.

Cybersecurity training for employees also helps overcome the risks of phishing attacks. Additionally, monitoring PowerShell usage can help detect malicious activity early.

Organizations should also implement allowlisting to restrict the execution of unauthorized applications and scripts, reducing the risk of malware infiltration. Network monitoring is essential for identifying and investigating any abnormal behaviour that could indicate a security breach.

Furthermore, minimizing service exposure by disabling unnecessary ports and restricting access to essential services can significantly reduce vulnerabilities. Lastly, enhancing email security through advanced filtering and anti-spoofing measures helps prevent phishing attempts and other email-based threats.

As Juliette Hudson, CTO of CybaVerse, notes, _“_Ghost is a serious nation-state threat, exploiting known CVEs in widely used tech. Organizations must prioritize patching and remediation to prevent attacks. Unlike many ransomware groups relying on social engineering, Ghost exploits vulnerabilities for initial access. This highlights the urgency of timely security updates, as exploitation windows are shrinking. Strong cybersecurity hygiene, vulnerability testing, and security awareness training, especially against AI-driven phishing and deepfakes, are essential to defence._“_

1.  RansomHub: The New King of Ransomware?
2.  Lessons from the Holy Ghost Ransomware Attacks
3.  Fake GitHub Accounts Drop Malware in Stargazers Ghost Scheme
4.  New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets
5.  US Sanctions Chinese Cybersecurity Firm for Ransomware Attacks

FBI and CISA Warn of Ghost Ransomware: A Threat to Firms Worldwide

Breeze Liu has been a prominent advocate for victims. But even she struggled to scrub nonconsensual intimate images and videos of herself from the web.

Breeze Liu’s online nightmare started with a phone call. In April 2020, a college classmate rang Liu, then 24 years old, to tell her an explicit video of her was on PornHub under the title “Korean teen.” Liu alleges it had been filmed without her permission when she was 17 and uploaded without her consent.

Over time, the video mushroomed and multiplied: it was saved, posted on other porn websites and, Liu claims, used to create intimate deepfake videos that spread across the web. The impact on Liu was profound. “I honestly had to struggle with suicidal thoughts, and I almost killed myself,” she says.

Wiping around 400 nonconsensual images and videos from the web would require a multiyear, intercontinental effort. During this time, Liu went from working as a venture capitalist to starting her own company to help fight digital abuse. But when dealing with her own content, the entrepreneur faced a wall of silence and continual delays from one of the internet’s biggest gatekeepers: Microsoft.

As images and videos are published on websites like PornHub, they’re often hosted on cloud infrastructure. A series of emails related to Liu’s case reviewed by WIRED, plus interviews with a French victims’ aid organization and other advocates working with her, show how Microsoft, despite repeated pleas, did not remove about 150 explicit images of Liu stored on its Azure cloud services. While other companies took down hundreds of images, Liu and a colleague say Microsoft only took action after the two confronted a senior member of the tech giant’s safety team at a content moderation conference.

The drawn-out process, which prolonged the emotional toll on Liu, provides a detailed illustration of the difficulties victims and survivors of intimate image abuse experience in trying to erase the content from the web. Liu’s ordeal also highlights the void some victims fall into when their age in the imagery is disputed or hard to discern, an overlooked problem that may become more pressing as nudify apps spread in high schools.

“It’s almost impossible for ordinary people to navigate the complex system and do damage control,” Liu says. While she has shared parts of her struggle before, many of the details in this story and the resolution of Microsoft’s prolonged failure to remove the intimate images have not been previously reported. “We’re facing an extremely broken system, and this is a global issue,” Liu says. “This is a huge problem.”

Courtney Gregoire, Microsoft’s chief digital safety officer, says the company has learned from miscommunications in Liu’s case and doesn’t want anyone to go through the agonizing experience she did. “This content is a priority area where we endeavor to be actioning within 12 hours,” Gregoire says. For Liu, the grueling process took eight months.

After being alerted to the first nonconsensual video of her online in April 2020, Liu says, it took her a whole day to calm down. On May 14 of that year, she contacted the Berkeley Police Department, where she lived in California at the time.

The state considers it a misdemeanor crime to share real or spoofed intimate images of someone without their consent while knowing it would cause them distress. Detectives obtained search warrants for some websites but couldn’t identify the people responsible for uploading the content “based on the limited information retained by the internet sites and the overseas nature of the accounts involved,” department spokesperson Byron White says. Liu says she had a suspicion of who was responsible for the uploads, but the detectives weren’t sure how to prove it.

