We scour more than 15 cybersecurity news portals every week to surface only the stories worth your attention. This week was a busy one \u2014 from Russia\u2019s foiled cyber-sabotage in the Netherlands to Google\u2019s surprise U-turn on third-party-cookie prompts and rollout of IP Protection.<\/p>\n\n\n\n
Dutch military intelligence (MIVD) says it thwarted the first<\/strong><\/em> confirmed Russian cyber\u2011sabotage attempt on a Dutch public service and uncovered a separate<\/strong> operation against critical infrastructure that appeared to be reconnaissance for future sabotage.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- No disruption occurred; the public\u2011service target was not named. The second operation aimed to pre\u2011position inside OT networks that power ports and energy sites.<\/li>\n<\/ul>\n\n\n\n
\n
- Activity mirrors Moscow\u2019s broader hybrid campaign against NATO logistics hubs.<\/li>\n<\/ul>\n\n\n\n
Read more from The Record<\/strong><\/a><\/p>\n<\/div>\n\n\n\n
\n\n\n\n2. British Retailer M&S Confirms Being Hit by \u2018Cyber Incident\u2019 Amid Store Delays<\/strong><\/strong><\/h3>\n\n\n\n
Marks & Spencer disclosed a cyber\u2011attack that from 21\u202f April \u202f2025<\/strong> disrupted Click\u2011and\u2011Collect and contactless payments nationwide. Although some systems were impacted and down, this is actually a pretty good example of a system that is resillient to attacks.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Card terminals and some card systems failed intermittently, forcing staff to switch to manual checkout flows.<\/li>\n\n\n\n
- External IR firms and the UK NCSC are assisting; no evidence yet of customer\u2011data compromise.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- If you process M&S loyalty data, enable credential\u2011stuffing monitoring.<\/li>\n<\/ul>\n\n\n\n
Read more from The Record<\/a> <\/strong><\/p>\n\n\n\n
\n\n\n\n3. Ransomware Groups Test New Business Models to Hit More Victims, Increase Profits<\/strong><\/h3>\n\n\n\n
Secureworks observed DragonForce and Anubis rolling out franchise\u2011style RaaS (Ransomware as a Service) offerings after the LockBit takedown.
One-click locker builders, white-label leak-site hosting and even VOIP \u201cpressure-call\u201d services mean low-skill crooks can start extorting immediately, driving attacks toward SMBs.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Menu now includes encryption\u2011plus\u2011leak, leak\u2011only extortion, and pure access resale to other gangs.<\/li>\n\n\n\n
- Revenue splits vary (e.g., 70\/30 for encryption, 90\/10 for raw access resale), broadening appeal to low\u2011skill crooks.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Stress-test insurance & IR playbooks:<\/strong> confirm policies cover leak-only extortion and rehearse response plans that start with public-data disclosure, not decryption.<\/li>\n<\/ul>\n\n\n\n
Read more from The Record<\/strong><\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
4. Beware of Video-Call Links That Are Attempts to Steal Microsoft 365 Access, Researchers Tell NGOs<\/strong><\/h3>\n\n\n\n
Russia\u2011linked actors lure Ukrainian NGOs to fake video\u2011call portals that harvest OAuth device\u2011code tokens, bypassing passwords and MFA.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Campaign active since Feb\u202f2025; at least 22 civil\u2011society groups targeted.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Disable or restrict Device Code flow to trusted IP ranges.<\/li>\n\n\n\n
- Train staff: real invites never require signing in on unmanaged browsers.<\/li>\n<\/ul>\n\n\n\n
Read more: <\/strong>https:\/\/therecord.media\/russia-linked-phishing-microsoft365-ukraine-ngos<\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
5. <\/strong>Two Top Cyber Officials Resign From CISA<\/h3>\n\n\n\n
Senior advisers Bob Lord and Lauren Zabierek resigned, warning of possible staff cuts and policy slowdowns.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Both helped launch the Secure\u2011by\u2011Design initiative; continuity now uncertain.<\/li>\n\n\n\n
- Departure comes amid a federal hiring freeze that has delayed JCDC workstreams.<\/li>\n<\/ul>\n\n\n\n
Read more: <\/strong>https:\/\/therecord.media\/two-top-cyber-officials-resign-from-cisa<\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
6. New Payment-Card Scam Involves a Phone Call, Some Malware and a Personal Tap<\/strong><\/h3>\n\n\n\n
Cleafy researchers uncovered a scam in which attackers pose as your bank, talk you through installing a bogus \u201csecurity\u201d app, then persuade you to tap your contactless card to the phone\u2014at which point Android malware \u201cSuperCard X\u201d skims the data in real time and empties the account.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Kill\u2011chain: SMS \u279c call\u2011centre \u279c sideloaded APK \u279c card tap \u279c instant drain.<\/li>\n\n\n\n
- The malware is sold as a service on Telegram for about \u20ac1,200 a month, complete with dashboards for affiliates. <\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Block sideloading via MDM; enforce Play Protect.<\/li>\n\n\n\n
- Educate: banks never request card taps to phones.<\/li>\n<\/ul>\n\n\n\n
Read more from The Record<\/a> <\/strong><\/p>\n\n\n\n
7. North Korean Operatives Use Deepfakes in IT Job Interviews<\/strong><\/h3>\n\n\n\n
Unit\u202f42 shows DPRK IT workers using real\u2011time deepfakes to secure remote jobs and infiltrate networks.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Building a convincing synthetic identity takes ~70\u202fminutes with free tools.<\/li>\n\n\n\n
