CyberSecurity Newsletter May 12th 2025
In this week’s news: Google is implementing a Chrome security feature that uses an on-device LLM to detect and block tech support scams, Neptune RAT is among the most capable malware threats targeting Windows devices, a flaw in Microsoft Entra ID’s legacy login allowed attackers to bypass MFA, the affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, the United Nations (UN) has developed a new cyber-attack assessment framework, Google has agreed to pay the U.S. state of Texas nearly $1.4 billion to settle two lawsuits that accused the company of tracking users' personal location, fake AI-powered video generation tools are being used to distribute a new information-stealing malware family called 'Noodlophile,' a data breach at Ascension, and the Bluetooth Special Interest Group (SIG) has announced Bluetooth Core Specification 6.1.
Google is implementing a new Chrome security feature that uses the built-in 'Gemini Nano' large-language model (LLM) to detect and block tech support scams while browsing the web. Tech support scams are malicious websites that trick users into thinking their computer has a virus infection or other problem. These alerts are shown as full-screen browser windows or will display additional pop-ups, making them difficult to close.
https://www.bleepingcomputer.com/news/security/google-chrome-to-use-on-device-ai-to-detect-tech-support-scams/
Neptune RAT is among the most capable malware threats targeting Windows devices. It is distributed through platforms such as YouTube and Telegram and is built to evade Windows Defender and other antivirus tools. Its capabilities include ransomware-style file locking, password theft, and overwriting the Master Boot Record (MBR) of Windows 11 machines. Despite its severity, the article argues that protecting a Windows device from Neptune RAT is straightforward.
https://www.maketecheasier.com/neptune-rat-malware-in-windows/
Cybersecurity firm Guardz has discovered a targeted campaign exploiting a weakness in Microsoft Entra ID’s legacy authentication protocols to bypass Multi-Factor Authentication (MFA), with admin accounts across the finance, healthcare, and tech sectors as the targets. Legacy protocols authenticate with a bare username and password and never present an MFA challenge, so a tenant that still allows them is exposed regardless of MFA enrolment; blocking legacy authentication with a Conditional Access policy closes that gap.
https://hackread.com/legacy-login-microsoft-entra-id-breach-cloud-accounts/
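The check a defender wants after reading this item is whether any account has already signed in over a legacy protocol without an MFA challenge. The Go program below is an added example, not code from Guardz, Microsoft or the article: it scans an export of Entra ID sign-in records (the JSON field names follow the Microsoft Graph signIn resource) and reports successful, single-factor logins that arrived via legacy clients. The sample records are constructed for the demonstration and do not describe any real tenant.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SignIn holds the Entra ID sign-in log fields this check relies on. The JSON
// names follow the Microsoft Graph signIn resource.
type SignIn struct {
	UserPrincipalName         string `json:"userPrincipalName"`
	ClientAppUsed             string `json:"clientAppUsed"`
	AuthenticationRequirement string `json:"authenticationRequirement"`
	ConditionalAccessStatus   string `json:"conditionalAccessStatus"`
	IPAddress                 string `json:"ipAddress"`
	Status                    struct {
		ErrorCode int `json:"errorCode"`
	} `json:"status"`
}

// legacyClients lists clientAppUsed values for protocols that authenticate with
// a bare username/password and therefore never present an MFA challenge.
// "Other clients" is where Entra files basic-auth (ROPC-style) logins.
var legacyClients = map[string]bool{
	"Other clients":       true,
	"IMAP4":               true,
	"POP3":                true,
	"SMTP":                true,
	"Authenticated SMTP":  true,
	"Exchange ActiveSync": true,
}

// Finding describes one sign-in that got past MFA over a legacy protocol.
type Finding struct {
	User, Client, IP, CAStatus string
}

// LegacyMFABypasses returns the successful, single-factor sign-ins that came in
// over a legacy protocol. Each one is an account the attacker controls despite
// any MFA the user has registered, because the legacy path never asked for it.
func LegacyMFABypasses(signInJSON []byte) ([]Finding, error) {
	var records []SignIn
	if err := json.Unmarshal(signInJSON, &records); err != nil {
		return nil, fmt.Errorf("parsing sign-in log: %w", err)
	}
	var out []Finding
	for _, r := range records {
		if !legacyClients[r.ClientAppUsed] {
			continue // modern client: MFA can apply, nothing to report here
		}
		if r.Status.ErrorCode != 0 {
			continue // failed legacy attempt (e.g. password spraying), not a bypass
		}
		if r.AuthenticationRequirement != "singleFactorAuthentication" {
			continue
		}
		out = append(out, Finding{
			User: r.UserPrincipalName, Client: r.ClientAppUsed,
			IP: r.IPAddress, CAStatus: r.ConditionalAccessStatus,
		})
	}
	return out, nil
}

// sampleSignIns is a constructed sign-in export used only for this example.
const sampleSignIns = `[
 {"userPrincipalName":"admin@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"success","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"userPrincipalName":"admin@example.com","clientAppUsed":"Other clients","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"userPrincipalName":"admin@example.com","clientAppUsed":"Other clients","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","ipAddress":"198.51.100.7","status":{"errorCode":0}},
 {"userPrincipalName":"finance@example.com","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","ipAddress":"198.51.100.9","status":{"errorCode":0}}
]`

func main() {
	findings, err := LegacyMFABypasses([]byte(sampleSignIns))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("MFA bypassed: %s via %q from %s (conditional access: %s)\n",
			f.User, f.Client, f.IP, f.CAStatus)
	}
}
```

In the sample, the browser sign-in that completed MFA and the failed basic-auth attempt are skipped; the two successful single-factor logins over "Other clients" and IMAP4 are reported, each with a Conditional Access status of notApplied, which is exactly what an unblocked legacy path looks like. Once legacy authentication is blocked by policy (or by Microsoft's security defaults), those sign-ins fail instead of appearing here.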
The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations. The breach has been confirmed by LockBitSupp – the creator, developer and administrator of the LockBit ransomware group – who downplayed the attack by saying that decryptors, stolen company data, and the ransomware source code haven’t been compromised.
https://www.helpnetsecurity.com/2025/05/09/lockbit-hacked-data-leaked/
The United Nations (UN) has developed a new cyber-attack assessment framework, building on and complementing existing models like the MITRE ATT&CK framework. The new United Nations Institute for Disarmament Research (UNIDR) Intrusion Path framework is designed to analyze both malicious and security activities in the ICT environment. It aims to help UN member states and non-technical stakeholders better understand malicious IT activities, amid the use of “complex language” in the technical community.
https://www.infosecurity-magazine.com/news/un-cyber-assessment-framework/
Education technology provider PowerSchool has confirmed it paid a ransomware demand in an attempt to prevent cybercriminals from publishing stolen teacher and student data in the US and Canada. The North American school software supplier admitted to making the payment as it revealed that a threat actor contacted multiple school district customers in a fresh attempt to extort them using data from the December 2024 incident.
https://www.infosecurity-magazine.com/news/powerschool-ransom-payment/
The FBI released a FLASH alert warning about the 5Socks and Anyproxy malicious services, which target end-of-life (EOL) routers. Because EOL devices no longer receive security updates, attackers exploit known vulnerabilities, often via exposed remote management, to deploy malware and enlist the routers in botnets used for attacks or proxy services. The alert urges replacing compromised routers, or reducing the risk of infection by disabling remote administration and rebooting.
https://securityaffairs.com/177648/cyber-crime/malware-targets-end-of-life-routers.html
Google has agreed to pay the U.S. state of Texas nearly $1.4 billion to settle two lawsuits that accused the company of tracking users' personal location and maintaining their facial recognition data without consent. The $1.375 billion payment dwarfs the fines the tech giant has paid to settle similar lawsuits brought by other U.S. states. In November 2022, it paid $391 million to a group of 40 states.
https://thehackernews.com/2025/05/google-pays-1375-billion-to-texas-over.html
A known Russian threat group has armed itself with a new malware suite that allows for the theft of user accounts and credentials, posing a substantial threat to organizations in the West. The group known as "ColdRiver" has been spotted in the wild using a previously unknown piece of data-stealing malware designated as “LostKeys.” According to the Google Threat Intelligence Group (GTIG), the malware is able to covertly swipe credentials for specific services from target machines.
https://www.scworld.com/news/google-warns-of-russian-hackers-coldriver-wielding-new-malware-tools
Fake AI-powered video generation tools are being used to distribute a new information-stealing malware family called 'Noodlophile,' under the guise of generated media content. The websites use enticing names like the "Dream Machine" and are advertised on high-visibility groups on Facebook, posing as advanced AI tools that generate videos based on uploaded user files.
https://www.bleepingcomputer.com/news/security/fake-ai-video-generators-drop-new-noodlophile-infostealer-malware/
The North Korean threat actors behind the Contagious Interview campaign have been observed using updated versions of a cross-platform malware called OtterCookie with capabilities to steal credentials from web browsers and other files. NTT Security Holdings, which detailed the new findings, said the attackers have "actively and continuously" updated the malware, introducing versions v3 and v4 in February and April 2025, respectively.
https://thehackernews.com/2025/05/ottercookie-v4-adds-vm-detection-and.html
Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. SAP released an out-of-band emergency patch on April 24 to address this unauthenticated file upload security flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer, days after cybersecurity company ReliaQuest first detected the vulnerability being targeted in attacks.
https://www.bleepingcomputer.com/news/security/chinese-hackers-behind-attacks-targeting-sap-netweaver-servers/
Germany's Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has seized the online infrastructure of the eXch cryptocurrency exchange and shut it down over allegations of money laundering and operating a criminal trading platform.
https://thehackernews.com/2025/05/germany-shuts-down-exch-over-19b.html
The Bluetooth Special Interest Group (SIG) has announced Bluetooth Core Specification 6.1, bringing important improvements to the popular wireless communication protocol. One new feature highlighted in the release is improved device privacy through randomized Resolvable Private Address (RPA) updates. An RPA is a Bluetooth LE address derived from a random value and the device's Identity Resolving Key (IRK), so only peers that hold the IRK can link it back to the device; rotating it at unpredictable rather than fixed intervals makes passive tracking harder.
https://www.bleepingcomputer.com/news/security/bluetooth-61-enhances-privacy-with-randomized-rpa-timing/
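As an added illustration (not code from the Bluetooth SIG or the article), the following Go program implements the random-address hash ah() from the Core Specification (Vol 3, Part H), builds and resolves an RPA, and contrasts a fixed rotation timer with a randomized one. The 8 to 15 minute rotation bounds are an assumption for the demonstration, not values taken from the 6.1 specification.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
	"math/big"
	"time"
)

// ah is the Bluetooth random-address hash (Core Spec Vol 3, Part H, 2.2.2):
// the low 24 bits of AES-128(irk, 0^104 || prand), bytes in MSB-first order.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // only possible with a wrong key length, which [16]byte rules out
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // prand occupies the least-significant 24 bits of the block
	block.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:])
	return h
}

// BuildRPA assembles an RPA from an IRK and a 24-bit random part: the address
// is prand || ah(irk, prand), with the top two bits of prand forced to 01 to
// mark it as resolvable.
func BuildRPA(irk [16]byte, prand [3]byte) [6]byte {
	prand[0] = (prand[0] & 0x3f) | 0x40
	h := ah(irk, prand)
	var addr [6]byte
	copy(addr[:3], prand[:])
	copy(addr[3:], h[:])
	return addr
}

// NewRPA draws fresh randomness for the prand half and builds an address.
func NewRPA(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	return BuildRPA(irk, prand), nil
}

// Resolve reports whether addr was produced with irk: recompute the hash from
// the prand half and compare. Without the IRK an observer sees only random
// bytes and cannot tell two successive addresses belong to the same device.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x1 {
		return false // top bits are not 01, so this is not an RPA
	}
	var prand [3]byte
	copy(prand[:], addr[:3])
	return ah(irk, prand) == [3]byte{addr[3], addr[4], addr[5]}
}

// NextRotation picks how long to keep the current RPA. A fixed timeout lets an
// observer correlate addresses by their change period even without the IRK;
// drawing the interval uniformly from [min, max] removes that timing signal.
// The bounds are chosen by the caller (assumed values, not spec constants).
func NextRotation(min, max time.Duration) (time.Duration, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(max-min)+1))
	if err != nil {
		return 0, err
	}
	return min + time.Duration(n.Int64()), nil
}

func formatAddr(a [6]byte) string {
	return fmt.Sprintf("%02X:%02X:%02X:%02X:%02X:%02X", a[0], a[1], a[2], a[3], a[4], a[5])
}

func main() {
	var irk [16]byte // demo key; a real device keeps its IRK in secure storage
	for i := range irk {
		irk[i] = byte(i)
	}
	addr, err := NewRPA(irk)
	if err != nil {
		panic(err)
	}
	fmt.Println("RPA:", formatAddr(addr), "resolves with own IRK:", Resolve(irk, addr))
	fixed := 15 * time.Minute
	randomized, _ := NextRotation(8*time.Minute, 15*time.Minute)
	fmt.Println("fixed rotation:", fixed, "randomized rotation:", randomized)
}
```

The hash only binds the two halves of the address to the IRK; it does nothing to hide when the address changes. That is why the 6.1 change to rotation timing matters: with a predictable period, an observer can pair the address that disappears with the one that appears at the expected moment, regardless of how well the hash itself resists linking.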
A data breach at Ascension, caused by a former partner’s compromise, exposed the health information of over 430,000 patients. Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019.
https://securityaffairs.com/177676/data-breach/ascension-reveals-personal-data-of-437329-patients-exposed-in-cyberattack.html
Authorities dismantled a 20-year-old botnet tied to Anyproxy and 5socks as part of an international operation codenamed “Operation Moonlander”; four men, including three Russians, were indicted for running the illegal proxy networks. The U.S. Justice Department charged Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, with Conspiracy and Damage to Protected Computers for conspiring with others to maintain, operate, and profit from Anyproxy and 5socks services.
https://securityaffairs.com/177664/malware/operation-moonlander-dismantled-the-botnet-behind-anyproxy-and-5socks-cybercriminals-services.html
Microsoft is working on adding a new Teams feature that will prevent users from capturing screenshots of sensitive information shared during meetings. Those joining from unsupported platforms will be automatically placed in audio-only mode to protect shared content. The company plans to start rolling out this new Teams feature to Android, desktop, iOS, and web users worldwide in July 2025.
https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-will-soon-block-screen-capture-during-meetings/
The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and 7 million students at colleges and universities across the United States.
https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/
Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information.
https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/
An opinion piece titled "Why Hexadecimal Systems Will Be Far Superior to Binary Packet Systems" argues that advances in AI, cryptography, and data storage are reigniting the debate between hexadecimal and binary systems in computing and cybersecurity on questions of efficiency, security, and future-proof architectures. Readers should bear in mind that hexadecimal is a notation for binary data rather than a separate computing system, so the piece is best read as commentary.
https://undercodetesting.com/why-hexadecimal-systems-will-be-far-superior-to-binary-packet-systems/
More than 38,000 different sub-domains have been utilized to host fraudulent cryptocurrency wallet websites on Amazon S3 and Azure Web Apps as part of the far-reaching FreeDrain cryptocurrency phishing campaign, reports The Hacker News.
https://www.scworld.com/brief/massive-freedrain-cryptophishing-campaign-uncovered
A Texas firm recently charged with conspiring to distribute synthetic opioids in the United States is at the center of a vast network of companies in the U.S. and Pakistan whose employees are accused of using online ads to scam westerners seeking help with trademarks, book writing, mobile app development and logo designs, a new investigation reveals.
https://krebsonsecurity.com/2025/05/pakistani-firm-shipped-fentanyl-analogs-scams-to-us/
Using Blob URLs to Bypass SEGs and Evade Analysis
https://cofense.com/blog/using-blob-urls-to-bypass-segs-and-evade-analysis
What DragonForce Taught Us About Zero Trust
https://www.mitiga.io/blog/hackers-in-aisle-5-what-dragonforce-taught-us-about-zero-trust
Ads with the Apple logo and a link purportedly leading to CNN have been used to promote the fake cryptocurrency token dubbed "iToken" across X, formerly Twitter, as part of an ongoing cryptocurrency scam, Cybernews reports.
https://www.scworld.com/brief/malicious-x-ads-fuel-new-cryptocurrency-scam