May 4, 2025

Cybersec Feeds Overview, Apr 28 - May 4, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • AI’s role in cybersecurity is rapidly expanding. Threat actors use GenAI for productivity tasks like recon and phishing. Defenders leverage AI for threat detection, analysis, and automation. New risks emerge from AI models, including prompt injection and data poisoning.
  • Actively exploited vulnerabilities remain a major concern. CISA added numerous vulnerabilities to its KEV catalog. Flaws in SAP NetWeaver, SonicWall SMA 100, Apache HTTP Server, and Yii Framework are seeing active exploitation. Organizations must prioritize patching these vulnerabilities.
  • ICS/OT security requires urgent attention. CISA issued advisories for multiple vulnerabilities in industrial control systems. Flaws were identified in KUNBUS Revolution Pi, MicroDicom DICOM Viewer, Delta Electronics ISPSoft, and Rockwell Automation ThinManager. These vulnerabilities could lead to RCE, DoS, or privilege escalation.
  • Software and human supply chain attacks are increasing. Malicious code was injected into GitHub Actions via compromised dependencies. Backdoors were found in NPM packages for Ripple and Solana. North Korean IT workers infiltrating Fortune 500 companies pose significant insider risks.

Critical Vulnerabilities

  • CISA KEV Catalog updated with actively exploited vulnerabilities. Additions include Commvault Path Traversal (CVE-2025-34028), Yii Framework Path Protection Bypass (CVE-2024-58136), Apache HTTP Server Output Escaping (CVE-2024-38475), SonicWall SMA100 OS Command Injection (CVE-2023-44221), SAP NetWeaver File Upload (CVE-2025-31324), and others.
  • SAP NetWeaver Visual Composer has critical RCE flaw (CVE-2025-31324). Vulnerability stems from missing authorization check allowing unauthenticated file uploads. Attackers actively exploiting it to deploy webshells (e.g., helper.jsp) and install frameworks like Brute Ratel. Affects all NetWeaver 7.xx versions; patching or disabling Visual Composer urged.
  • SonicWall SMA 100 series appliances actively exploited. Attackers chain CVE-2024-38475 (Apache path traversal/file read) and CVE-2023-44221 (OS command injection). This allows session hijacking and potential full system compromise. Patching is critical.
  • Apple AirPlay SDK contains multiple critical vulnerabilities (“AirBorne”). Flaws (e.g., CVE-2025-24252, CVE-2025-24132, CVE-2025-24271) enable zero-click RCE, data theft, MitM. Affects billions of Apple devices (iPhone, Mac, CarPlay) and third-party hardware. Update all devices immediately.
  • Multiple vulnerabilities disclosed in Mozilla Firefox and Thunderbird. Most severe could allow arbitrary code execution (RCE). Memory safety bugs (CVE-2025-4092, CVE-2025-4093) and privilege escalation (CVE-2025-2817) are key risks. Update browsers and email clients promptly.
  • macOS vulnerability CVE-2025-31191 allows sandbox escape. Exploitation relies on security-scoped bookmarks. Enables unrestricted code execution on the system. Apple released a patch on March 31, 2025.
  • Multiple vulnerabilities found in Azure services. Includes Elevation of Privilege in Bot Framework SDK (CVE-2025-30389, CVE-2025-30392), Azure ML Compute (CVE-2025-30390), Azure Virtual Desktop (CVE-2025-21416). Also RCE in Azure Functions (CVE-2025-33074). Microsoft Dynamics vulnerable to Information Disclosure (CVE-2025-30391).

Major Incidents

  • Multiple major UK retailers experienced cyberattacks. Marks & Spencer, Co-op, and Harrods reported incidents causing operational disruptions. M&S faced halted online orders and stock issues, potentially linked to Scattered Spider ransomware group. NCSC is investigating potential connections.
  • Threat actor “rose87168” claims Oracle Cloud breach. Allegedly stole 6 million records with encrypted credentials and keys. Actor selling data and attempting extortion. Oracle notified customers, attributing data to old systems; breach potentially involves CVE-2021-35587.
  • Significant data leak from WorkComposer employee monitoring app. Over 21 million employee screenshots exposed via unsecured AWS S3 bucket. Exposed data included internal communications, potentially credentials, and business documents.
  • xAI developer accidentally exposed API key on GitHub. Leak persisted for two months, potentially granting access to private/unreleased Grok LLMs. Models appeared fine-tuned on SpaceX, Tesla, and X data. Repository removed after notification.
  • Iranian state-sponsored group conducted long-term intrusion. Targeted Critical National Infrastructure (CNI) in the Middle East. FortiGuard Incident Response team investigated the breach.
  • Large-scale power outage caused internet disruptions. Affected Spain nationally, with impacts observed in Portugal, France, and Morocco. Highlights critical infrastructure interdependencies.
  • Multiple healthcare data breaches reported. Yale New Haven Health (YNHHS) breach affected 5M individuals via third-party vendor PJ&A. Blue Shield of California leaked data of 4.7M members via Google Ads misconfiguration. Onsite Mammography breach impacted 357K patients via compromised email.