Liu contacted the Cyber Civil Rights Initiative, a US-based nonprofit that helps to tackle abusive content. While the organization found another webpage with violative content of her, the entrepreneur says it couldn’t aid her with takedown requests because she appeared potentially under the age of 18 in the images. The Cyber Civil Rights Initiative declined to comment about Liu but confirmed that it is legally barred from reviewing sexual imagery of minors.

By this point, it had been months since Liu first learned of the images and videos, and she needed a break. The original video hadn’t been quickly removed, and Liu suspected it had already spread far and wide. She felt powerless. She decided to let the case go, citing the stress of the pandemic, her frantic work schedule in venture capital, and the toll on her health. Embarrassed and terrified, the only confidant she told her story to was her cat.

“I always had this gut feeling that there’s more, but I was not mentally stable enough to handle any more brutal truths,” Liu says, adding that she did not feel comfortable searching for them herself. “You don’t want to see that of yourself.” That changed after Liu left her VC job in 2022 and decided to fully pursue her own startup, Alecto AI, which aims to develop face-recognition tools to help people find and remove nonconsensual images that have been shared on digital platforms.

It took about three years before Liu was ready to revisit efforts to get the explicit content of her taken down. Toward the end of 2023, she enlisted the help of her Alecto AI cofounder, Andrea Powell, a longtime trafficking and abuse victims’ advocate. That October, they sought out the help of a researcher at a victim helpline funded by the UK government. The researcher’s manual and automated image searching discovered 832 links appearing to show Liu in intimate states. “I couldn’t even look at the file, because that was just too much,” Liu says. She dialed up her therapist while a friend downloaded the spreadsheet of URLs for her. “She wasn’t even clicking into the content; she was just looking at the name of the URLs and she started crying,” Liu says.

Powell says the links contained “violent Asian-centric” language. But the UK-funded helpline can’t help victims abroad with takedowns, leaving Liu stranded with the spreadsheet. She thought about using StopNCII, a popular tool that uses matching algorithms to find abusive images, but felt it wasn’t a good fit. She feared it might not be able to spot potential deepfakes.

Liu then contacted the FBI, which preserved some of the links as evidence but in her view did not demonstrate further progress toward arresting the original uploader. The agency declined WIRED’s request for comment.

At one point, Liu turned to the National Center for Missing & Exploited Children, or NCMEC, a nonprofit established by the US Congress to work with child sexual abuse imagery, to see if it could help. But the nonprofit could not engage, Liu says. Even though Liu looked young in the content, she could not prove she was under 18 at the time, a prerequisite for NCMEC to pursue takedowns.

Lauren Coffren, NCMEC’s executive director, says it relies on partner law enforcement agencies to assess the age of victims. Age-borderline cases are rare, Coffren says, but “that stinks for a survivor” who should qualify for the organization’s help. “It speaks to just how difficult it is for survivors to be able to navigate this.”

Liu felt stuck between groups that seemingly couldn’t pursue takedowns for her. And she was tired of being judged. “What difference would it make if I was 17 or just two days over 18?” she says. “The damage for me is the same. It’s beyond frustrating.”

That’s when Powell, at the Paris Peace Forum, pleaded to a French victims’ aid organization, Point de Contact, which assists people in reporting illegal content. “I was sort of threatening that I just fly Breeze to France and make the case she’s French,” Powell says. Ultimately, on November 13, 2023, Point de Contact agreed to step up where other organizations had not. In the following days, emails show, the hotline analyzed the URLs and by the middle of December had started to send legal takedown demands to hosting providers. Liu was overcome—progress at last. “I'm literally shaking as I'm typing this,” Liu wrote in an email as the work began.

Etienne Dirani, operations manager at Point de Contact, says it found 395 nonconsensual images in the links Liu provided. The majority of the remaining 437 had already been deleted or made inaccessible. Others did not clearly identify Liu, or did not depict her intimately. Dirani says “tens” of unique images were published across multiple websites and that Point de Contact’s investigation at the time didn’t find any content “likely” generated by AI.

Some companies and hosting providers moved quickly; by the first week of January 2024, 155 URLs were dead. Microsoft, according to emails from Point de Contact to Liu, requested additional identifying information, such as her full name and social media handles, so the company could verify the content was associated with her. Liu provided these details, including a copy of her passport, but nothing happened.

More than a month later, a few dozen additional pieces of content had been removed. Of the 202 that remained online, 142 were hosted on Microsoft’s Azure services. A Point de Contact investigator emailed Liu and alleged, “Microsoft's abuse team did not answer our notification emails” and said the team was trying some of its individual contacts at the company. Around that time, a frustrated Liu mentioned Microsoft’s slow response in an interview with The Street. An unnamed Microsoft spokesperson told the news outlet that the company was investigating and noted that any potential violations of its acceptable use policy are taken seriously. Yet again, no action followed.

