13 Cybersecurity News Worth Your Attention This Week (2/4 May 2025)

Each week I spend hours going throguh 20+ different cybersecurity news sources to find and summarise most interesting news from the week so you can quickly catch up on only the most interesting cyber news quickly. 

1. UK Government Moves to Replace SMS 2FA With Passkeys

Summary
The UK government is phasing out SMS-based two-factor authentication in favor of passkeys for logging into digital services. Passkeys use device-bound cryptographic keys and offer a far more secure and user-friendly alternative to passwords and SMS codes. The National Cyber Security Centre is backing the move, and the UK has formally joined the FIDO Alliance—marking one of the most significant government adoptions of passwordless technology to date.

Key Details

• Passkeys tie your identity to your device, eliminating the need for text codes or passwords altogether.
• The system uses asymmetric cryptography and is resistant to phishing, replay attacks, and SIM-swap fraud.
• The NCSC plans to mandate FIDO-compliant authentication across government platforms.

Next Steps

• Start preparing to support passkeys: If your organization integrates with GOV.UK or plans to, be ready to adopt the FIDO2 standard.
• Audit SMS and password-based logins to find opportunities to phase out unsecure SMS 2FA for your services.

Read more on NCSC, Gov InfoSecurity, and Infosecurity Magazine

2. Google Launches Android ‘Advanced Protection’ Mode to Protect High-risk Users

Summary
Google is rolling out “Advanced Protection” mode for Android 16 to defend high-risk users—like journalists and political targets—against commercial spyware and mobile malware. Much like Apple’s Lockdown Mode, this toggle enforces multiple protections at once, including disabling sideloading, blocking 2G networks and risky USB access, and logging any intrusion attempts for forensic review. 

Key Details

• Intrusion Logging also creates an encrypted, tamper-proof log vault to aid in post-incident investigations a long-missing tool for mobile threat forensics.
• Optional integrations include scam detection in Google Phone, safe browsing in Chrome, and AI-powered call screening.

Read more on SecurityWeek

3. Attackers Lace Fake Generative AI Tools With Malware

Summary
Threat actors are capitalizing on the buzz around generative AI by distributing fake AI apps that install remote access tools and password stealers. Posing as cracked versions of tools like OpenAI or Sora, these lures are distributed via SEO-poisoned pages, fake GitHub repos, and social media, particularly targeting users looking for free or unofficial AI tools. Once installed, the malware gives attackers full access to the victim’s system or browser data.

Next Steps

• Make AI tools officially available to employees to avoid shadow AI usage.
• Warn users against downloading AI tools from unofficial sources, especially if promoted as cracked or free versions.

Read more on Dark Reading

4. Malicious npm Package Uses Hidden Unicode to Pull Payloads via Google Calendar

Summary
A malicious npm package named os-info-checker-es6 was found disguising itself as a system utility while secretly embedding a payload dropper using invisible Unicode characters. It contacts a Google Calendar event to retrieve a hidden Base64-encoded command, effectively using the calendar as a stealthy command-and-control (C2) channel. The campaign appears to be a proof-of-concept or a targeted attack, with several related packages suggesting coordinated distribution.

Key Details

• The malware uses Unicode “Private Use” characters to hide execution code within preinstall.js, evading static detection.
• It accesses a Google Calendar shortlink, extracts a Base64 C2 address from the event title, and contacts that server for further instructions.
• Three other suspicious packages—vue-dev-serverr, vue-dummyy, and vue-bit—also reference the malicious package.

Next Steps

• Immediately audit your dependency tree for os-info-checker-es6 and its related packages.

Read more on The Hacker News

5. ‘Kaleidoscope’ Ad Fraud Network Infects 2.5 Million Devices Monthly

Summary
Researchers have uncovered a massive ad fraud operation called “Kaleidoscope” that is infecting more than 2.5 million devices each month via malvertising and fake browser extensions. Once installed, the malware simulates user activity like scrolling and clicking on ads in the background to generate ad revenue, while exfiltrating user data.

Key Details

• The malware is delivered via Google Ads and sketchy downloads disguised as Chrome updates, VPNs, and video players.
• It hijacks browsers to load ads invisibly and track mouse movement and clicks, all while harvesting sensitive data like IP addresses and user agents.
• The network uses compromised developer accounts to publish browser extensions and avoid detection on the Chrome Web Store.
• More than 71 million devices have been infected to date, making it one of the largest known ad fraud networks in recent memory.

Next Steps

• Check browser extension policies: Use Chrome’s enterprise management tools to restrict or block unauthorized extensions, especially on devices logged in with managed profiles.
• Audit for unmanaged profiles: Even with policies in place, users may switch to personal accounts evaluate whether to restrict using unmanaged (personal) Chrome profiles on work devices.

Read more on Risky Business Media

6. Scatter Spider Group Who Hit UK Retailers by Coordinated Cyberattacks Now Targeting the U.S Retail as Well

Summary
A wave of cyberattacks has disrupted some of the UK’s biggest retailers, with Marks & Spencer confirming customer data theft and reportedly seeking up to £100 million in insurance coverage. The attacks, which also impacted the Co-op and Harrods, are suspected to be part of a larger campaign attributed to the Scattered Spider group. Google warns that this actor has now pivoted to targeting US retail as well. 

Key Details

• The attackers are known for using social engineering, SIM-swapping, and affiliate ransomware tools like DragonForce to infiltrate networks.

