cyberlights โ week 21/2025
A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!
News For All
๐จ UK government confirms massive data breach following hack of Legal Aid Agency data breach โ A major data breach at the Legal Aid Agency may expose sensitive information of legal aid applicants, affecting millions. Security measures are being intensified to prevent further incidents. https://therecord.media/uk-legal-aid-agency-data-breach
๐งฌ Pharma giant Regeneron to buy 23andMe and its customers' data for $256M privacy โ Regeneron plans to purchase 23andMe, including sensitive genetic data from 15 million customers, raising privacy concerns after a previous data breach. Compliance with privacy laws is promised. https://techcrunch.com/2025/05/19/pharma-giant-regeneron-to-buy-23andme-and-its-customers-data-for-256m/
๐ days demonstrated at Pwn2Own Berlin 2025 vulnerability โ Mozilla patched two critical zero-day vulnerabilities in Firefox that could allow sensitive data access or code execution. Users are urged to update their browsers immediately. https://securityaffairs.com/178064/security/mozilla-fixed-zero-days-demonstrated-at-pwn2own-berlin-2025.html
๐ Russia-linked disinformation floods Poland, Romania as voters cast ballots security news โ Ahead of presidential elections, Romania and Poland report increased Russian disinformation efforts aiming to sway voters. Authorities warn of impersonation tactics and funded campaigns on social media. https://therecord.media/russia-disinformation-poland-presidential-election
๐๏ธ Cocospy stalkerware apps go offline after data breach security news โ Cocospy, Spyic, and Spyzie, stalkerware apps spying on millions, have gone offline following a significant data breach exposing user emails. Users are advised to remove any remaining spyware from their devices. https://techcrunch.com/2025/05/19/cocospy-stalkerware-apps-go-offline-after-data-breach/
๐ช DoorDash Hack security research https://www.schneier.com/blog/archives/2025/05/doordash-hack.html
๐ Consumer Reports: Kroger using loyalty program to package, sell customer data privacy โ Kroger allegedly sells detailed consumer data from its loyalty program, creating potentially inaccurate profiles of shoppers for marketing. Consumer Reports urges stronger privacy protections against such practices. https://therecord.media/kroger-using-loyalty-program-to-sell-customer-data
๐ Chicago Sun-Times prints summer reading list full of fake books security news โ The Chicago Sun-Times published a summer reading list with fake books generated by AI, prompting backlash from readers and staff. The publication is investigating the incident and terminating its relationship with the creator. https://arstechnica.com/ai/2025/05/chicago-sun-times-prints-summer-reading-list-full-of-fake-books/
๐ 3 Teens Almost Got Away With Murder. Then Police Found Their Google Searches privacy โ Three teens set a house fire that killed five people, but police traced their Google searches for the address to solve the case. The investigation raises concerns about privacy and law enforcement's use of digital data. https://www.wired.com/story/find-my-iphone-arson-case/
๐ฌ Researchers Scrape 2 Billion Discord Messages and Publish Them Online privacy โ A database of over 2 billion Discord messages scraped from 3,167 servers has been published online, raising privacy concerns despite claims of anonymization. A separate tool reveals non-anonymized chat histories. https://www.404media.co/researchers-scrape-2-billion-discord-messages-and-publish-them-online/
๐ธ Signal says no to Windows 11โs Recall screenshots privacy โ Signal has implemented screen security in its Windows 11 client to prevent Microsoftโs Recall feature from capturing secured chats. This move highlights concerns over user privacy and accessibility issues. https://www.theverge.com/news/672210/signal-desktop-app-microsoft-recall-block-windows-11-ai
๐ Kids Say They're Using Photos of Trump and Markiplier to Bypass 'Gorilla Tag' Age Verification security news โ Players of the VR game Gorilla Tag are reportedly using images of Trump and Markiplier to circumvent age verification measures. https://www.404media.co/kids-say-theyre-using-photos-of-trump-and-markiplier-to-bypass-gorllia-tag-age-verification/
๐ค Should Children Use AI Chatbots? Google Thinks So, Critics Strongly Disagree privacy โ Google's rollout of its AI chatbot Gemini for children under 13 has sparked backlash from privacy advocates, who argue it may violate COPPA and poses risks to kids' mental health and well-being. https://thecyberexpress.com/google-gemini-ai-for-kids/
๐ฑ Russia to pass law to track migrants using their smartphone privacy โ A new Russian law will require migrants in Moscow to use a smartphone app for tracking and reporting their location. Critics raise concerns about privacy and potential abuse of power. https://www.theregister.com/2025/05/22/russia_expected_to_pass_experimental/