“The main issue we had was the lack of response from Microsoft,” Dirani says. He alleges that Microsoft’s abuse team believed that it needed more information, but he says the company never communicated what that information was. Even a higher-up contact wouldn’t give a straight answer on what additional details could trigger a takedown. Point de Contact tried to “push” Microsoft more, including opening a new case, according to Dirani. “We were sending reminders of all the URLs that were still online,” he says. “But unfortunately, even the new reports we sent were not responded to.”

As months went by, Liu could do little but wonder how many people each day were encountering the violative imagery of her. She was terrified about her career being derailed and was generally disheartened. Powell says she was in touch with Microsoft’s director of public policy for digital safety, Liz Thomas, at the time, but she was told it was difficult to verify the content showed Liu.

However, in late July last year, Powell and Liu concocted a plan to speak with Thomas at a San Francisco hotel hosting TrustCon, a conference for people working on online trust and safety issues. They hadn’t registered for the event, but Powell located Thomas at the hotel’s public bar with a group of colleagues. Once the colleagues left, Powell approached Thomas and urged for action, pointing toward Liu as she made her case. Seeing Liu in the same room made an impact.

Within days of the event, a Microsoft staffer emailed Powell that the case had been escalated, and the 142 URLs with Liu’s image started disappearing. “I don't ideally want to be chasing trust and safety people up and down the halls at TrustCon to deal with a case,” Powell says. “But it was what had to be done.”

At the start of last August, Point de Contact told WIRED that only two images on four different Microsoft servers remained. “We deeply regret that this issue took almost 10 months of communication between the victim, Microsoft and us as an NGO to be resolved,” the NGO said in an email at the time.

Microsoft digital safety chief Gregoire says Liu’s situation has spurred her team to try to improve reporting processes and relationships with victim aid groups. Point de Contact initially flagged links over which the company didn’t have control, according to Gregoire. She declined to elaborate on the circumstances. Dirani says this explanation was never communicated to him, and it remains unclear why the links were not “actionable.”

Only after Powell cornered Thomas over Liu’s case did Microsoft obtain the URLs upon which it could act. “We’re thankful, to be perfectly honest, to the spontaneous connection at TrustCon,” Gregoire says. But it shouldn’t be needed again: Point de Contact now has a more direct way to stay in touch, she says.

Other victim aid groups say their relationships with tech giants remain challenging. Last year, a WIRED investigation revealed that executives at Google rejected numerous ideas raised by staff and outside advocates that aimed to proactively counter access to problematic imagery in search results. Some survivors have found that the fastest way to get content removed is by filing copyright claims, a tactic those working in the online safety industry say is inadequate.

The lack of consistency in policies and processes among tech companies contributes to delays in securing takedowns, according to Emma Pickering, the head of technology facilitated abuse at Refuge, the UK’s largest domestic abuse organization. “They all just respond however they choose to—and the response usually is incredibly poor,” she says. (Google introduced new policies in July 2024 to accelerate removals.)

Pickering claims Microsoft, in particular, has been difficult. “I’ve recently been told if I want to engage with them, we need to provide evidence that we use their platform and we promote them,” she says, adding Refuge is trying to engage with as many tech platforms as possible.

Microsoft’s Gregoire says she will look into these concerns and is open to dialogue. The company hopes to stem the need for takedowns, in part, by scaring off perpetrators. This past December, Microsoft sued a group of 10 unknown individuals who allegedly circumvented safeguards on Azure and used an AI tool to generate offensive images, including some Gregoire described as sexually harmful. “We don't want our services to be abused to cause harm,” she says.

For Liu, the challenges haven’t ended. Videos and images depicting her naked remain available on at least one self-styled “free porn” website, according to links reviewed by WIRED. She also has had to pour her savings into developing Alecto AI because investor support has been lackluster. Some investors allegedly told her not to use her own experience in her pitch. Liu says that when she pitched one male-female pair who were considering investing, they burst into laughter at the idea of building a business around the use of AI to detect online image abuse. Even responding that she had almost killed herself after being victimized did little to sway them, Liu says.

In December 2024, more than four and a half years since her nightmare began, Liu found a glimmer of hope. A proposal she has advocated for in the US Congress to require websites to remove unwanted explicit images within 48 hours nearly ended up on then-President Joe Biden’s desk. It was ultimately shelved, but real progress had never felt so close. Liu and a bipartisan group of over 20 lawmakers haven’t given up; in January, they reintroduced the proposal, which threatens potential penalties of up to $50,000 per violation. Despite objections from rights groups worried about over-censorship, the bill passed the Senate last week. Even Microsoft has gotten behind it.

