CyberSecurity Newsletter May 5th, 2025
In this week’s news: DragonForce claims the Co-op cyberattack, Raytheon and Nightwing Group agree to pay the government $8.4 million, 23 vulnerabilities in Apple AirPlay, Ascension reports a data breach impacting approximately 5.6 million people, former NSA cyber-boss Rob Joyce is worried that AI is going to be a good bug finder and exploit developer, malicious Go modules with hidden code, threat actors actively leveraging known security vulnerabilities in SonicWall appliances, and Qantas customers being targeted by criminals with fake emails.
The attackers behind the recent Co-op cyberattack, who go by the name DragonForce online, told the BBC that they had stolen data from the British retailer and provided proof of the data breach. The hackers shared screenshots with the BBC of their first extortion message to Co-op’s cyber chief, sent via Microsoft Teams on 25 April. They also called the company’s head of security around a week ago.
https://securityaffairs.com/177376/cyber-crime/dragonforce-group-claims-the-theft-of-data-after-co-op-cyberattack.html
U.S. defense contractors Raytheon and Nightwing Group agreed to pay the government $8.4 million to settle allegations that Raytheon violated the terms of a contract with the Defense Department by not having ample cybersecurity protections.
https://therecord.media/defense-contractors-settle-with-dod-false-claims-act
M-Trends 2025: Data, Insights, and Recommendations From the Frontlines
https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025/
Oligo Security uncovers “AirBorne,” a set of 23 vulnerabilities in Apple AirPlay affecting billions of devices. Learn how these flaws enable remote code execution (RCE) and data theft on iPhones, Macs, CarPlay, and more.
https://hackread.com/apple-devices-risk-airborne-airplay-vulnerabilities/
Australian airline Qantas is being targeted by criminals with fake emails claiming to be from the airline. Security experts at Cofense Intelligence, who discovered this attack, found that these convincing emails trick users into giving away their credit card information and personal information like phone numbers and addresses.
https://hackread.com/phishing-emails-impersonate-qantas-credit-card-info/
Ascension, one of the largest healthcare systems in the United States, has reported a data breach impacting approximately 5.6 million patients and employees. The breach stemmed from a ransomware attack in May 2024, during which threat actors gained access to sensitive personal and medical data.
https://dailysecurityreview.com/security-spotlight/ascension-discloses-data-breach-affecting-5-6-million-individuals/
A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational. Sansec researchers who discovered the attack report that some extensions were backdoored as far back as 2019, but the malicious code was only activated in April 2025.
https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-compromises-hundreds-of-e-stores/
Former NSA cyber-boss Rob Joyce thinks today's artificial intelligence is dangerously close to becoming a top-tier vulnerability exploit developer. "Don't worry about the zero-day AI armageddon, but I am increasingly worried that AI is going to be a good bug finder this year, [and] an exploit developer in the near future."
https://www.theregister.com/2025/04/30/exnsa_cyber_boss_ai_expoit_dev/
Microsoft has announced that it will discontinue the password storage and autofill feature in the Authenticator app starting in July and will complete the deprecation in August 2025. The decision is intended to streamline autofill support and consolidate credential management under a single platform, Microsoft Edge.
https://www.bleepingcomputer.com/news/security/microsoft-ends-authenticator-password-autofill-moves-users-to-edge/
A major dark web drug operation and marketplace operating under the name “Pygmalion” has been disrupted by German law enforcement, with its infrastructure dismantled and several individuals arrested following a months-long investigation.
https://hackread.com/police-seize-dark-web-shop-pygmalion-user-data-orders/
Presented at the RSA Conference was “Graphs and Algebras of Defense” by John Lambert, Corporate Vice President and CISO at Microsoft. The presentation introduced an elegant graph-algebra abstraction for cybersecurity defense, aligned with advanced concepts such as manifold learning and graph embedding.
https://undercodetesting.com/graphs-and-algebras-of-defense-a-cybersecurity-framework/
Apple this week sent threat notifications advising users in 100 countries that their phones had been targeted by advanced commercial spyware, according to a victim of the attacks. Ciro Pellegrino, an Italian journalist who received a notification, came forward in a column published Wednesday.
