WriteFreely is very similar to and may be a sister project of WordPress. However, after following the Fediverse instances, regardless of potential issues, the truth is that there is no such WordPress.org-based server that supports external accounts thus far.

Welcome to the Fediverse!

Hello! Welcome to the Fediverse!

WriteFreely is very similar to and may be a sister project of WordPress. However, after following the Fediverse instances, regardless of potential issues, the truth is that there is no such WordPress.org-based server that supports external accounts thus far.

WriteFreely is very similar to and may be a sister project of WordPress. However, after following the Fediverse instances, regardless of potential issues, the truth is that there is no such WordPress.org-based server that supports external accounts thus far.

WriteFreely is very similar to and may be a sister project of WordPress. However, after following the Fediverse instances, regardless of potential issues, the truth is that there is no such WordPress.org-based server that supports external accounts thus far.

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

News For All

🎭 Fake software activation videos on TikTok spread Vidar, StealC malware – Cybercriminals exploit TikTok to distribute Vidar and StealC malware through fake software activation videos, tricking users into running harmful PowerShell commands. https://securityaffairs.com/178269/cyber-crime/fake-software-activation-videos-on-tiktok-spread-vidar-stealc.html

🎀 A Starter Guide to Protecting Your Data From Hackers and Corporations privacy – With rising digital surveillance, this guide offers essential tips for enhancing personal privacy, including using multifactor authentication and privacy-focused tools. https://www.wired.com/story/guide-protect-data-from-hackers-corporations/

🦠 MathWorks’ ransomware disruptions rages on into second week cybercrime – MathWorks confirms a ransomware attack causing prolonged outages of MATLAB and other applications, disrupting users, particularly students, as recovery efforts continue with limited functionality. https://go.theregister.com/feed/www.theregister.com/2025/05/27/mathworks_ransomware_attack_leaves_ondeadline/

📝 Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites cybercrime – Cybercriminals exploit AI interest by creating fake video generator websites to distribute malware like infostealers and backdoors, targeting users through malicious ads on social media. https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/

🔂 The Privacy-Friendly Tech to Replace Your US-Based Email, Browser, and Search privacy – Amid growing concerns over US tech giants, alternatives like Mullvad and Vivaldi for browsing, Qwant and Mojeek for searching, and ProtonMail for email offer privacy-focused options. https://www.wired.com/story/the-privacy-friendly-tech-to-replace-your-us-based-email-browser-and-search/

🥺 Iranian man pleads guilty in Robbinhood ransomware scheme cybercrime – pleaded guilty to charges related to the Robbinhood ransomware scheme, which caused over $19 million in damages to Baltimore and other U.S. cities, facing up to 30 years in prison. https://cyberscoop.com/iranian-man-pleads-guilty-in-robbinhood-ransomware-scheme/

🦠 Crooks use a fake antivirus site to spread Venom RAT and a mix of malware security news – A fake Bitdefender site is distributing the Venom RAT, tricking users into downloading malware designed for password theft and remote access, targeting individuals for financial gain. https://securityaffairs.com/178366/malware/fake-antivirus-spreads-venom-rat.html

📅 Chinese hackers used Google Calendar to aid attacks on government entities security research – Google revealed that APT41, a China-backed hacker group, exploited Google Calendar for command and control in attacks on government entities, using malware dubbed TOUGHPROGRESS to blend in with legitimate activity. https://cyberscoop.com/google-calendar-apt-41-c2-winnti/

🔓 LexisNexis leaked social security numbers and other personal data of over 364,000 people data breach – LexisNexis reported a data breach exposing personal information of over 364,000 individuals, including Social Security numbers, after unauthorized access through a third-party software platform was discovered months later. https://www.theverge.com/news/675702/lexisnexis-data-broker-breach-social-security-numbers

🗺️ Oregon becomes second state to ban sale of precise geolocation data privacy – Oregon's legislature passed a law banning the sale of precise geolocation data, following Maryland's similar legislation, and strengthening protections for children's data privacy. https://therecord.media/oregon-passes-geolocation-kids-data-bill

🤏 Thousands of Asus routers are being hit with stealthy, persistent backdoors cybercrime – Thousands of Asus routers are infected with a persistent backdoor allowing unauthorized access via SSH, exploiting patched vulnerabilities, raising concerns of potential nation-state involvement in the ongoing campaign. https://arstechnica.com/security/2025/05/thousands-of-asus-routers-are-being-hit-with-stealthy-persistent-backdoors/

👙 Victoria's Secret hit by outages as it battles security incident security news – Victoria’s Secret is addressing a security incident causing website outages and disruptions to online orders, prompting precautionary measures including website takedown while in-store services remain operational. https://techcrunch.com/2025/05/28/victorias-secret-hit-by-outages-as-it-battles-security-incident/

📚 No One Knows How to Deal With 'Student-on-Student' AI CSAM security news – A Stanford report highlights the lack of preparedness among schools, parents, and law enforcement to handle cases of students using AI to create nonconsensual intimate imagery, emphasizing the normalization of such practices and the need for better training and reporting mechanisms. https://www.404media.co/no-one-knows-how-to-deal-with-student-on-student-ai-csam/

💸 US government sanctions tech company involved in cyber scams cybercrime – The U.S. government sanctioned Funnull for facilitating 'pig butchering' crypto scams, linked to $200 million in losses for victims. The company provided infrastructure for cybercriminals, including domain generation and web design templates. https://techcrunch.com/2025/05/29/us-government-sanctions-tech-company-involved-in-cyber-scams/

🏰 White House investigating how Trump's chief of staff's phone was hacked security news – The White House is investigating a hack involving chief of staff Susie Wiles' phone, where hackers accessed her contacts and impersonated her using AI to contact other officials. https://techcrunch.com/2025/05/30/white-house-investigating-how-trumps-chief-of-staffs-phone-was-hacked/

🌠 Ransomware kingpin “Stern” apparently IDed by German law enforcement cybercrime – German law enforcement has identified 'Stern,' the leader of the Trickbot ransomware group, linking him to significant cybercrime activities, including targeting hospitals and businesses. https://arstechnica.com/security/2025/05/german-police-say-theyve-identified-trickbot-ransomware-kingpin/

🔒 Chinese-Owned VPNs security news Comment: Don't really like the article, but the topic is essential. https://www.schneier.com/blog/archives/2025/05/chinese-owned-vpns.html

🪥 unlikely household item proved husband was cheating' privacy – Private investigator Paul Jones reveals how a smart toothbrush app exposed a husband's affair by tracking unusual brushing times, highlighting that digital clues can uncover infidelity beyond typical signs. https://www.mirror.co.uk/lifestyle/sex-relationships/relationships/im-private-investigator-unlikely-household-35256619

---

Some More, For the Curious

❄️ New Russia-affiliated actor Void Blizzard targets critical sectors for espionage security research – Void Blizzard, a new Russia-linked threat actor, targets NATO and Ukraine for espionage, using stolen credentials and spear phishing to access sensitive information across various sectors. https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/

🐻 Dutch intelligence unmasks previously unknown Russian hacking group 'Laundry Bear' security news – Dutch intelligence reveals 'Laundry Bear,' a Russian hacking group targeting organizations for espionage, notably impacting the police and NATO-related entities, using automated, stealthy techniques. https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlands

🔗 DragonForce operator chained SimpleHelp flaws to target an MSP and its customers security research – Sophos warns that DragonForce ransomware exploited three SimpleHelp vulnerabilities to target a managed service provider, gaining unauthorized access and enabling data theft. https://securityaffairs.com/178350/cyber-crime/dragonforce-operator-chained-simplehelp-flaws-to-target-an-msp.html

🚨 Pakistan Arrests 21 in ‘Heartsender’ Malware Service – Krebs on Security cybercrime – Pakistan arrested 21 individuals linked to the 'Heartsender' malware service, which facilitated cybercrime operations resulting in over $50 million in losses, primarily targeting business email compromise schemes. https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/

🐍 New PumaBot targets Linux IoT surveillance devices malware – PumaBot, a new Go-based botnet, targets Linux IoT devices using SSH brute-force attacks to steal credentials, spread malware, and mine cryptocurrency while employing stealthy evasion tactics. https://securityaffairs.com/178386/malware/pumabot-targets-linux-iot-devices.html

🤔 Questions mount as Ivanti tackles another round of zero-days vulnerability – Ivanti faces multiple attacks exploiting two zero-day vulnerabilities in its Endpoint Manager Mobile software, linked to the China-backed group UNC5221. https://cyberscoop.com/ivanti-epmm-defects-exploited/

🏞️ ConnectWise says nation-state attack targeted multiple ScreenConnect customers security news – ConnectWise is investigating a nation-state attack affecting a small number of its ScreenConnect customers, involving suspicious activity linked to sophisticated threat actors. https://therecord.media/connectwise-nation-state-attack-targeted-some-customers

⏳ Why Take9 Won’t Improve Cybersecurity security news – The Take9 campaign urging a nine-second pause before online actions is criticized for being unrealistic and ineffective, as it fails to address deeper issues in cybersecurity awareness and places undue blame on users for attacks. https://www.schneier.com/blog/archives/2025/05/why-take9-wont-improve-cybersecurity.html