๐ Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials malware โ A malware campaign has trojanized the KeePass password manager to deliver Cobalt Strike and exfiltrate credentials. The compromised installer mimicked the real one, making detection difficult. https://securityonline.info/trojanized-keepass-used-to-deploy-cobalt-strike-and-steal-credentials/
Some More, For the Curious
๐ OpenPGP.js bug enables encrypted message spoofing vulnerability โ A critical vulnerability in OpenPGP.js allows spoofing of signed and encrypted messages, undermining public key cryptography. Users are urged to upgrade to patched versions to mitigate risks. https://www.theregister.com/2025/05/20/openpgp_js_flaw/
๐ Does ENISA EUVD live up to all the hype? cyber defense โ The article critically examines the effectiveness and impact of the European Union Agency for Cybersecurity (ENISA) in relation to the EU's cybersecurity directives, questioning if it meets expectations. https://vulncheck.com/blog/enisa-euvd
๐ CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation security research โ NIST and CISA researchers have created a new metric, Likely Exploited Vulnerabilities (LEV), to better predict which vulnerabilities may be exploited, enhancing existing systems like EPSS and KEV. https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/
๐ Lumma Stealer toppled by globally coordinated takedown cybercrime โ Lumma Stealer, a notorious infostealer malware, was dismantled in a global operation that seized its core infrastructure, blocking 2,300 malicious domains. Microsoft and law enforcement aim to disrupt cybercrime operations. https://cyberscoop.com/lumma-stealer-infostealer-takedown/
โ ๏ธ Active Directory dMSA Privilege Escalation Attack Detailed by Researchers vulnerability โ Akamai researchers discovered a privilege escalation vulnerability in Windows Server 2025's dMSA feature, allowing attackers to compromise any Active Directory user with minimal permissions. Microsoft acknowledges the issue but rates it as moderate severity. https://thecyberexpress.com/active-directory-dmsa-attack/
๐ Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials cybercrime โ A recent indictment highlights how a Russian malware operation facilitates both criminal activities and state-sponsored hacking, with various cybersecurity issues and incidents, including a breach involving the Signal clone TeleMessage. https://www.wired.com/story/mysterious-database-logins-governments-social-media/
๐ป Oops: DanaBot Malware Devs Infected Their Own PCs cybercrime โ The U.S. government has charged 16 individuals linked to DanaBot malware, which has infected over 300,000 systems. Developers accidentally infected their own PCs, revealing their identities and leading to their arrest. https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/
๐ฐ Decentralized crypto platform Cetus hit with $223 million hack security news โ Cetus, a decentralized cryptocurrency exchange, was hacked for $223 million. The platform paused operations and secured $162 million of the stolen funds, while investigations into the attack continue. https://therecord.media/decentralized-crypto-platform-cetus-theft
๐ฉ Mysterious hacking group Careto was run by the Spanish government, sources say cybercrime โ Research indicates that Careto, a sophisticated hacking group targeting various nations, was operated by the Spanish government. Initially identified in 2014, the group has resurfaced with advanced malware capabilities. https://techcrunch.com/2025/05/23/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say/
๐ Operation RapTor led to the arrest of 270 dark web vendors and buyers cybercrime โ Operation RapTor resulted in the arrest of 270 individuals involved in dark web trafficking across 10 countries, seizing over โฌ184M in assets, drugs, and weapons. Law enforcement continues to target dark web activities. https://securityaffairs.com/178221/deep-web/operation-raptor-arrest-270-dark-web-vendors-and-buyers.html
๐ Large-scale sting tied to Operation Endgame disrupts ransomware infrastructure cybercrime โ Law enforcement from Europe and North America dismantled key ransomware infrastructure in Operation Endgame, taking down 300 servers and 650 domains, disrupting malware tools like Qakbot and Trickbot, and issuing arrest warrants for 20 suspects. https://cyberscoop.com/operation-endgame-ransomware-infrastructure-takedown-europol/
โ๏ธ Researchers cause GitLab AI developer assistant to turn safe code malicious vulnerability โ Researchers demonstrated how GitLab's AI assistant, Duo, could be manipulated into inserting malicious code through prompt injections, exposing private data. GitLab has since implemented measures to mitigate this vulnerability. https://arstechnica.com/security/2025/05/researchers-cause-gitlab-ai-developer-assistant-to-turn-safe-code-malicious/