https://therecord.media/apple-spyware-victims-notified-countries
London luxury retailer Harrods has confirmed it was the target of a cyberattack, becoming the third major UK retail brand affected by cyber incidents within a week—following Marks & Spencer and Co-op.
https://dailysecurityreview.com/security-spotlight/harrods-confirms-cyberattack-amid-growing-wave-targeting-uk-retail-sector/
Pro-Russian hacktivist group NoName057(16) has been linked to a wave of distributed denial-of-service (DDoS) attacks targeting multiple public and private organizations across the Netherlands, BleepingComputer reports.
https://www.scworld.com/brief/pro-russian-hacktivists-intensify-ddos-attacks-on-dutch-orgs
Researchers found 3 malicious Go modules with hidden code that can download payloads to wipe a Linux system’s main disk, making it unbootable.
https://securityaffairs.com/177411/malware/malicious-go-modules-designed-to-wipe-linux-systems.html
The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. The latest version of StealC was actually made available to cybercriminals in March 2025, but Zscaler researchers who analyzed it just published a detailed write-up.
https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with-stealth-upgrades-and-data-theft-tools/
Cybersecurity researchers at watchTowr have spotted malicious threat actors actively leveraging known security vulnerabilities in SonicWall’s widely used SMA 100 (Secure Mobile Access) appliances.
https://hackread.com/watchtowr-exploits-target-sonicwall-sma-100-devices/
The Rhysida ransomware gang claims responsibility for hacking the Government of Peru, breaching Gob.pe, which is the country’s official digital platform.
https://securityaffairs.com/177388/cyber-crime/rhysida-ransomware-gang-claims-the-hack-of-the-government-of-peru.html
iHeartMedia has confirmed a data breach that occurred in December 2024, exposing sensitive personal information including Social Security numbers, passport numbers, and financial account details. The breach affected data stored on systems at a small number of local radio stations.
https://dailysecurityreview.com/security-spotlight/iheartmedia-breach-exposes-personal-data-including-ssns-and-passport-numbers/
Seven malicious packages were identified on PyPI, utilizing Gmail’s SMTP servers and WebSockets for data exfiltration and remote command execution. The threat research team at Socket discovered these packages and reported their findings to PyPI, leading to their removal. Some of these packages had been available for over four years, with one package downloaded more than 18,000 times.
https://dailysecurityreview.com/security-spotlight/malicious-pypi-packages-exploit-gmail-and-websockets-to-hijack-systems/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog.
https://securityaffairs.com/177367/hacking/u-s-cisa-adds-yii-framework-and-commvault-command-center-flaws-to-its-known-exploited-vulnerabilities-catalog.html
An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future strategic advantage,"
https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html
A possible cyberattack on Poland's state registry systems on Wednesday temporarily disrupted access to key digital government services, including identity verification and tax reporting platforms, according to a report by The Record, a news site by cybersecurity firm Recorded Future.
https://www.scworld.com/brief/suspected-cyberattack-disrupts-polish-state-registry-systems
The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
https://thehackernews.com/2025/05/us-charges-yemeni-hacker-behind-black.html
Nova Scotia Power has confirmed that customer personal data was accessed and exfiltrated during a cybersecurity incident that occurred on April 25. The utility provider disclosed the breach in an update posted late Thursday, stating that the investigation into the full scope of the intrusion is ongoing.
https://dailysecurityreview.com/security-spotlight/nova-scotia-power-confirms-customer-data-compromised-in-cyberattack/
Ireland’s Data Protection Commission (DPC) fined the popular video-sharing platform TikTok €530 million for violating data laws by transferring data belonging to European users to China. TikTok violated GDPR by transferring EEA user data to China and lacking transparency. TikTok was given 6 months to comply with data rules, or face suspension of data transfers to China.
https://securityaffairs.com/177349/laws-and-regulations/irelands-dpc-fined-tiktok-e530m-for-sending-eu-user-data-to-china.html