⚠️ New Apache InLong Vulnerability (CVE-2025-27522) Exposes Systems to Remote Code Execution Risks vulnerability – A new vulnerability (CVE-2025-27522) in Apache InLong allows for remote code execution due to insecure deserialization of data during JDBC processing. Users are urged to upgrade to version 2.2.0 or apply the necessary patch. https://thecyberexpress.com/apache-inlong-cve-2025-27522/

🚨 Top counter antivirus service disrupted in global takedown security news – Law enforcement seized the AVCheck service, used by cybercriminals to test malware against antivirus tools, as part of a global crackdown on cybercrime, disrupting operations of malicious tool providers. https://cyberscoop.com/avcheck-global-takedown/

🦆 Two Linux flaws can lead to the disclosure of sensitive data vulnerability – Qualys warns of two vulnerabilities in Ubuntu's Apport and systemd-coredump that allow local attackers to access sensitive data from core dumps. https://securityaffairs.com/178464/hacking/two-linux-flaws-can-lead-to-the-disclosure-of-sensitive-data.html

🥽 Deep Dive into a Dumped Malware without a PE Header malware – The article details the analysis of malware without a PE header, revealing its capabilities for remote access, data exfiltration, and communication with a C2 server. https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-header

⚠️ Researchers Drop PoC for Fortinet CVE-2025-32756, Urging Quick Patching vulnerability – A critical vulnerability (CVE-2025-32756) in Fortinet products allows unauthenticated remote code execution and is actively exploited. Researchers released a proof of concept, urging users to patch immediately. https://hackread.com/researchers-poc-fortinet-cve-2025-32756-quick-patch/

🖼️ SANS Internet Storm Center security news – The article discusses the use of steganography in SVG images, highlighting their advantages over bitmap formats for data hiding, while emphasizing the importance of encryption and potential risks from compression. https://isc.sans.edu/diary/rss/31978

🥃 FiberGateway GR241AG – Full Exploit Chain hacking write-up – The article details the discovery of vulnerabilities in the FiberGateway GR241AG router, allowing root access through physical and remote exploitation methods, impacting over 1.6 million households in Portugal. https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/

---

CISA Corner

🛡️ New Guidance for SIEM and SOAR Implementation security news – CISA and international partners released guidance for implementing SIEM and SOAR platforms, aiming to enhance cybersecurity through improved threat detection, incident response, and log prioritization. https://www.cisa.gov/news-events/alerts/2025/05/27/new-guidance-siem-and-soar-implementation

⚙️ CISA Releases One Industrial Control Systems Advisory vulnerability – CISA issued an advisory on the Johnson Controls iSTAR Configuration Utility tool, highlighting current security issues and vulnerabilities in Industrial Control Systems. Users are urged to review for mitigations. https://www.cisa.gov/news-events/alerts/2025/05/27/cisa-releases-one-industrial-control-systems-advisory ⚙️ CISA Releases Five Industrial Control Systems Advisories vulnerability – CISA issued five advisories regarding security vulnerabilities in various Industrial Control Systems, urging users to review the advisories for technical details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2025/05/29/cisa-releases-five-industrial-control-systems-advisories

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

News For All

🚨 UK government confirms massive data breach following hack of Legal Aid Agency data breach – A major data breach at the Legal Aid Agency may expose sensitive information of legal aid applicants, affecting millions. Security measures are being intensified to prevent further incidents. https://therecord.media/uk-legal-aid-agency-data-breach

🧬 Pharma giant Regeneron to buy 23andMe and its customers' data for $256M privacy – Regeneron plans to purchase 23andMe, including sensitive genetic data from 15 million customers, raising privacy concerns after a previous data breach. Compliance with privacy laws is promised. https://techcrunch.com/2025/05/19/pharma-giant-regeneron-to-buy-23andme-and-its-customers-data-for-256m/

🔒 days demonstrated at Pwn2Own Berlin 2025 vulnerability – Mozilla patched two critical zero-day vulnerabilities in Firefox that could allow sensitive data access or code execution. Users are urged to update their browsers immediately. https://securityaffairs.com/178064/security/mozilla-fixed-zero-days-demonstrated-at-pwn2own-berlin-2025.html

💁 Russia-linked disinformation floods Poland, Romania as voters cast ballots security news – Ahead of presidential elections, Romania and Poland report increased Russian disinformation efforts aiming to sway voters. Authorities warn of impersonation tactics and funded campaigns on social media. https://therecord.media/russia-disinformation-poland-presidential-election

👁️ Cocospy stalkerware apps go offline after data breach security news – Cocospy, Spyic, and Spyzie, stalkerware apps spying on millions, have gone offline following a significant data breach exposing user emails. Users are advised to remove any remaining spyware from their devices. https://techcrunch.com/2025/05/19/cocospy-stalkerware-apps-go-offline-after-data-breach/

🚪 DoorDash Hack security research https://www.schneier.com/blog/archives/2025/05/doordash-hack.html

🛒 Consumer Reports: Kroger using loyalty program to package, sell customer data privacy – Kroger allegedly sells detailed consumer data from its loyalty program, creating potentially inaccurate profiles of shoppers for marketing. Consumer Reports urges stronger privacy protections against such practices. https://therecord.media/kroger-using-loyalty-program-to-sell-customer-data

📚 Chicago Sun-Times prints summer reading list full of fake books security news – The Chicago Sun-Times published a summer reading list with fake books generated by AI, prompting backlash from readers and staff. The publication is investigating the incident and terminating its relationship with the creator. https://arstechnica.com/ai/2025/05/chicago-sun-times-prints-summer-reading-list-full-of-fake-books/

🔍 3 Teens Almost Got Away With Murder. Then Police Found Their Google Searches privacy – Three teens set a house fire that killed five people, but police traced their Google searches for the address to solve the case. The investigation raises concerns about privacy and law enforcement's use of digital data. https://www.wired.com/story/find-my-iphone-arson-case/

💬 Researchers Scrape 2 Billion Discord Messages and Publish Them Online privacy – A database of over 2 billion Discord messages scraped from 3,167 servers has been published online, raising privacy concerns despite claims of anonymization. A separate tool reveals non-anonymized chat histories. https://www.404media.co/researchers-scrape-2-billion-discord-messages-and-publish-them-online/

📸 Signal says no to Windows 11’s Recall screenshots privacy – Signal has implemented screen security in its Windows 11 client to prevent Microsoft’s Recall feature from capturing secured chats. This move highlights concerns over user privacy and accessibility issues. https://www.theverge.com/news/672210/signal-desktop-app-microsoft-recall-block-windows-11-ai

🐒 Kids Say They're Using Photos of Trump and Markiplier to Bypass 'Gorilla Tag' Age Verification security news – Players of the VR game Gorilla Tag are reportedly using images of Trump and Markiplier to circumvent age verification measures. https://www.404media.co/kids-say-theyre-using-photos-of-trump-and-markiplier-to-bypass-gorllia-tag-age-verification/

🤖 Should Children Use AI Chatbots? Google Thinks So, Critics Strongly Disagree privacy – Google's rollout of its AI chatbot Gemini for children under 13 has sparked backlash from privacy advocates, who argue it may violate COPPA and poses risks to kids' mental health and well-being. https://thecyberexpress.com/google-gemini-ai-for-kids/

📱 Russia to pass law to track migrants using their smartphone privacy – A new Russian law will require migrants in Moscow to use a smartphone app for tracking and reporting their location. Critics raise concerns about privacy and potential abuse of power. https://www.theregister.com/2025/05/22/russia_expected_to_pass_experimental/

🔓 Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials malware – A malware campaign has trojanized the KeePass password manager to deliver Cobalt Strike and exfiltrate credentials. The compromised installer mimicked the real one, making detection difficult. https://securityonline.info/trojanized-keepass-used-to-deploy-cobalt-strike-and-steal-credentials/

---

Some More, For the Curious

🔑 OpenPGP.js bug enables encrypted message spoofing vulnerability – A critical vulnerability in OpenPGP.js allows spoofing of signed and encrypted messages, undermining public key cryptography. Users are urged to upgrade to patched versions to mitigate risks. https://www.theregister.com/2025/05/20/openpgp_js_flaw/

🌃 Does ENISA EUVD live up to all the hype? cyber defense – The article critically examines the effectiveness and impact of the European Union Agency for Cybersecurity (ENISA) in relation to the EU's cybersecurity directives, questioning if it meets expectations. https://vulncheck.com/blog/enisa-euvd

📊 CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation security research – NIST and CISA researchers have created a new metric, Likely Exploited Vulnerabilities (LEV), to better predict which vulnerabilities may be exploited, enhancing existing systems like EPSS and KEV. https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/

🔒 Lumma Stealer toppled by globally coordinated takedown cybercrime – Lumma Stealer, a notorious infostealer malware, was dismantled in a global operation that seized its core infrastructure, blocking 2,300 malicious domains. Microsoft and law enforcement aim to disrupt cybercrime operations. https://cyberscoop.com/lumma-stealer-infostealer-takedown/