_If you or someone you know needs help, call 1-800-273-8255_ _for free, 24-hour support from the National Suicide Prevention Lifeline. You can also text HOME to 741-741 for the Crisis Text Line. Outside the US, visit the International Association for Suicide Prevention_ _for crisis centers around the world._

How One AI Startup Founder Cornered Microsoft Into Finally Taking Down Explicit Videos of Her

For decades, Microsoft Exchange has been the backbone of business communications, powering emailing, scheduling and collaboration for organizations worldwide. Whether deployed on-premises or in hybrid environments, companies of all sizes rely on Exchange for seamless internal and external communication, often integrating it deeply with their workflows, compliance policies and security frameworks

Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now

Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild.
The vulnerabilities are listed below -

CVE-2025-21355 (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability
CVE-2025-24989 (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability

"

Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

These sorts of attacks reveal growing adversary interest in secure messaging apps used by high-value targets for communication, Google says.

Source: aily\_creativity via Shutterstock

Multiple Russia-aligned threat groups are actively targeting the Signal Messenger application of individuals likely to exchange sensitive military and government communications related to the country's war with Ukraine.

For now, the activity appears limited to persons of interest to Russia's intelligence services, according to researchers at Google's Threat Intelligence Group (GTIG), who spotted it recently. But the tactics the threat actors are using in the campaign could well serve as a blueprint for other groups to follow in broader attacks on Signal, WhatsApp, Telegram, and other popular messaging apps, GTIG warned in a blog post this week.

**Likely to Become More Prevalent**

"We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war," Google threat analyst Dan Black wrote in the post.

Two of the Russian cyber-espionage groups that Google observed targeting Signal are UNC5792 — a threat actor that Ukraine's CERT tracks as UAC-0195 — and UNC4221 (aka UAC-0185). The goal of the attackers in both cases is to trick targeted victims into unknowingly linking their Signal account to an attacker-controlled device so any incoming messages are simultaneously available on the linked device.  

The attacks are taking advantage of "linked devices," a feature of the Signal app that allows users to securely connect and synchronize their account across multiple devices. However, the tactics that each threat group uses to get targets to unwittingly link their accounts have been slightly different.

UNC5782's ploy has been to send invitations asking targeted individuals to join a Signal group by sharing a malicious QR code with them. While the invitations look identical to Signal's group invite, the threat actors have modified them so that anyone social-engineered into scanning the QR code ends up linking their account to a UNC592-controlled device instead.

The other threat group, UNC4221, is using a customized phishing kit that impersonates parts of Kropyva, an application that Ukraine's military uses for artillery guidance, to try and social-engineer Signal Messenger users of interest. The threat actor has established Kropyva-themed phishing sites with the QR code directly embedded on them. It has also set up phishing sites pretending to contain legitimate Signal instructions for device linking to encourage scam victims into scanning their malicious QR code.

**Broad Threat Actor Interest**

Google identified UNC4221 and UNC5782 as two of several Russian and Belarusian groups that are targeting Signal Messenger to spy on persons of interest. Not all attacks by UNC4221 and UNC578 have involved device linking. Russia's infamous Sandworm cyber-sabotage group (which Google tracks as APT44) has been stealing Signal messages from a target's Signal database or local storage files, using a combination of malware tools. Similarly, Turla, a threat actor that the US government has tied to Russia's Federal Security Service (FSB), is doing the same using a lightweight PowerShell script that it deploys after gaining access to a target environment. Another threat actor from the region targeting Signal Messenger, according to Google, is Belarus-linked UNC1151, which uses the Robocopy Windows file-copying tool to copy and store Signal messages and attachments for future theft.

The flurry of activity targeting Signal is a sign of broader attacker interest in secure messaging apps used by those in espionage and intelligence gathering, including politicians, military personnel, activists, privacy advocates, and journalists. The apps' security features, which include end-to-end encryption of text, voice, and video with minimal data collection practices, have made it a popular tool for at-risk individuals and communities. It has also made the app "a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements," Google's Black wrote.

Signal is not the only target. Russian groups have also targeted Telegram and WhatsApp users in the same way, Black said. He pointed to a recent Microsoft report on attacks by Russian group Star Blizzard (aka Coldriver, Blue Charlie, Callisto, and UNC4057) that targeted WhatsApp accounts belonging to current and former government officials and diplomats.

Significantly, attacks targeting WhatsApp can affect businesses as well. Although WhatsApp — like Signal, Telegram and other messenger apps — is primarily consumer-focused, numerous businesses worldwide use the app. WhatsApp even has a business version that it has positioned as a tool that businesses can use to engage with customers, accelerate sales, and deliver customer support.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#microsoft