Emerging Threats

  • Threat actors leverage AI for enhanced efficiency, not novel attacks. GenAI used for recon, vulnerability research, coding assistance (malware, evasion scripts), and phishing lure creation/localization. Iranian, North Korean, and Chinese APTs actively using these tools.
  • Zero-day exploitation trends shifting towards enterprise targets. Fewer exploits seen against browsers and mobile OSes in 2024. Increased focus on enterprise software, security appliances (VPNs, firewalls), and cloud infrastructure. Attackers prioritize high-privilege access points.
  • New malware families and updates observed. StealC infostealer v2 adds stealth features and enhanced data theft. Pentagon Stealer (Go/Python) targets browser/crypto data. HijackLoader modular loader distributes payloads like DanaBot/RedLine. Gremlin Stealer (C#) sold on Telegram. Outlaw botnet uses SSH brute-force for cryptomining.
  • Advanced Persistent Threat (APT) activity continues globally. TheWizards APT uses SLAAC spoofing for MitM attacks in Asia. Billbug (Lotus Panda) expands cyber-espionage in Southeast Asia. Chinese APT suspected in targeting Uyghur community with Windows backdoor. Iranian state-sponsored group targeted Middle East CNI.
  • Phishing and social engineering tactics remain highly effective. Fake Social Security Administration emails used to distribute ScreenConnect remote access tool. Qantas airline impersonated in phishing campaign targeting Australians. Scattered Spider group continues using SMS phishing and SIM swapping despite arrests.
  • New attack vectors and techniques demonstrated. SOCKS5 proxy tunneling via Azure Blob Storage bypasses network restrictions. Adversary-in-the-Middle (AiTM) attacks used for Windows Hello for Business (WHFB) persistence. Attackers targeting AI agent frameworks through prompt injection and tool exploitation.
  • Attackers increasingly scan for exposed developer secrets. Credentials, API keys, and sensitive configuration data are sought in exposed repositories and configuration files. Focus includes SMS gateway credentials (e.g., Twilio).

Regulatory and Policy Updates

  • US government faces cybersecurity policy debates. Proposed CISA budget cuts raise concerns about agency effectiveness. NSC lead advocates normalizing offensive cyber operations. Trump administration’s potential impact on intel sharing discussed. Cybersecurity Information Sharing Act (CISA 2015) reauthorization efforts underway.
  • New legislation targets online harms. US Take It Down Act passes Congress, criminalizing non-consensual intimate imagery (NCII) and AI deepfakes. Mandates platform removal within 48 hours. Concerns raised about potential overreach and impact on lawful speech/privacy.
  • European Union strengthens cybersecurity regulations. EU Cybersecurity Act under consultation for revision. First EU Common Criteria (EUCC) cybersecurity certificates issued by France (ANSSI). Highlights growing focus on standardized security certification.
  • New York DFS updates cybersecurity rules for financial firms. Mandates protections against unauthorized access to IT systems. Affects all financial companies operating within New York state.
  • Microsoft mandates bulk email compliance for Outlook.com users. Deadline set for May 5. Affects senders of large volumes of email, requiring adherence to authentication standards (SPF, DKIM, DMARC).
  • US government considers ROUTERS Act. Legislation aims to safeguard communication networks from foreign adversary-controlled technology. Targets routers, modems, and combined devices.
  • Department of Justice introduces Data Security Program compliance rules. Highlights challenges in secure data sharing practices for organizations handling DOJ data.

Security Operations

  • Shift from passwords to passkeys gains momentum. Microsoft champions passkeys for simpler, safer sign-ins, aligning with the first World Passkey Day. Authenticator app’s password autofill feature deprecated; users pushed to Edge.
  • Advancements in AI aim to improve SOC efficiency. Tools introduced for automated alert triage (Rapid7 InsightIDR), attack verification (Cisco XDR), and security-focused LLMs (Cisco Foundation-sec-8b). Goal is reducing alert fatigue and speeding up response.
  • Focus shifts from Vulnerability Management to Exposure Management. Emphasizes continuous threat exposure management (CTEM). Requires integrating business context and comprehensive attack surface visibility. Tools like Rapid7 Exposure Command aim to unify data and streamline remediation.
  • New open-source tools released for security analysis. YARA Playground enables client-side YARA rule testing via WASM. HANAlyzer assists in securing SAP HANA databases.
  • UK NCSC provides guidance on advanced cryptography techniques. Includes homomorphic encryption, ZKP, MPC. Advises clear problem definition before adopting complex techniques. Warns against custom implementation due to complexity.
  • Metasploit Framework updated to fix vulnerability. CVE-2025-3095 addressed potential file overwrite in clipboard monitoring (extapi). Update requires explicit directory for file downloads. Adds module for WonderCMS RCE (CVE-2023-41425).
  • Google DeepMind introduces CaMeL framework for prompt injection defense. Treats LLMs as untrusted components within a secure architecture. Uses capability-based access control and data flow tracking. Aims to create effective boundaries against malicious instructions.

Wins

  • Law enforcement disrupts cybercrime operations. German police seized Pygmalion dark web drug marketplace infrastructure. Gained access to customer data from over 7,000 orders. Four individuals arrested.
  • Alleged Scattered Spider member Tyler Buchanan extradited. Brought from Spain to the US to face charges. Charges include wire fraud, conspiracy, and identity theft related to hacking campaigns.
  • RansomHub ransomware-as-a-service operation goes offline. Chat infrastructure and data leak site have been inactive since March 31. Represents a disruption to a prolific RaaS group.
  • Leaders of child sextortion group 764 arrested and charged. Leonidas Varagiannis and Prasan Nepal face charges for directing CSAM distribution and victim exploitation. Group described as nihilistic violent extremists.
  • Legal victory for privacy-focused VPN provider Windscribe. Founder Yegor Sak acquitted in Greece. Charges related to alleged criminal use of a Windscribe IP address dismissed due to the company’s no-log policy.
  • WhatsApp vs. NSO Group lawsuit sees procedural win for WhatsApp. US judge limits evidence NSO Group can present. Prevents NSO from revealing customer identities or claiming WhatsApp had insufficient security.
  • Former Disney employee sentenced for cyber sabotage. Michael Scheuer received three years prison time. Convicted for computer fraud and identity theft after tampering with systems and doxing co-workers post-termination.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created by BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.