⚠️ Active Directory dMSA Privilege Escalation Attack Detailed by Researchers vulnerability – Akamai researchers discovered a privilege escalation vulnerability in Windows Server 2025's dMSA feature, allowing attackers to compromise any Active Directory user with minimal permissions. Microsoft acknowledges the issue but rates it as moderate severity. https://thecyberexpress.com/active-directory-dmsa-attack/

📂 Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials cybercrime – A recent indictment highlights how a Russian malware operation facilitates both criminal activities and state-sponsored hacking, with various cybersecurity issues and incidents, including a breach involving the Signal clone TeleMessage. https://www.wired.com/story/mysterious-database-logins-governments-social-media/

💻 Oops: DanaBot Malware Devs Infected Their Own PCs cybercrime – The U.S. government has charged 16 individuals linked to DanaBot malware, which has infected over 300,000 systems. Developers accidentally infected their own PCs, revealing their identities and leading to their arrest. https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/

💰 Decentralized crypto platform Cetus hit with $223 million hack security news – Cetus, a decentralized cryptocurrency exchange, was hacked for $223 million. The platform paused operations and secured $162 million of the stolen funds, while investigations into the attack continue. https://therecord.media/decentralized-crypto-platform-cetus-theft

🐩 Mysterious hacking group Careto was run by the Spanish government, sources say cybercrime – Research indicates that Careto, a sophisticated hacking group targeting various nations, was operated by the Spanish government. Initially identified in 2014, the group has resurfaced with advanced malware capabilities. https://techcrunch.com/2025/05/23/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say/

🚔 Operation RapTor led to the arrest of 270 dark web vendors and buyers cybercrime – Operation RapTor resulted in the arrest of 270 individuals involved in dark web trafficking across 10 countries, seizing over €184M in assets, drugs, and weapons. Law enforcement continues to target dark web activities. https://securityaffairs.com/178221/deep-web/operation-raptor-arrest-270-dark-web-vendors-and-buyers.html

🔒 Large-scale sting tied to Operation Endgame disrupts ransomware infrastructure cybercrime – Law enforcement from Europe and North America dismantled key ransomware infrastructure in Operation Endgame, taking down 300 servers and 650 domains, disrupting malware tools like Qakbot and Trickbot, and issuing arrest warrants for 20 suspects. https://cyberscoop.com/operation-endgame-ransomware-infrastructure-takedown-europol/

⚙️ Researchers cause GitLab AI developer assistant to turn safe code malicious vulnerability – Researchers demonstrated how GitLab's AI assistant, Duo, could be manipulated into inserting malicious code through prompt injections, exposing private data. GitLab has since implemented measures to mitigate this vulnerability. https://arstechnica.com/security/2025/05/researchers-cause-gitlab-ai-developer-assistant-to-turn-safe-code-malicious/

🦠 Compromised RVTools Installer Spreading Bumblebee Malware malware – A compromised RVTools installer was found spreading Bumblebee malware, detected by security researcher Aidan Leon. The malicious file originated from the official website, which has since been taken offline temporarily. https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/

🔓 Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more… hacking writeup – Red Teamers demonstrate methods to circumvent SharePoint's Restricted View, allowing data exfiltration through techniques like screenshots, OCR, and using AI tools like Microsoft Copilot. The findings highlight the inadequacy of relying on Restricted View for data security. https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-view-to-exfiltrate-data-using-copilot-ai-and-more/

🔑 Passwords are okay, impulsive Internet isn't security news – The article criticizes the push for passwordless authentication, arguing that passkeys create vendor lock-in and compromise user security. It emphasizes that the real issue lies in human behavior and impulse control, rather than technology itself. Comment: missed this one. thankfully cert.at pushed it this week. https://www.dedoimedo.com/life/passwords-passkeys.html

😡 Red Team Gold: Extracting Credentials from MDT Shares hacking write-up – The article explores how Microsoft Deployment Toolkit (MDT) can be targeted during Red Team engagements to extract credentials. It discusses misconfigurations in MDT shares that can lead to unauthorized access to sensitive information. https://trustedsec.com/blog/red-team-gold-extracting-credentials-from-mdt-shares

---

CISA Corner

⚠️ CISA Adds Six Known Exploited Vulnerabilities to Catalog warning – CISA has added six vulnerabilities to its catalog due to active exploitation, highlighting serious risks to federal systems. Agencies are required to remediate these vulnerabilities promptly. https://www.cisa.gov/news-events/alerts/2025/05/19/cisa-adds-six-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has added a new vulnerability, CVE-2025-4632, related to Samsung MagicINFO 9 Server, to its Known Exploited Vulnerabilities Catalog, urging organizations to prioritize remediation efforts. https://www.cisa.gov/news-events/alerts/2025/05/22/cisa-adds-one-known-exploited-vulnerability-catalog

⚙️ CISA Releases Thirteen Industrial Control Systems Advisories vulnerability – CISA issued thirteen advisories on May 20, 2025, addressing security vulnerabilities in various Industrial Control Systems. Users are urged to review these advisories for important technical details and mitigations. https://www.cisa.gov/news-events/alerts/2025/05/20/cisa-releases-thirteen-industrial-control-systems-advisories ⚙️ CISA Releases Two Industrial Control Systems Advisories vulnerability – CISA has issued two advisories on security vulnerabilities affecting Lantronix Device Installer and Rockwell Automation FactoryTalk Historian. Users are urged to review the advisories for details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2025/05/22/cisa-releases-two-industrial-control-systems-advisories

🎯 Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies security news – CISA and other agencies issued a Cybersecurity Advisory on Russian GRU cyber actors targeting Western tech and logistics firms, particularly those supporting Ukraine. The advisory highlights their espionage tactics. https://www.cisa.gov/news-events/alerts/2025/05/21/russian-gru-cyber-actors-targeting-western-logistics-entities-and-tech-companies 🎯 Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware security news – CISA and the FBI issued a Cybersecurity Advisory on LummaC2 malware, which targets U.S. critical infrastructure by infiltrating networks and exfiltrating sensitive data. Organizations are urged to implement recommended mitigations. https://www.cisa.gov/news-events/alerts/2025/05/21/threat-actors-target-us-critical-infrastructure-lummac2-malware

🔐 New Best Practices Guide for Securing AI Data Released security news – CISA, NSA, and FBI released a Cybersecurity Information Sheet outlining best practices for securing AI data. It emphasizes the importance of data security throughout the AI lifecycle for accuracy and trustworthiness. https://www.cisa.gov/news-events/alerts/2025/05/22/new-best-practices-guide-securing-ai-data-released 🔒 Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) security news – Commvault is investigating potential unauthorized access to customer data in their Metallic SaaS solution on Azure. CISA urges users to apply mitigations, monitor logs, and implement security best practices. https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

I've been using Ubuntu daily for a few months. I was a bit afraid of having some major issue and having to try another distro before thinking about returning to Arch, but the balance is positive so far.

I admit there have been a few things that've annoyed me. Then again, I've had that on any OS I've used, so... yeah, computers... At least they're not printers, right?! 👀

✔️ The positives

I find the default GNOME experience on Ubuntu to be good. Back in the day, I enjoyed the hell out of Unity, and having a similar experience is nice. Of course, we're talking about GNOME here; extensions are necessary, but I didn't install that many, and some were only to improve the interface's bling (I like pretty things 🤷).

It's also nice to have a free tier for the Ubuntu Pro program. If, for whatever reason, I decide to stick with this version, I'll have 10 years of security updates (at the time of writing). The specifics are on the link above, so don't forget to check it out to know more about them.

When it comes to regular home users, Pro's free tier can be a nice thing to have. This way, they can slowly prepare the migration to a newer LTS and still stay reasonably secure. Well, to be honest, also because they don't tend to like changes, and keeping a stable environment for some time reduces the stress of computing for them.

This, of course, is also beneficial for self-hosters, for example. But it might not be for you, and that's fair, too. 🍻

Snaps have also improved quite a lot. You may find the occasional exception, but they have become quite performant compared to just a few years ago. Even the Steam snap has improved; however, it can take a little bit more time to launch than the native package when you have a lot of games installed and/or they take up a lot of disk space.

Another plus for the Steam snap is being able to change Mesa versions. There might be some games that require more recent versions than the included one, so this is a nice feature to have.

❌ The negatives

There's an issue with the Steam snap, where right-clicking on something to show a menu and then clicking on a menu entry just closes the menu and doesn't perform the action. This one can be annoying as hell sometimes! 💢

I do miss having some utilities I use already packaged or from a trusted enough source on the AUR, but I compiled them from source, and I keep tabs on new updates occasionally.

It's also a shame there is no official gamescope package, and you're left compiling it from source. I do think there are a few issues with that on the 24.04 LTS version, but I'm just remembering this as I type, so I might be misremembering.

I was also having the best KDE experience I've had in ~20 years with Plasma 6.x on Arch, but it's not packaged for Ubuntu 24.04. One time, I tried using a repo from Kubuntu or something, but I ended up borking the package and dependency lists, and couldn't remove the upgraded packages. 💀 I ended up reinstalling, which was faster than spending a day debugging dependency issues and force-installing some packages manually.