Next Steps

• Retail and supply chain organizations should revalidate business continuity plans and be at high alert

Read more on The Record, The Record, and Dark Reading

7. EU Launches European Vulnerability Database to Enhance Cybersecurity Autonomy

Summary
The European Union has officially launched the European Vulnerability Database (EUVD), developed by ENISA under the NIS2 Directive. Initiated in 2022, the EUVD aims to provide a centralized platform for publicly known ICT vulnerabilities, enhancing the EU's cybersecurity resilience and reducing reliance on external databases like the U.S.-based CVE system.

Key Details

• Unlike existing systems, the EUVD integrates data from multiple sources, including CSIRTs, vendors, and other databases, and provides enriched, contextualized information tailored to the European cybersecurity landscape.

See it in action: https://euvd.enisa.europa.eu/

Read more on ENISA, Infosecurity Magazine, and Heise Online

8. AI-Generated Spam Flooding Bug Bounty Platforms With Fake Vulnerability Reports

Summary
Bug bounty platforms are facing a surge of AI-generated vulnerability reports that waste researcher time, slow down triage teams, and in some cases closely mimic actual bugs found in open-source code. Researchers warn that generative AI is now being used to produce convincing—but fake—proof-of-concept code and vulnerability writeups, sometimes designed to trick programs into paying bounties for nonexistent flaws.

Key Details

• Some fake reports are partially copied from real bugs and altered just enough to appear novel, making them harder to detect.
• Platform operators are concerned about signal-to-noise ratio, especially as bounty hunters and scammers alike automate submissions.

Next Steps

• Enhance triage playbooks: Train reviewers to spot AI-generated signs like hallucinated CVEs or inconsistent technical logic.
• Cross-reference submissions with known bugs and changelogs to detect slight repackaging of public vulnerabilities.

Read more on 404 Media

9. No-one’s Safe: LockBit Ransomware Gang Hacked

Summary
LockBit, once one of the most prolific ransomware-as-a-service (RaaS) gangs, has suffered another major blow: an unknown party breached its infrastructure and leaked the group’s affiliate panel and internal communications. The 60,000-record SQL dump reveals affiliate chats, victim negotiations, affiliate identities, build configurations, and tactical insights—offering defenders a rare look into the operational guts of a ransomware outfit just months after Operation Cronos had already disrupted it.

Key Details

• The leak includes Bitcoin wallet addresses, affiliate credentials, LockBit malware configurations, and over 4,000 chat logs between affiliates and victims.
• Researchers discovered affiliate tactics such as killing backup services, removing domain admins, and preferring Monero over Bitcoin for anonymity and discounts.
• The most active affiliates were targeting APAC, with ransom demands typically ranging from $4K to $150K, far less than LockBit’s historic demands, signaling a decline in influence.

Read more on Dark Reading

10. Flock Is Quietly Building a People Lookup Engine for Police

Summary
Leaked documents reveal that Flock, the company behind 5,000+ license plate reader networks across the U.S., is developing a powerful new surveillance platform called “Nova.” The tool combines license plate data with breached information, public records, and people search services to let police “jump from plate to person”—and then to that person’s broader network. Internal Slack messages show even Flock employees are questioning the ethics of this system.

Key Details

• Nova supports 20+ data sources, enabling cross-referencing of license plates with public and commercial identity datasets, including breached data.
• Some agencies are already using Nova in an “early access” phase, without public oversight or known legal safeguards.

Read more on 404 Media

11. 442% Increase in Voice Phishing Between the First and Second Halves of 2024

Summary
As deepfake technology accelerates, attackers are using AI-generated voices and videos to impersonate trusted individuals in real time—particularly in high-stakes virtual meetings and job interviews. The scale and realism of these attacks has outpaced detection tools, with security researchers urging a shift from reactive deepfake detection to proactive identity verification using cryptographic proof and device compliance checks.

Key Details

• CrowdStrike observed a 442% increase in voice phishing between the first and second halves of 2024, largely driven by AI-generated impersonation.
• North Korean threat actors have been caught using deepfakes to infiltrate companies by impersonating IT job candidates on video calls.
• Most deepfake defenses today rely on heuristics and facial analytics, which are often bypassed by high-quality synthetic media.

Read more on The Hacker News

12. WhatsApp’s “Private Processing” Tries to Balance AI Features With End-to-End Encryption

Summary
WhatsApp is introducing a system called “Private Processing” to power new AI features like message summarization without breaking its core promise of end-to-end encryption. Built on hardware-backed Trusted Execution Environments, the system processes user prompts in isolated cloud infrastructure that Meta says even it can’t access. While researchers praise the design, others warn that shifting private chats closer to cloud AI inference makes them a high-value surveillance target, regardless of good intentions.

Key Details

• The system is opt-in, and a new “Advanced Chat Privacy” control lets users block AI features in shared conversations.

Next Steps

• Understand what “AI-safe” really means: Private Processing is secure by design, but still moves encrypted interactions closer to inference engines that must be trusted.
• Review opt-in defaults and user education: Organizations using WhatsApp for sensitive work should verify AI features are clearly explained and easy to disable

Read more on WIRED

13. Coca-Cola’s AI-Powered Ad Shows Why We Need AI Use Policies by Getting Basic Facts Wrong

Summary
Coca-Cola’s new “Classic” ad campaign uses AI to celebrate famous authors by highlighting book excerpts that mention the brand—except one ad attributed a quote to J.G. Ballard that he didn’t write, from a book he didn’t author, dated in a year that doesn’t match. 

This is another case that underscores the importance of having effective AI use policies in place as when not used responsibly the collateral damage to the organisations reputation can be substantial. This is already the second time Coca Cola has a similar issue with AI generated ads, last being just last christmas.

Next Steps:

• Review your AI use Policy templates or reference our free and editable policy tempates to create onw

Read more on 404 Media