Pennsylvania State Education Association Data Breach impacts 500,000 people

Pennsylvania’s largest Workers and Teachers’ Union, PSEA, has exposed the personal information of over half a million individuals. PSEA is a labor union that represents public school teachers, higher education faculty members, school support staff, and retired educators across the Keystone State.

“PSEA experienced a security incident on or about July 6, 2024 that impacted our network environment,” the organization said in breach notification letters sent on March 17, 2025 to 517,487 individuals. “Through a thorough investigation and extensive review of impacted data which was completed on February 18, 2025, we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network.”

PSEA says the stolen information varies by individual and consists of personal, financial, and health data, including driver’s license or state IDs, social security numbers, account numbers and PINs, account usernames and passwords, security codes, payment card information, passport information, taxpayer ID numbers, health insurance and medical information.

While the workers and teachers’ union has not disclosed the threat actor’s identity, the Rhysida ransomware group took credit for the PSEA data breach in September 2024 and listed the labor union on its data leak site.

A law firm is currently investigating whether affected individuals are entitled to compensation.


Researchers warn of a coordinated surge in exploitation attempts against SSRF vulnerabilities

On March 9, 2025, threat intelligence firm GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms. At least 400 IP addresses have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. The top countries receiving SSRF exploitation attempts during the surge were the US, Germany, Singapore, India, and Japan. GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation.

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location, either internally towards the organization’s network or externally to exfiltrate data. It is one of the OWASP Top 10 Application Security Risks.

Historical parallels: SSRF vulnerabilities played a key role in the 2019 Capital One breach, which exposed 100M+ records.

GreyNoise has identified active exploitation attempts against the following flaws:

Organizations should promptly patch and secure affected systems, apply mitigations for targeted CVEs, and restrict outbound access to necessary endpoints. They should also monitor for suspicious outbound requests by setting up alerts for any unexpected activity.
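As an added illustration of the advice to restrict outbound access and alert on unexpected requests (this is not code from GreyNoise or from the original article), the following Python example checks each server-side fetch destination against an allowlist and rejects destinations that resolve to internal addresses. The hostnames, the sample DNS answers and the function names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service needs to reach.
ALLOWED_HOSTS = {"api.partner.example", "updates.vendor.example"}

# Constructed DNS answers so the example runs offline. The second entry
# simulates an allowlisted name whose record points at a metadata address.
SAMPLE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "updates.vendor.example": ["169.254.169.254"],
}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

def is_internal(ip_text):
    """True for addresses a server-side fetch should never reach."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_outbound(url, resolve):
    """Return (allowed, reason); resolve maps a hostname to IP strings."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host-not-allowlisted"
    addrs = resolve(host)
    if not addrs:
        return False, "unresolvable"
    if any(is_internal(a) for a in addrs):
        return False, "resolves-internal"
    return True, "ok"

def flag_requests(urls, resolve):
    """Return the denied destinations with reasons, for alerting."""
    checked = ((u, check_outbound(u, resolve)) for u in urls)
    return [(u, reason) for u, (ok, reason) in checked if not ok]

if __name__ == "__main__":
    observed = ["https://api.partner.example/v1/status",
                "http://updates.vendor.example/latest"]
    for url, reason in flag_requests(observed, sample_resolve):
        print("ALERT", reason, url)
```

In a deployed service the connection should be made to the address that passed the check, so that a second DNS lookup cannot return a different answer.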


Meta is firing about 20 employees for leaking information

Meta has fired “roughly” 20 employees for leaking confidential information, The Verge reports.

“We tell employees when they join the company, and we offer periodic reminders, that it is against our policies to leak internal information, no matter the intent,” Meta spokesperson Dave Arnold told the publication. “We recently conducted an investigation that resulted in roughly 20 employees being terminated for sharing confidential information outside the company, and we expect there will be more. We take this seriously, and will continue to take action when we identify leaks.”

The move comes in response to a surge of news stories that shared leaked details about Meta’s internal meetings and undisclosed product plans, including a recent all-hands led by Meta CEO Mark Zuckerberg. Following the leaks, Meta warned employees that leakers would be fired.

Meta did not disclose any details about the content leaked.