I had forgotten how PPAs can be a headache if you just YOLO it. 😅

👋 Conclusion

At least for now, I'm sticking with the latest stable LTS. When I switched, my goal was to have a system that doesn't change much over time and, in doing so, doesn't bother me every day to install a ton of updates. I also wanted something more reliable. While the verdict is yet to be reached on the latter, it has been reached on the former — most days, I only have flatpak updates.

I'll stick with Ubuntu LTS for a few more months, so I can safely say if it is what I'm looking for or if I need to find another distribution. Although I think I'll probably stick to it until the next LTS — unless I have a major issue with it —and then reevaluate it.

#Ubuntu #Linux #Arch #KDE #GNOME #Steam #Gaming #LinuxGaming #DesktopLinux

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

News For All

🎭 Threat actors use fake AI tools to deliver the information stealer Noodlophile cybercrime – Threat actors exploit AI trends to distribute Noodlophile, an information stealer, via fake AI tools on social media, tricking users into downloading malware disguised as legitimate applications. https://securityaffairs.com/177719/security/threat-actors-use-fake-ai-tools-to-deliver-the-information-stealer-noodlophile.html

✈️ Charter airline helping Trump's deportation campaign pwned data breach – GlobalX, a charter airline involved in deportations, reported a cybersecurity breach affecting its network. While the full impact remains unclear, it may include stolen flight records and passenger data. https://www.theregister.com/2025/05/12/globalx_security_incident/

💰 Google to pay Texas nearly $1.4 billion over alleged data privacy violations privacy – Google has agreed to a $1.37 billion settlement with Texas over lawsuits alleging illegal tracking of user data, including location and Incognito searches, without admitting wrongdoing. https://therecord.media/google-texas-privacy-violations-billions

🍏 Wide-ranging Apple security update addresses over 30 vulnerabilities vulnerability – Apple's latest security update addresses over 30 vulnerabilities across iOS, iPadOS, and macOS, including critical baseband flaws and privacy issues affecting various components. No active exploitation has been reported. https://cyberscoop.com/apple-security-update-c1-modem-privacy-fixes-may-2025/

📞 Android launches new protections against phone call scammers security news – Google is introducing features on Android to prevent phone call scams, including blocking app sideloading and accessibility permissions during calls, and warning users about likely scams when accessing banking apps. https://www.theverge.com/news/665706/google-phone-call-scam-protection-banking-apps

🔒 Zero Day Initiative — The May 2025 Security Update Review vulnerability – Adobe and Microsoft released significant security updates in May 2025, addressing numerous vulnerabilities across their software. Adobe patched 40 CVEs, while Microsoft addressed 75, including several critical flaws under active attack. https://www.thezdi.com/blog/2025/5/13/the-may-2025-security-update-review

🚫 Google Is Using On-Device AI to Spot Scam Texts and Investment Fraud security news – Google is enhancing its AI Scam Detection feature in the Messages app to identify various types of scams, running locally on devices to protect user privacy. This aims to combat the rising tide of digital fraud. https://www.wired.com/story/google-io-on-device-ai-scam-texts/

🚘 License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows privacy – Flock is developing a product called Nova that combines license plate data with personal information from data brokers, allowing law enforcement to track individuals without warrants. Employees express ethical concerns over using hacked data. https://www.404media.co/license-plate-reader-company-flock-is-building-a-massive-people-lookup-tool-leak-shows/

💻 North Korean IT Workers Are Being Exposed on a Massive Scale cybercrime – Researchers have identified North Korean IT workers infiltrating Western companies to fund the regime, revealing their lavish lifestyles and connections to cybercrime. A recent leak exposes over 1,000 email addresses linked to their activities. https://www.wired.com/story/north-korean-it-worker-scams-exposed/

⚖️ Meta's still violating GDPR rules with latest plan to train AI on EU user data, says noyb privacy – Noyb has sent a cease and desist letter to Meta, challenging its plans to use EU user data for AI training without explicit consent. The group threatens legal action if Meta does not comply with GDPR requirements. https://www.theregister.com/2025/05/14/metas_still_violating_gdpr_rules/

🛑 White House scraps plan to block data brokers from selling Americans' sensitive data privacy – The CFPB has withdrawn a plan to regulate data brokers under the Fair Credit Reporting Act, citing misalignment with current interpretations. This move follows industry lobbying against the rule, raising concerns over privacy. https://techcrunch.com/2025/05/14/white-house-scraps-plan-to-block-data-brokers-from-selling-americans-sensitive-data/

💰 Who needs VC funding? How cybercriminals spread their ill-gotten gains to everyday business ventures cybercrime – Cybercriminals are reinvesting their profits into ordinary businesses like coffee shops and real estate to launder money. An investigation reveals a network of collaboration among criminals to diversify and legitimize their income streams. https://cyberscoop.com/what-cybercriminals-do-with-their-money-sophos/

👟 Meta plans to train AI on EU user data from May 27 without consent privacy – Meta intends to train its AI models using EU user data starting May 27 without explicit consent, prompting privacy group noyb to threaten legal action for violating GDPR regulations by relying on an 'opt-out' system. https://securityaffairs.com/177920/security/meta-plans-to-train-ai-on-eu-user-data-from-may-27-without-consent.html

🔒 Google Chrome’s May Update: What You Need to Know About CVE-2025-4372 and More vulnerability – Google's latest Chrome update addresses critical vulnerabilities, including CVE-2025-4664, which is actively exploited, and CVE-2025-4372, a use-after-free flaw. Users are urged to update immediately for security. https://thecyberexpress.com/google-chrome-update-fixe-cve-2025-4372/

🚫 EU court rules that tracking-based online ads are illegal privacy – The Brussels Court of Appeal ruled that tracking for online ads violates GDPR, stating that existing consent models are inadequate. This decision significantly impacts major tech companies relying on real-time bidding. https://therecord.media/eu-court-rules-tracking-based-ads-illegal

⚖️ Bahn vor Gericht: Warum der DB Navigator ein Fall für die Justiz ist privacy – The Frankfurt court case against Deutsche Bahn focuses on the DB Navigator app, which allegedly collects and shares user data without consent, raising significant GDPR compliance issues and consumer rights concerns. https://www.kuketz-blog.de/bahn-vor-gericht-warum-der-db-navigator-ein-fall-fuer-die-justiz-ist/

👿 US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials security news – The FBI warns that ex-government officials are being targeted by cybercriminals using AI-generated deepfake texts and voice messages to impersonate senior U.S. officials, aiming to gain access to personal accounts. https://securityaffairs.com/177987/cyber-crime/us-government-officials-targeted-texts-and-ai-generated-deepfake.html

⚡ Experts found rogue devices, including hidden cellular radios, in Chinese security research – Investigators discovered hidden 'kill switches' and rogue cellular radios in Chinese-made power inverters used in US solar farms, raising concerns about potential remote control over critical energy infrastructure by Beijing. https://securityaffairs.com/178005/hacking/rogue-devices-in-chinese-made-power-inverters-used-worldwide.html

---

Some More, For the Curious

🕐 One-Click RCE in ASUS’s Preinstalled Driver Software hacking write-up – ASUS’s DriverHub software has a serious vulnerability that allows remote code execution due to weak origin checks, posing a significant security threat. https://mrbruh.com/asusdriverhub/

🤖 New 'Defendnot' tool tricks Windows into disabling Microsoft Defender security research – The 'Defendnot' tool exploits a Windows API to disable Microsoft Defender by registering a fake antivirus, showcasing vulnerabilities in system security features. https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/

🔐 The cryptography behind passkeys security research – Passkeys enhance authentication security by using cryptographic key pairs and the WebAuthn specification, eliminating phishing risks and password reuse while ensuring user authenticity. https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/

🚨 CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access vulnerability – A critical double-free vulnerability in the Linux kernel's nftables subsystem allows local attackers to escalate privileges and execute arbitrary code. Users should update their systems to mitigate this risk. https://thecyberexpress.com/cve-2024-26809-nftables-vulnerability/

🔍 EU Vulnerability Database Officially Launches Amid CVE Program Concerns security news – The EU has launched its vulnerability database to improve management of cybersecurity threats, coinciding with uncertainty over MITRE's CVE Program future. It will aggregate critical vulnerability information and facilitate better transparency. https://thecyberexpress.com/eu-vulnerability-database-officially-launches-amid-cve-program-concerns/

⚠️ New VMware Tools Vulnerability Allows Attackers to Tamper with Virtual Machines, Broadcom Issues Urgent Patch vulnerability – A moderate vulnerability in VMware Tools (CVE-2025-22247) allows attackers with limited access to compromise VMs by tampering with local files. Broadcom has released patches; no workarounds are available. https://thecyberexpress.com/vmware-tools-vulnerability-cve-2025-22247/

🔧 Commvault Command Center patch incomplete: researcher vulnerability – A critical flaw in Commvault's Command Center remained exploitable for free trial users despite a patch. Following a researcher's discovery, Commvault has changed its update policy to allow immediate access for all users. https://www.theregister.com/2025/05/13/patch_commvault_cvss_10/