๐ฆ Compromised RVTools Installer Spreading Bumblebee Malware malware โ A compromised RVTools installer was found spreading Bumblebee malware, detected by security researcher Aidan Leon. The malicious file originated from the official website, which has since been taken offline temporarily. https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/
๐ Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and moreโฆ hacking writeup โ Red Teamers demonstrate methods to circumvent SharePoint's Restricted View, allowing data exfiltration through techniques like screenshots, OCR, and using AI tools like Microsoft Copilot. The findings highlight the inadequacy of relying on Restricted View for data security. https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-view-to-exfiltrate-data-using-copilot-ai-and-more/
๐ Passwords are okay, impulsive Internet isn't security news โ The article criticizes the push for passwordless authentication, arguing that passkeys create vendor lock-in and compromise user security. It emphasizes that the real issue lies in human behavior and impulse control, rather than technology itself. Comment: missed this one. thankfully cert.at pushed it this week. https://www.dedoimedo.com/life/passwords-passkeys.html
๐ก Red Team Gold: Extracting Credentials from MDT Shares hacking write-up โ The article explores how Microsoft Deployment Toolkit (MDT) can be targeted during Red Team engagements to extract credentials. It discusses misconfigurations in MDT shares that can lead to unauthorized access to sensitive information. https://trustedsec.com/blog/red-team-gold-extracting-credentials-from-mdt-shares
CISA Corner
โ ๏ธ CISA Adds Six Known Exploited Vulnerabilities to Catalog warning โ CISA has added six vulnerabilities to its catalog due to active exploitation, highlighting serious risks to federal systems. Agencies are required to remediate these vulnerabilities promptly. https://www.cisa.gov/news-events/alerts/2025/05/19/cisa-adds-six-known-exploited-vulnerabilities-catalog โ ๏ธ CISA Adds One Known Exploited Vulnerability to Catalog warning โ CISA has added a new vulnerability, CVE-2025-4632, related to Samsung MagicINFO 9 Server, to its Known Exploited Vulnerabilities Catalog, urging organizations to prioritize remediation efforts. https://www.cisa.gov/news-events/alerts/2025/05/22/cisa-adds-one-known-exploited-vulnerability-catalog
โ๏ธ CISA Releases Thirteen Industrial Control Systems Advisories vulnerability โ CISA issued thirteen advisories on May 20, 2025, addressing security vulnerabilities in various Industrial Control Systems. Users are urged to review these advisories for important technical details and mitigations. https://www.cisa.gov/news-events/alerts/2025/05/20/cisa-releases-thirteen-industrial-control-systems-advisories โ๏ธ CISA Releases Two Industrial Control Systems Advisories vulnerability โ CISA has issued two advisories on security vulnerabilities affecting Lantronix Device Installer and Rockwell Automation FactoryTalk Historian. Users are urged to review the advisories for details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2025/05/22/cisa-releases-two-industrial-control-systems-advisories
๐ฏ Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies security news โ CISA and other agencies issued a Cybersecurity Advisory on Russian GRU cyber actors targeting Western tech and logistics firms, particularly those supporting Ukraine. The advisory highlights their espionage tactics. https://www.cisa.gov/news-events/alerts/2025/05/21/russian-gru-cyber-actors-targeting-western-logistics-entities-and-tech-companies ๐ฏ Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware security news โ CISA and the FBI issued a Cybersecurity Advisory on LummaC2 malware, which targets U.S. critical infrastructure by infiltrating networks and exfiltrating sensitive data. Organizations are urged to implement recommended mitigations. https://www.cisa.gov/news-events/alerts/2025/05/21/threat-actors-target-us-critical-infrastructure-lummac2-malware
๐ New Best Practices Guide for Securing AI Data Released security news โ CISA, NSA, and FBI released a Cybersecurity Information Sheet outlining best practices for securing AI data. It emphasizes the importance of data security throughout the AI lifecycle for accuracy and trustworthiness. https://www.cisa.gov/news-events/alerts/2025/05/22/new-best-practices-guide-securing-ai-data-released ๐ Advisory Update on Cyber Threat Activity Targeting Commvaultโs SaaS Cloud Application (Metallic) security news โ Commvault is investigating potential unauthorized access to customer data in their Metallic SaaS solution on Azure. CISA urges users to apply mitigations, monitor logs, and implement security best practices. https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee for correct- or completeness in any way.