Cybersecurity Consulting
February 27, 2025
7 minute read
The DOT Report is a monthly news series from DOT Security covering the latest headlines and biggest stories in the cybersecurity space. Investigating these stories gives us an opportunity to discuss the technical and human elements at play, exploring how cybersecurity mechanisms, and cyberattacks, work in the wild.
This month we’ll be reviewing the hack that revealed major security gaps in the newly launched DOGE site, the ransomware attack that disrupted operations at Lee Enterprises, a newly patched flaw in Xerox printers, and the settlement agreement between Health Net Federal Services (HNFS) and the US Government.
Understanding the cybersecurity measures at play, and how threat-actors maneuver around them, gives us a deeper insight into the ever-evolving world of cybersecurity. Let’s jump right in.
Subscribe to the DOT Security blog for regular coverage on all things cybersecurity, from the latest headlines and biggest stories to the newest technologies and industry standards.
The website for Elon Musk’s DOGE initiative has come under scrutiny after security researchers discovered a major vulnerability allowing unauthorized users to modify its content.
Two independent web developers found that DOGE.gov, which claims to be an official U.S. government site, was using an unprotected database, enabling public edits. To prove the flaw, they posted messages on the site, one stating, “This is a joke of a .gov site,” while another read, “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN.” The unauthorized messages reportedly remained live for at least 12 hours before being removed.
The DOGE website, which launched in January, contained minimal information until this month, when it began displaying figures purportedly representing the size of the U.S. government. This followed a pledge for “maximal transparency” from Musk. However, this goes beyond a gesture of transparency, as classified documents were also accessible to the public through the site.
In addition to security concerns, WIRED found that the site prioritizes X, Musk’s social media platform. The homepage features a live feed of DOGE’s X posts, and the website’s code reportedly directs search engines to X.com rather than DOGE.gov. The site even sets a canonical URL pointing to X.com; canonical tags are designed specifically to mark duplicate web pages and are typically used on retail sites. Misusing a fundamental technical feature like this suggests that more advanced mechanisms may also have been implemented incorrectly, leading to additional security flaws.
The messages left by the hackers have since been cleared, and the site should now be going through a security overhaul. Still, the incident highlights the necessity of strong website security protocols and the importance of a security-first mindset when building a website from scratch, no matter the timeline.
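The canonical-tag misuse is easy to check for from the outside. The following Python script is an added example, not code from the original article or from the DOGE site; it parses a page’s HTML, collects every `<link rel="canonical">`, and reports any whose origin differs from the page it was served from. The sample HTML and the `https://example.gov/` page URL are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _CanonicalCollector(HTMLParser):
    """Collect the href of every <link rel="canonical"> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        # rel may hold several space-separated tokens, e.g. rel="canonical alternate"
        rel_tokens = (attributes.get("rel") or "").lower().split()
        if "canonical" in rel_tokens and attributes.get("href"):
            self.hrefs.append(attributes["href"])


def origin(url):
    """Return the (scheme, host[:port]) pair that defines a URL's origin."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def cross_origin_canonicals(html, page_url):
    """Return absolute canonical URLs that point to a different origin than page_url.

    A canonical tag tells search engines which URL is the 'real' copy of a page;
    one that points off-site hands the page's search presence to another domain.
    """
    collector = _CanonicalCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    findings = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)  # resolve relative hrefs against the page
        if origin(absolute) != page_origin:
            findings.append(absolute)
    return findings


# Constructed sample: a .gov page whose canonical tag points at a social network.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="https://x.com/example-account">
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for url in cross_origin_canonicals(SAMPLE_PAGE, "https://example.gov/"):
        print("cross-origin canonical:", url)
```

A same-origin or relative canonical (`href="/"`) produces no finding; only canonicals that hand the page to another domain are reported.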
Lee Enterprises has revealed that the cyberattack disrupting dozens of its local newspapers was a ransomware incident, according to an update shared with the Securities and Exchange Commission (SEC).
The media company, which owns 350 weekly and specialty publications across 25 states, initially described the February 3 attack as a “cyber incident.” However, its latest statement confirms that threat actors accessed Lee’s network, encrypted critical applications, and exfiltrated certain files—a pattern consistent with ransomware attacks.
At least 75 newspapers were affected, according to the Press Freedom Tracker.
The cyberattack caused significant operational disruptions, impacting print distribution, subscription accounts, billing, collections, and vendor payments. While Lee reports that core products have resumed normal distribution, some weekly and ancillary publications—accounting for 5% of the company’s operating revenue—remain offline. A phased recovery is expected over the coming weeks.
Lee is conducting a forensic analysis to determine whether personal or sensitive data was compromised. The company has not disclosed whether it has paid or is considering paying a ransom but confirmed that it holds cybersecurity insurance covering costs related to incident response, forensic investigations, and potential regulatory fines.
The full financial impact of the attack remains unclear, but Lee acknowledged it could be significant.
Security researchers have disclosed critical vulnerabilities in Xerox VersaLink C7025 Multifunction Printers (MFPs) that could allow attackers to capture authentication credentials via pass-back attacks using Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.
According to Rapid7 security researcher Deral Heiland, the flaw enables attackers to alter printer configurations, redirect authentication credentials to a rogue server, and potentially compromise Windows Active Directory systems. This could allow attackers to move laterally within an organization, posing a significant security risk.
The vulnerabilities, affecting firmware versions 57.69.91 and earlier, are:
Successful exploitation requires access to the printer’s configuration settings via the web interface or physical access to the device. However, the risks are heightened if user-level access to the remote-control console is enabled.
Xerox released a fix in Service Pack 57.75.53 for VersaLink C7020, 7025, and 7030 series printers. However, if patching is not yet possible for any reason, security experts recommend:
These discoveries underscore the urgent need for security updates to enterprise hardware and the need for properly configured network segmentation.
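A pass-back attack works because a printer will send its stored LDAP, SMB or FTP credentials to whatever server its configuration names, so a defender wants to know when a printer talks to an unexpected server or uses a cleartext protocol. The following Python script is an added example, not code from the article or from Rapid7 or Xerox; it runs that check over flow records from the printer subnet. The log format, the `10.0.9.0/24` printer subnet, the approved server addresses and the sample flows are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# All names and addresses below are constructed for this example; they are not
# values from the Xerox advisory or from any real network.
PRINTER_NET = ip_network("10.0.9.0/24")          # subnet the MFPs live in
APPROVED_DESTINATIONS = {                        # servers printers may authenticate to
    "ldap":  {"10.0.5.20"},
    "ldaps": {"10.0.5.20"},
    "smb":   {"10.0.5.30"},
    "ftp":   set(),                              # scan-to-FTP is not approved at all
}
CLEARTEXT_PROTOCOLS = {"ldap", "ftp"}            # credentials travel unencrypted

# One flow record per line: ts=... src=... proto=... dst=ip:port
FLOW_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+proto=(?P<proto>\w+)\s+dst=(?P<dst>[\d.]+):(?P<port>\d+)"
)


def parse_flow(line):
    """Return a dict for one flow record, or None if the line does not match."""
    match = FLOW_RE.search(line)
    return match.groupdict() if match else None


def check_flows(text):
    """Flag printer flows that go to an unapproved server or use a cleartext protocol.

    Flows whose source is outside the printer subnet are ignored; a flow is reported
    with one or both reasons: 'unapproved_destination' (the printer's configuration
    may have been redirected to a rogue server) and 'cleartext_auth' (credentials
    would be readable by anyone on the path, even when the destination is approved).
    """
    findings = []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None or ip_address(rec["src"]) not in PRINTER_NET:
            continue
        proto = rec["proto"].lower()
        reasons = []
        if rec["dst"] not in APPROVED_DESTINATIONS.get(proto, set()):
            reasons.append("unapproved_destination")
        if proto in CLEARTEXT_PROTOCOLS:
            reasons.append("cleartext_auth")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"], "proto": proto,
                             "dst": rec["dst"], "reasons": reasons})
    return findings


# Constructed sample flows: one approved LDAP lookup, one approved SMB scan
# destination, one LDAP bind to a host inside the printer subnet, one FTP upload
# to an outside address, and one non-printer host that should be ignored.
SAMPLE_FLOWS = """\
ts=2025-02-14T10:02:11Z src=10.0.9.11 proto=ldap dst=10.0.5.20:389
ts=2025-02-14T10:03:40Z src=10.0.9.11 proto=smb dst=10.0.5.30:445
ts=2025-02-14T10:05:02Z src=10.0.9.12 proto=ldap dst=10.0.9.250:389
ts=2025-02-14T10:06:15Z src=10.0.9.12 proto=ftp dst=203.0.113.7:21
ts=2025-02-14T10:07:00Z src=10.0.4.5 proto=ldap dst=10.0.5.20:389
"""

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```

The approved-destination list is the part that does the real work: with network segmentation in place, the same list can be enforced as firewall rules for the printer VLAN, so a reconfigured printer cannot reach a rogue server at all rather than merely being logged.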
Health Net Federal Services, a Department of Defense (DoD) contractor, and its parent company Centene Corporation have agreed to pay $11.2 million to settle allegations that they falsely claimed compliance with federal cybersecurity requirements.
According to the US government, between 2015 and 2018, HNFS—responsible for administering the TRICARE health insurance program for military personnel and their families—failed to implement required cybersecurity controls and misrepresented its compliance.
The company allegedly neglected vulnerability scans, failed to address security flaws, and ignored third-party audit reports identifying deficiencies in asset management, access control, firewalls, patch management, password policies, and outdated hardware and software. Despite these issues, HNFS is accused of filing three false annual compliance certifications with the government.
While HNFS and Centene both deny any wrongdoing, they agreed to pay the settlement, which includes $5.6 million in restitution. The government noted that no determination of liability has been made, and the settlement does not constitute an admission of fault.
The case highlights growing federal scrutiny over cybersecurity compliance among defense contractors, as government agencies seek to enforce stricter security standards to protect sensitive systems and data.
That wraps up this month’s DOT Report, where we explored the real-world impact of cyber threats—from ransomware disrupting major media operations to critical security flaws in enterprise hardware, and false claims of compliance in government contracting.
These stories highlight the constant push and pull between cybersecurity advancements and threat-actor strategies, reminding us that the two are forever entwined.
To stay updated on everything cybersecurity, from the latest headlines and biggest stories to the newest technology, subscribe to The DOT Security blog, where we cover it all.