🌟 Zero-Day Vulnerabilities in Ivanti EPMM vulnerability – Ivanti disclosed two zero-day vulnerabilities in their Endpoint Manager Mobile (EPMM) products, allowing unauthenticated remote code execution. CERT-EU recommends immediate updates, especially for internet-facing devices. https://cert.europa.eu/publications/security-advisories/2025-018/

🔍 Intel data-leaking Spectre defenses scared off once again vulnerability – Researchers discovered a new attack vector exploiting Intel's Spectre defenses, allowing unauthenticated remote code execution via branch predictor race conditions. Intel has released a microcode update to address this vulnerability. https://www.theregister.com/2025/05/13/intel_spectre_race_condition/

💝 Spies hack high-value mail servers using an exploit from yesteryear cybercrime – Recent reports indicate that spies have successfully compromised high-value mail servers by exploiting older vulnerabilities, demonstrating the ongoing risk posed by outdated security flaws. https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers-using-an-exploit-from-yesteryear/

💵 Coinbase flips $20M extortion demand into bounty for info on attackers cybercrime – After cybercriminals extorted Coinbase for $20 million following a data breach, the company offered the same amount as a reward for information leading to the attackers' arrest, marking a proactive response to the incident. https://cyberscoop.com/coinbase-cyberattack-extortion-counter-reward/

💻 Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi security research – On day two of Pwn2Own Berlin 2025, hackers earned $435,000 for demonstrating zero-day exploits in various products, including VMware ESXi, with one researcher earning $150,000 for an integer overflow exploit. https://securityaffairs.com/177943/hacking/pwn2own-berlin-2025-day-two-researcher-earned-150k-hacking-vmware-esxi.html

🛡️ ClickFix Fixes Ranked cyber defense – The 'ClickFix' attack technique exploits user coercion to execute malicious commands via the Windows Run dialog. Mitigations are ranked by effectiveness and annoyance, highlighting the balance between security and usability. https://taggart-tech.com/clickfix/

©️ How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes security news – TeleMessage, a Signal clone used by U.S. officials, was hacked, exposing user message logs in plaintext. The app has been disabled by Customs and Border Protection amid security concerns. https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/

---

CISA Corner

📢 Update to How CISA Shares Cyber-Related Alerts and Notifications security news – CISA is revamping its cybersecurity alerts by sharing updates solely through social media and email, focusing on urgent threats on its webpage to improve visibility and user experience. https://www.cisa.gov/news-events/alerts/2025/05/12/update-how-cisa-shares-cyber-related-alerts-and-notifications

⚠️ CISA Adds Five Known Exploited Vulnerabilities to Catalog warning – CISA has added five Microsoft Windows vulnerabilities to its Known Exploited Vulnerabilities Catalog due to active exploitation risks, urging federal agencies to remediate them promptly. https://www.cisa.gov/news-events/alerts/2025/05/13/cisa-adds-five-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has added CVE-2025-32756, a stack-based buffer overflow vulnerability in Fortinet products, to its Known Exploited Vulnerabilities Catalog due to active exploitation risks, urging federal agencies to remediate it promptly. https://www.cisa.gov/news-events/alerts/2025/05/14/cisa-adds-one-known-exploited-vulnerability-catalog ⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog warning – CISA has included three new vulnerabilities in its Known Exploited Vulnerabilities Catalog: a command injection in DrayTek routers, an enforcement issue in Google Chromium, and a deserialization vulnerability in SAP NetWeaver, highlighting significant risks for federal agencies. https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog

⚙️ CISA Releases Twenty-Two Industrial Control Systems Advisories vulnerability – CISA has released twenty-two advisories regarding vulnerabilities in industrial control systems, aimed at enhancing security measures within critical infrastructure sectors. https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-releases-twenty-two-industrial-control-systems-advisories

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

News For All

🤦‍♂️ WhatsApp provides no cryptographic management for group messages security research – WhatsApp's group messaging lacks cryptographic safeguards, allowing potential unauthorized users to join chats unnoticed, raising privacy concerns for sensitive discussions. https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic-management-for-group-messages/

🚫 Mr. Deepfakes, the Biggest Deepfake Porn Site on the Internet, Says It’s Shutting Down for Good cybercrime – Mr. Deepfakes, notorious for nonconsensual deepfake porn, has announced its permanent shutdown due to loss of service and data, leaving users with no access. https://www.404media.co/mr-deepfakes-the-biggest-deepfake-porn-site-on-the-internet-says-its-shutting-down-for-good/

🔑 Passkeys for Normal People cyber defense – Passkeys offer a phishing-resistant alternative to traditional passwords and OTPs for secure logins, enhancing online safety, but still require careful management across devices. https://www.troyhunt.com/passkeys-for-normal-people/

🔓 The modified Signal app used by Mike Waltz was reportedly hacked data breach – A breach involving a modified Signal app used by Mike Waltz has led to the exposure of message contents and contact information of government officials. https://www.theverge.com/news/661173/telemessage-signal-clone-hacked-mike-waltz

📱 Smishing on a Massive Scale: ‘Panda Shop’ Chinese Carding Syndicate cybercrime – Resecurity has uncovered a new smishing kit, ‘Panda Shop,’ linked to a Chinese syndicate, capable of sending millions of fraudulent messages daily and targeting vast consumer data. https://securityaffairs.com/177502/cyber-crime/smishing-on-a-massive-scale-panda-shop-chinese-carding-syndicate.html

🎓 Fake Student Fraud in Community Colleges cybercrime – Community colleges face rising fraud from fake students using AI-generated work to exploit financial aid, challenging detection efforts and disrupting class structures. https://www.schneier.com/blog/archives/2025/05/fake-student-fraud-in-community-colleges.html

🚨 Samsung MagicINFO flaw exploited days after PoC publication vulnerability – A high-severity vulnerability (CVE-2024-7399) in Samsung MagicINFO was exploited shortly after a proof-of-concept was released, allowing unauthenticated users to execute code with system-level access. https://securityaffairs.com/177529/hacking/samsung-magicinfo-vulnerability-exploited-after-poc-publication.html

🕵️‍♂️ Meta awarded $167.25 million over Pegasus spyware attack security news – Meta has been awarded $167.25 million after suing the NSO Group for using Pegasus spyware to target over 1,400 WhatsApp users. https://www.theverge.com/news/662242/meta-nso-group-pegasus-whatsapp-hack-damages

🔑 Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years security news – Tulsi Gabbard reportedly used the same easily cracked password across multiple accounts for years, raising concerns about her cybersecurity practices following a sensitive incident involving a Signal group chat. https://www.wired.com/story/tulsi-gabbard-dni-weak-password/

💻 COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs cybercrime – Google's Threat Intelligence Group reports on COLDRIVER's new malware, LOSTKEYS, used to steal files from Western targets, utilizing a multi-stage infection process involving social engineering techniques. https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos/

💰 PowerSchool customers hit by downstream extortion threats cybercrime – After PowerSchool paid a ransom to delete stolen data, some of its school district customers are now facing extortion threats to leak that data, highlighting ongoing supply chain risks. https://cyberscoop.com/powerschool-customers-hit-by-downstream-extortion-threats/

🔒 Polish authorities arrested 4 people behind DDoS cybercrime – Polish police arrested four individuals operating DDoS-for-hire platforms used in global attacks, offering services for as little as €10, as part of an international crackdown on cybercrime. https://securityaffairs.com/177590/cyber-crime/polish-police-arrested-4-people-behind-ddos-for-hire-platforms.html

🎭 NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked security news – Following ransomware attacks on Marks & Spencer and Co-op, the NCSC warns that hackers are using social engineering to impersonate employees and exploit helpdesk staff for account access. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked

🐕‍🦺 DOGE software engineer’s computer infected by info-stealing malware security news – Kyle Schutt, a software engineer at CISA, had his login credentials exposed multiple times in public leaks from info-stealing malware, raising concerns about potential access to sensitive government information. https://arstechnica.com/security/2025/05/doge-software-engineers-computer-infected-by-info-stealing-malware/

✈️ Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for “Donnie” Trump cybercrime – Hacktivists claiming to be part of Anonymous breached GlobalX Airlines, leaking flight records and passenger manifests related to US deportation flights while defacing the airline's website with a message targeting Trump. https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-globalx-message-trump

🛡️ FBI and Dutch police seize and shut down botnet of hacked routers cybercrime – A joint operation by the FBI and Dutch police dismantled a botnet of hacked routers used for cybercrime, indicting four individuals for running proxy services Anyproxy and 5Socks built on compromised devices. https://techcrunch.com/2025/05/09/fbi-and-dutch-police-seize-and-shut-down-botnet-of-hacked-routers/

💰 German operation shuts down crypto mixer eXch, seizes millions in assets cybercrime – German police seized over $30 million in assets from the crypto mixer eXch, which was linked to laundering funds from the $1.46 billion Bybit hack, as part of a crackdown on money laundering activities. https://therecord.media/exch-cryptocurrency-mixer-germany-takedown

🔒 How to turn on Lockdown Mode for your iPhone and Mac privacy – Apple's Lockdown Mode enhances security for those facing sophisticated threats, limiting device functionality. It can be easily enabled or disabled on iPhones, iPads, and Macs through settings. https://www.theverge.com/tech/663794/lockdown-mode-iphone-mac-how-to

💰 Google will pay Texas $1.4 billion over its location tracking practices privacy – Google will pay Texas $1.4 billion to settle lawsuits over unauthorized location tracking and biometric data retention, marking a significant victory for user privacy against Big Tech violations. https://securityaffairs.com/177683/laws-and-regulations/google-will-pay-texas-1-4-billion-over-its-location-tracking-practices.html

---

Some More, For the Curious

⚠️ Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US security research – Researchers highlight security concerns over easyjson, an open source tool linked to a Russian company, fearing it could be exploited for espionage or cyberattacks against the US. https://www.wired.com/story/easyjson-open-source-vk-ties/

5️⃣ 5 Common Cybersecurity Mistakes That Attackers Love cyber defense – Cybersecurity experts highlight five common mistakes—improper secrets management, excessive user privileges, lack of network segmentation, overreliance on user training, and poor security detections—that leave organizations vulnerable to attacks. https://bishopfox.com/blog/before-red-team-fix-these-5-common-mistakes

💳 Hundreds of e-commerce sites hacked in supply-chain attack security research – A supply-chain attack has compromised hundreds of e-commerce sites, injecting malware that steals payment information from visitors, linked to three software providers over six years. https://arstechnica.com/security/2025/05/hundreds-of-e-commerce-sites-hacked-in-supply-chain-attack/

⚖️ Lawmakers grill Noem over CISA funding cuts, demand Trump cyber plan security news – Homeland Security Secretary Kristi Noem faced bipartisan criticism over a proposed $491 million budget cut to CISA, with lawmakers demanding details on the Trump administration's cyber strategy amid rising threats. https://therecord.media/noem-house-hearing-proposed-cisa-funding-cuts

🛡️ New 'Bring Your Own Installer (BYOI)' technique allows to bypass EDR vulnerability – A new BYOI technique allows attackers to exploit SentinelOne's upgrade process, disabling EDR protection and enabling Babuk ransomware deployment by interrupting the installation. https://securityaffairs.com/177494/hacking/new-bring-your-own-installer-byoi-technique-allows-to-bypass-edr.html

➰ Curl takes action against time-wasting AI bug reports security news – Curl founder Daniel Stenberg implements a checkbox for bug reports to filter out AI-generated submissions, citing their overwhelming volume and lack of validity as a drain on maintainers' resources. https://www.theregister.com/2025/05/07/curl_ai_bug_reports/

🔓 Play ransomware affiliate leveraged zero cybercrime – The Play ransomware gang exploited a Windows zero-day vulnerability (CVE-2025-29824) to gain SYSTEM privileges and deploy malware, including the Grixba infostealer, in targeted attacks. https://securityaffairs.com/177573/cyber-crime/play-ransomware-affiliate-leveraged-zero-day-to-deploy-malware.html

💻 CVE-2024-44236: Remote Code Execution vulnerability in Apple macOS vulnerability – A remote code execution vulnerability in macOS allows attackers to exploit ICC Profile files, potentially executing code on victims' machines. A patch has been released, but no attacks have been detected yet. https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos

🔐 CVE-2025-20188: Cisco Fixes 10.0-Rated Wireless Controller Flaw vulnerability – Cisco has patched a critical vulnerability (CVE-2025-20188) in its IOS XE Wireless Controller software that allows unauthenticated attackers to gain root access. Administrators are urged to apply fixes and check configurations. https://thecyberexpress.com/cisco-patches-cve-2025-20188/

🫦 The LockBit ransomware site was breached, database dump was leaked online cybercrime – The LockBit ransomware group's dark web site was breached, leaking a database with victim data, negotiation logs, and configurations, revealing insights into their operations and potential decryption keys. https://securityaffairs.com/177619/cyber-crime/the-lockbit-ransomware-site-was-breached-database-dump-was-leaked-online.html

📅 A timeline of South Korean telco giant SKT's data breach data breach – SK Telecom suffered a major data breach affecting 23 million customers, prompting investigations and customer backlash, as the company works to mitigate damage and replace compromised SIM cards. https://techcrunch.com/2025/05/08/a-timeline-of-south-korean-telco-giant-skts-data-breach/

🔒 SonicWall fixed SMA 100 flaws that could be chained to execute arbitrary code vulnerability – SonicWall patched three critical vulnerabilities in SMA 100 that could allow remote attackers to chain them for arbitrary code execution, including a potential zero-day. Users are advised to update to the latest version. https://securityaffairs.com/177626/hacking/sonicwall-fixed-sma-100-flaws-that-could-be-chained-to-execute-arbitrary-code.html

🔒 CVSS 10.0 Vulnerability Found in Ubiquity UniFi Protect Cameras vulnerability – Ubiquity disclosed critical vulnerabilities in UniFi Protect, including a CVSS 10.0 flaw (CVE-2025-23123) allowing remote code execution. Users are urged to update firmware and applications immediately to mitigate risks. https://thecyberexpress.com/ubiquity-unifi-protect-flaws-cve-2025-23123/

---

CISA Corner

😶 Unsophisticated Cyber Actor(s) Targeting Operational Technology cyber defense – CISA warns of unsophisticated cyber actors targeting ICS/SCADA systems in U.S. critical infrastructure, urging asset owners to improve cyber hygiene to prevent potential operational disruptions and physical damage. https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology

⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has added CVE-2025-3248, a missing authentication vulnerability in Langflow, to its catalog, highlighting its active exploitation and risks to federal networks. https://www.cisa.gov/news-events/alerts/2025/05/05/cisa-adds-one-known-exploited-vulnerability-catalog ⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has included CVE-2025-27363, an out-of-bounds write vulnerability in FreeType, in its catalog due to evidence of active exploitation posing risks to federal networks. https://www.cisa.gov/news-events/alerts/2025/05/06/cisa-adds-one-known-exploited-vulnerability-catalog ⚠️ CISA Adds Two Known Exploited Vulnerabilities to Catalog warning – CISA has included two new OS command injection vulnerabilities (CVE-2024-6047 and CVE-2024-11120) in its catalog, highlighting their active exploitation and risks to federal networks. https://www.cisa.gov/news-events/alerts/2025/05/07/cisa-adds-two-known-exploited-vulnerabilities-catalog

⚙️ CISA Releases Three Industrial Control Systems Advisories vulnerability – CISA has issued three advisories regarding vulnerabilities in industrial control systems, urging users to review the advisories for technical details and recommended mitigations. https://www.cisa.gov/news-events/alerts/2025/05/06/cisa-releases-three-industrial-control-systems-advisories ⚙️ CISA Releases Five Industrial Control Systems Advisories vulnerability – CISA has issued five advisories regarding vulnerabilities in various Industrial Control Systems, urging users to review the details and recommended mitigations for enhanced security. https://www.cisa.gov/news-events/alerts/2025/05/08/cisa-releases-five-industrial-control-systems-advisories

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

I bought one so you don't have to. (Edit: at least until Eaton supports Matter over WiFi)

These devices connect to Azure IOT Platform. While I am sure Eaton has a great deal for that, it means that every time I turn the lights on or off, Azure gets paid a small amount of money.

The switch, while not multi-touch capable, will wait 0.5s before turning the load on or off.

In an event of a network connection disruption, when you are back online the switch will take ~5 minutes to become available in the app. There is no local control even though the ESP32-C3-MINI1 (datasheet) module can do this. The unit is provisioned with WiFi credentials over Bluetooth but other than that Bluetooth is not used.

And when you use schedules, the status LED does not correspond to the actual state of the switch.

I am still debating whether to give Schneider Electric Matter-over-WiFi a try, but the more I read the specs the more I become convinced that Z-Wave network I already have is the best.

Edit: https://www.eaton.com/us/en-us/products/wiring-devices-connectivity/Matter.html suggests that at some point these WiFi devices will gain Matter support. If/when that happens, these switches, dimmers, and receptacles will become much more useful.

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

News For All

🎣 Zoom attack tricks victims into allowing remote access to install malware and steal money cybercrime – The ELUSIVE COMET group exploits Zoom to trick victims into granting remote access, allowing malware installation and asset theft. A recent attack succeeded on one CEO but failed on another. https://www.malwarebytes.com/blog/news/2025/04/zoom-attack-tricks-victims-into-allowing-remote-access-to-install-malware-and-steal-money

💳 NFC Fraud Wave: Evolution of Ghost Tap on the Dark Web cybercrime – NFC fraud is surging as cybercriminals exploit contactless payment systems for large-scale theft. The 'Ghost Tap' technique enables remote access to stolen data, posing serious security risks. https://www.resecurity.com/blog/article/nfc-fraud-wave-evolution-of-ghost-tap-on-the-dark-web

🐡 Beware of this sneaky Google phishing scam warning – Scammers are using Google and PayPal tools to craft convincing fake emails that bypass security checks, making them harder to detect. Stay vigilant against these phishing attempts. https://www.theverge.com/news/652509/google-no-reply-dkim-phishing-scam

💂 How to Protect Yourself From Phone Searches at the US Border privacy – As border searches intensify, travelers should consider using a travel phone or modifying their primary device to minimize personal data. Simple precautions can help protect privacy during crossings. https://www.wired.com/story/how-to-protect-yourself-from-phone-searches-at-the-us-border/

🛍️ Marks & Spencer confirms cybersecurity incident amid ongoing disruption cybercrime – Marks & Spencer has confirmed a cybersecurity incident affecting its operations, causing disruptions in payment systems and order pickups. The retailer is investigating with external experts, but details on customer data impact remain unclear. https://techcrunch.com/2025/04/22/marks-spencer-confirms-cybersecurity-incident-amid-ongoing-disruption/

🎥 Beware of video call links that are attempts to steal Microsoft 365 access, researchers tell NGOs security news – Researchers warn that Russia-linked hackers are targeting NGOs with phishing attempts disguised as video call invitations to capture Microsoft 365 access tokens via OAuth. Vigilance is advised against unsolicited contacts. https://therecord.media/russia-linked-phishing-microsoft365-ukraine-ngos

⛪ The Tech That Safeguards the Conclave’s Secrecy security news – As the Vatican prepares for the conclave to elect a new pope, advanced security measures like signal jammers, opaque window films, and thorough inspections are in place to ensure secrecy and integrity. https://www.wired.com/story/technology-used-to-shield-conclave-pope-francis/

💰 EU fines Apple €500 million and Meta €200 million for breaking digital market rules security news – The European Commission fined Apple €500 million and Meta €200 million for violating the Digital Markets Act, marking the first penalties under the new regulations. Both companies plan to appeal the decisions. https://therecord.media/eu-fines-apple-steering-meta-data-privacy-dma

🧿 Blue Shield of California shared the private health data of millions with Google for years data breach – Blue Shield of California disclosed a data breach involving the sharing of sensitive health information with Google since 2021, affecting 4.7 million individuals. The data sharing ended in January 2024 due to a misconfiguration. https://techcrunch.com/2025/04/23/blue-shield-of-california-shared-the-private-health-data-of-millions-with-google-for-years/

©️ WhatsApp now lets you block people from exporting your entire chat history privacy – WhatsApp's new 'Advanced Chat Privacy' feature allows users to prevent others from exporting chat histories and automatically downloading media, enhancing privacy in conversations, although it won't stop screenshots. https://www.theverge.com/news/654592/whatsapp-advanced-chat-privacy-block-exporting-chats

⚰️ Crooks exploit the death of Pope Francis cybercrime – Cybercriminals are exploiting the death of Pope Francis to launch scams and spread malware, leveraging public emotion and curiosity. Strong security practices are essential to counter these risks. https://securityaffairs.com/176917/cyber-crime/crooks-exploit-the-death-of-pope-francis.html

🌍 Even the U.S. Government Says AI Requires Massive Amounts of Water security news – A new GAO report highlights the significant environmental costs of generative AI, emphasizing its heavy demand for power and water, raising concerns about its long-term societal impact. https://www.404media.co/even-the-u-s-government-says-ai-requires-massive-amounts-of-water/

🎮 UK bans export of video game controllers to Russia to hinder attack drone pilots security news – The UK government has banned the export of video game controllers to Russia to prevent their use in piloting drones in Ukraine. This is part of a broader sanctions package aimed at limiting Russia's war efforts. https://therecord.media/uk-bans-video-game-controllers

🤌 Gmail’s New Encrypted Messages Feature Opens a Door for Scams cybercrime – Google's new end-to-end encrypted email feature may enhance security but raises concerns about phishing scams targeting non-Gmail users, as scammers could exploit the invitation system to steal credentials. https://www.wired.com/story/gmail-end-to-end-encryption-scams/

💻 North Korean IT workers seen using AI tools to scam firms into hiring them cybercrime – North Korean IT workers are leveraging generative AI tools to secure jobs at U.S. and European tech firms, facilitating their onboarding and communication while funneling earnings back to the DPRK government. https://therecord.media/north-korean-it-workers-seen-using-ai-recruitment-scams

🥴 Government officials are kind of bad at the internet security news – U.S. officials, including Secretary of Defense Pete Hegseth, have mishandled sensitive information through tech blunders, such as sharing military plans in unsecured messaging apps, highlighting poor digital security practices. https://techcrunch.com/2025/04/26/government-officials-are-kind-of-bad-at-the-internet/

🎒 Storm-1977 targets education sector with password spraying security news – Microsoft reports that the threat actor Storm-1977 is conducting password spraying attacks on the education sector, using AzureChecker.exe to validate credentials and create resources for cryptomining. https://securityaffairs.com/177067/hacking/storm-1977-targets-education-sector-with-password-spraying-microsoft-warns.html

🔑 Who needs phishing when your login's already in the wild? security news – Mandiant's report reveals that stolen credentials have become a major infection vector, surpassing email phishing. The rise in infostealers and cloud attacks emphasizes the need for multi-factor authentication. https://www.theregister.com/2025/04/23/stolen_credentials_mandiant/

🥏 A Look at a Novel Discord Phishing Attack cybercrime – Researchers from Binary Defense investigated MalenuStealer, an infostealer exploiting compromised Discord accounts to distribute malware disguised as a beta game. The attack uses social engineering to trick users into downloading malicious software. https://www.binarydefense.com/resources/blog/a-look-at-a-novel-discord-phishing-attack/

---

Some More, For the Curious

🤬 Microsoft’s patch for CVE-2025–21204 symlink vulnerability introduces another symlink vulnerability vulnerability – A fix for a symlink vulnerability inadvertently creates another, allowing users to block future Windows updates, risking security. Microsoft has not yet addressed this issue. https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741

🔍 CERT.at – DOGE, CISA, Mitre und CVE Published security news – Concerns arose when funding for the CVE system was threatened, but a solution was found. The CVE identifiers remain vital for effective vulnerability management across organizations. https://www.cert.at/de/blog/2025/4/doge-cisa-mitre-und-cve

🎭 Example of a Payload Delivered Through Steganography malware – This article illustrates how steganography conceals malicious payloads in seemingly harmless images, making detection by security tools challenging. It explores obfuscation techniques used in malware. https://isc.sans.edu/diary/rss/31892

🦠 How Lumma Stealer sneaks into organizations malware – Lumma Stealer exploits fake CAPTCHA pages and other social engineering tactics to infiltrate systems, primarily targeting individuals and organizations. Its methods include DLL sideloading and malicious payload injections. https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/

⏳ Eight days from patch to exploitation for Microsoft flaw vulnerability – Just eight days after Microsoft patched CVE-2025-24054, attackers exploited it in campaigns against targets in Poland and Romania, highlighting urgent patching needs for NTLM vulnerabilities. https://www.theregister.com/2025/04/21/microsoft_apple_patch/

🏗️ Attacker Infrastructure cyber defense – The article discusses the various components and setups used by cybercriminals to conduct attacks, including servers, tools, and networks that facilitate malicious activities. https://vulncheck.com/blog/attacker-infrastructure

🃏 Attackers stick with effective intrusion points, valid credentials and exploits security news – IBM X-Force's report reveals that identity-based attacks and exploitation of public-facing applications remain the top intrusion methods. Credential theft and phishing continue to rise, particularly in critical infrastructure sectors. https://cyberscoop.com/ibm-x-force-threat-intelligence-index-2025/

🧑‍🏫 Ex-NSA boss: AI devs' lesson to learn from early infosec security news – Former NSA chief Mike Rogers urges AI developers to integrate security from the start, learning from cybersecurity's past mistakes, to avoid costly fixes later and ensure responsible use in national security. https://www.theregister.com/2025/04/23/exnsa_boss_ai/

🔮 A Vulnerable Future: MITRE’s Close Call in CVE Management cyber defense – MITRE faced a crisis regarding the CVE program's future but secured an 11-month contract extension. The incident highlights the need for robust vulnerability management practices amid uncertainty. https://jfrog.com/blog/mitres-close-call-in-cve-management/

🃏 M-Trends 2025: Data, Insights, and Recommendations From the Frontlines security news – Mandiant's M-Trends 2025 report highlights evolving attack sophistication, particularly by China-linked groups using custom malware and zero-day vulnerabilities, while also noting a rise in credential theft as a major infection vector. https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025/

⛓️‍💥 Ripple NPM supply chain attack hunts for private keys cybercrime – Compromised versions of the Ripple NPM package, xrpl, have been found to contain malware designed to steal private keys from users, affecting developers who interact with the cryptocurrency ledger. https://www.theregister.com/2025/04/23/ripple_npm_supply_chain/

⚖️ DOGE Worker’s Code Supports NLRB Whistleblower security research – A whistleblower alleges that Elon Musk's DOGE group illegally downloaded sensitive data from the NLRB using privileged accounts, raising concerns about unfair advantages in labor disputes and data security. https://krebsonsecurity.com/2025/04/doge-workers-code-supports-nlrb-whistleblower/

🃏 VulnCheck spotted 159 actively exploited vulnerabilities in first few months of 2025 security news – In Q1 2025, VulnCheck reported that attackers exploited nearly a third of vulnerabilities within a day of disclosure, identifying 159 actively exploited vulnerabilities and highlighting the need for rapid response to emerging threats. https://cyberscoop.com/vulncheck-known-exploited-cves-q1-2025/

⛓️ Operation SyncHole: Lazarus APT targets supply chains in South Korea security research – The Lazarus Group has launched Operation SyncHole, targeting at least six South Korean firms through cyber espionage, using malware like ThreatNeedle and exploiting vulnerabilities in local software for data theft. https://securityaffairs.com/176964/apt/operation-synchole-lazarus-apt-targets-supply-chains-in-south-korea.html

⚠️ Critical Commvault Flaw Rated 10/10: CSA Urges Immediate Patching vulnerability – The CSA of Singapore warns of a critical vulnerability (CVE-2025-34028) in Commvault Command Center, rated 10/10, allowing remote code execution. Users are urged to update to patched versions immediately. https://thecyberexpress.com/commvault-vulnerability-cve-2025-34028/

🚨 SAP zero-day vulnerability under widespread active exploitation vulnerability – A critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver systems allows unauthorized file uploads, leading to full system compromise. Active exploitation is reported, urging immediate patching for affected customers. https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/

📱 How to Root Android Phones hacking write-up – This guide explains rooting Android devices, detailing the process for both emulators and physical phones like the Pixel 6. It discusses the pros and cons of rooting, including the benefits for testing applications and the associated security risks. https://www.blackhillsinfosec.com/how-to-root-android-phones/

🐞 How a 20 year old bug in GTA San Andreas surfaced in Windows 11 24H2 security news – A long-standing bug in GTA San Andreas caused the Skimmer plane to disappear on Windows 11 24H2 due to changes in how the OS handles stack memory, exposing uninitialized variables and corrupting game data. https://cookieplmonster.github.io/2025/04/23/gta-san-andreas-win11-24h2-bug/

🛡️ io_uring Rootkit Bypasses Linux Security Tools security research – ARMO researchers reveal a significant security gap in Linux due to the io_uring interface, allowing rootkits to evade detection by traditional security tools. Their rootkit, Curing, exploits this blind spot, underscoring the need for improved detection methods like KRSI. https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/

---

CISA Corner

⚙️ CISA Releases Five Industrial Control Systems Advisories vulnerability – CISA issued five advisories on April 22, 2025, addressing vulnerabilities in various ICS products, including Siemens and Schneider Electric systems. Users are urged to review for mitigation strategies. https://www.cisa.gov/news-events/alerts/2025/04/22/cisa-releases-five-industrial-control-systems-advisories ⚙️ CISA Releases Seven Industrial Control Systems Advisories vulnerability – CISA issued seven advisories on April 24, 2025, addressing vulnerabilities in various ICS products, including Schneider Electric and Johnson Controls. Users are urged to review for technical details and mitigations. https://www.cisa.gov/news-events/alerts/2025/04/24/cisa-releases-seven-industrial-control-systems-advisories

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

In case you want more #IOT in your life, Eaton ships remotely actuated circuit breakers.

The breakers are provisioned using a “BlinkUp” system through your phone. You start the provisioning on your device, then put your screen to the sensor on the circuit breaker, your screen blinks a number of times sending WiFi credentials to the device, and then the latter connects to the Electric Imp servers. Eaton is using impOs as the basis of their offering, and Electric Imp is adamant they are secure.

Now, Eaton provides API to these circuit breakers – https://api.em.eaton.com/docs, but there is no true local access – there is apparently a way to get local control, but your device must phone home weekly to receive configuration that would allow you to talk to your device locally.

As I was writing this I decided to scan GitHub for the URLs I found so far, and, well, people smarter than me have already written a home_assistant integration against #SEW, but it is a bit different from what I saw in the field:

• https://github.com/cnecrea/hidroelectrica

I'd still like to describe how to locate the endpoints and the login process, so here we go...

This is the second post about #SEW SCM API – Smart Customer Mobile API by Smart Energy Water, this time we will learn about different APIs using real world utility websites.

It appears that there are at least two different API “flavors”. The one that uses ModuleName.svc/MethodNameMob naming convention and usually resides under PortalService endpoint, and the newer one, which lives under /API/.

So e.g. Nebraska Public Power District has endpoints at https://onlineaccount.nppd.com/PortalService/, e.g. https://onlineaccount.nppd.com/PortalService/UserLogin.svc/help. Rochester Public Utilities runs a different set of endpoints, with the root at https://connectwith.rpu.com/api.

The endpoints for the latter API can also be browsed at https://scmcx.smartcmobile.com/API/Help/.

Different utilities pay for different set of modules, and here's some of the modules I have discovered so far:

• AdminBilling
• CompareSpending
• ConnectMe
• EnergyEfficiency
• Generation
• Notifications
• Outage
• PaymentGateway
• Usage
• UserAccount
• UserLogin

For /PortalService/ endpoints you can visit BASE_URL + /PortalService/ + ModuleName + .svc + /help to get the list of RPC calls you can issue. In order to find out what to send in the requests, you need to look into the calls within the apps for your utility. Note that some utilities opted out of the AES/CBC/PKCS5Padding PasswordPassword encryption, so let's hope this will be a trend forward. Currently SEW web portals talk to a completely different set of APIs to populate the interface, even though they are querying the same thing.

So to start, here's how to login to your favorite utility:

from typing import Mapping, Any

import base64
import json
import hashlib
import requests
import urllib.parse

from Crypto.Cipher import AES

BASE_URL = "https://example.com/PortalService"


def _encrypt_query(
    params: Mapping[str, str], encryption_key: str = "PasswordPassword"
) -> str:
    """Encrypt with AES/CBC/PKCS5Padding."""
    cipher = AES.new(encryption_key, AES.MODE_CBC, IV=encryption_key)

    cleartext = urllib.parse.urlencode(params).encode()

    # PKCS5 Padding - https://www.rfc-editor.org/rfc/rfc8018#appendix-B.2.5
    padding_length = 16 - len(cleartext) % 16
    cleartext += padding_length * chr(padding_length).encode()

    return base64.b64encode(cipher.encrypt(cleartext)).decode("ascii")


def request(module: str, method: str, data: Mapping[str, Any]) -> Mapping[str, str]:
    enc_query = _encrypt_query(data)
    # Or module + '.svc/'
    url = BASE_URL + "/" + module + "/" + method

    resp = requests.post(url, json={"EncType": "A", "EncQuery": enc_query})
    if not resp.ok:
        raise Exception(resp.status_code)
    return resp.json()


password_digest = hashlib.sha256("PASSWORD".encode()).hexdigest()
# Or ValidateUserLoginMob
response = request(
    "UserLogin",
    "ValidateUserLogin",
    {"UserId": "USERNAME", "Password": password_digest},
)
print(response)

response will contain some object, you will need LoginToken and AccountNumber to proceed with most of the other calls.

It's a bit awkward that different utilities have different endpoints, which makes creating a universal client challenging, so for now I am researching the ways to get info from the Usage module. The parameters are weird (“type”: “MI”, or “HourlyType”: “H”), but we will get there.

Once upon a time I learned about Opower HomeAssistant integration. But my utility does not use Opower, it was using something called “Smart Energy Water”.

Smart Energy Water, or #SEW is a SaaS provider, and they ship the whole thing – the backend, frontend, and the phone apps, the latter under the name SCM, which means Smart Customer Mobile.

So I embarked on a journey to figure out how these phone apps worked and, if successful, get my data out and into homeassistant.

APK

I pulled an APK of my utility from Google Play Store and found that something secret is hidden in a libnative-lib.so binary, under com.sew.scm.gcm.SecureConstant, under a few methods returning String, and some methods that decrypt these strings using a heavily obfuscated set of routines, which essentially XOR'd (in case of Android APK) the values of gcm_default_sender_id + google_app_id + Android_App_RatingConstant_File, all the values from the strings.xml within the app resources.

One of the decoded tokens contains a key for request encryption. It was ...

PasswordPassword

SCM apps use private APIs. In order to remain private and hard to use the requests are encrypted.

You urlencode the parameters into key=value&key1=value1... form, then encrypt the resulting string using AES-CBC with PKCS5 Padding (16 bytes variant) using PasswordPassword as both the key and IV.

Then you send {"EncType": "A", "EncQuery": "base64-encoded-encrypted-string"}, and receive response from one of the .../API/Module/MethodName endpoints. The response will be JSON with no extra encryption, so it is definitely a deterrent against making requests, not a security feature.

Login

Armed with that knowledge, and some help from exposed API listing on one of the utility websites I found that I need to use ValidateUserLoginMob call expecting userid and password.

However, password had to be base64-encoded result of applying a secret scheme from that SecurityConstant module above. It is always SHA256.

So my first https://utility.example.net/API/UserLogin/ValidateUserLogin was a success, I got LoginToken and AccountNumber, which was all we needed to start poking APIs.

Tada!

If your utility uses SEW SCM, i.e. one of these at https://play.google.com/store/apps/developer?id=Smart+Energy+Water, you should be able to get API listing by visiting the web interface, and appending /API/Help. Or, if your utility runs an older version of SCM, replace /portal/ with /portalservice/UserLogin.svc/help or /portalservice/Usage.svc/help. You may get the .NET API definitions.