- One operator can interview repeatedly under different personas.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Record interviews; watch for lip\u2011sync and lighting artifacts.<\/li>\n\n\n\n
- Run document\u2011to\u2011face ID checks pre\u2011hire.<\/li>\n\n\n\n
- Log applicant IPs\/phone numbers to flag anonymizers.<\/li>\n<\/ul>\n\n\n\n
Read more from Dark Reading<\/a><\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
8. Kubernetes Pods Are Inheriting Too Many Permissions<\/strong><\/h3>\n\n\n\n
Dark Reading reports that default cloud\u2011provider IAM lets pods inherit node\u2011level rights, enabling lateral movement<\/strong>.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- AKS, EKS, and GKE are all affected; attackers can escalate via over\u2011privileged service accounts.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Enable GKE Workload Identity \/ EKS IRSA \/ AKS managed identities.<\/li>\n\n\n\n
- Restrict RBAC; avoid wild\u2011card roles.<\/li>\n\n\n\n
- Scan for pods running privileged or hostNetwork=true.<\/li>\n<\/ul>\n\n\n\n
Read more from Dark Reading<\/a><\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
9. Android Phones Shipped With Pre-Downloaded Malware Targeting Crypto Wallets<\/strong><\/h3>\n\n\n\n
Dark Reading cites Doctor Web: budget Android phones ship with pre\u2011loaded malware that steals crypto by hijacking wallet addresses.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- At least 300\u202fk devices sold in SE Asia carry the Trojan; it activates when popular wallet apps are installed.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Advise staff to avoid off\u2011brand phones; use hardware wallets.<\/li>\n\n\n\n
- Block registration of unknown OEM device IDs via MDM.<\/li>\n\n\n\n
- Re\u2011flash affected phones with clean ROMs or decommission them if you really need to use them.<\/li>\n<\/ul>\n\n\n\n
Read more Dark Reading<\/a><\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
10. CVE Program Budget Cuts Rattle Cybersecurity Sector<\/strong><\/h3>\n\n\n\n
Context<\/strong>: A proposed 40 % budget cut nearly shut down the 25-year-old CVE Program on 16 April 2025. After a loud industry backlash, CISA signed an 11-month bridge contract<\/strong> with MITRE and endorsed a newly formed CVE Foundation<\/strong> to take the project independent.<\/pre>\n\n\n\nRead more from Dark Reading<\/a><\/strong> <\/p>\n\n\n\n
<\/p>\n\n\n\n
11. WhatsApp\u2019s New Advanced Chat Privacy Feature to Protect Sensitive Conversations<\/strong>
<\/strong><\/h3>\n\n\n\nContext<\/strong>: WhatsApp now lets users lock specific chats behind an extra passcode and hides previews.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Rollout began 24 \u202fApril \u202f2025 on Android and iOS<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Note: screenshots remain possible<\/li>\n\n\n\n
- Update WhatsApp<\/li>\n\n\n\n
- Require latest WhatsApp on BYOD via MDM if WhatsApp is used for bussiness and has internal or confidential data.<\/li>\n<\/ul>\n\n\n\n
Read more from Cyber Security News<\/a> <\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
12. The Shadow\u2011AI Surge: Study Finds 50% of Workers Use Unapproved AI Tools<\/strong><\/h3>\n\n\n\n
Context<\/strong>: CyberArk survey: half of employees paste sensitive data into consumer AI tools without sign\u2011off.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- 36\u202f% admitted pasting source code; 26\u202f% shared customer data.<\/li>\n\n\n\n
- Only 22\u202f% of orgs have formal AI\u2011usage policies.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Draft AI\u2011acceptable\u2011use policy; block risky domains. You can download free simple ai use policy from us here.<\/li>\n\n\n\n
- Offer a logged, sanctioned GPTs.<\/li>\n<\/ul>\n\n\n\n
Read more from Security Week <\/a><\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
13. Google Drops Cookie Prompt in Chrome, Adds IP Protection to Incognito<\/strong><\/h3>\n\n\n\n
Context<\/strong>: Google killed the idea of a pop-up that would have asked every Chrome user to allow or block third-party cookies, but the wider cookie phase-out is only delayed (pending U.K. regulator approval), and Chrome will instead test **IP Protection**<\/strong>\u2014a two-hop proxy relay (Google + Cloudflare) that hides Incognito users\u2019 IP addresses from trackers\u2014starting in Canary builds in May 2025, with stable release no earlier than July.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- Decision comes after Google scrapped its new cookie-consent prompt and postponed broader cookie deprecation to avoid breaking ad-tech workflows.<\/li>\n\n\n\n
- IP Protection masks users\u2019 addresses via a double proxy run by Cloudflare and Google; enterprises can disable it and it is off by default in managed Chrome.<\/li>\n\n\n\n
- Move helps satisfy EU Digital Markets Act privacy expectations without completely overhauling web-tracking economics.<\/li>\n<\/ul>\n\n\n\n
Read more from the Hacker News <\/a><\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
14. Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials<\/strong><\/h3>\n\n\n\n
Context<\/strong>: Until Google closed the loophole on 22 Apr 2025<\/strong>, attackers were grabbing a *legitimate*<\/em> Google-signed email, replaying the same DKIM signature on a doctored message, and pointing users to credential-harvest pages hosted on Sites.google.com\u2014so every message looked 100 % authentic to mail filters.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- How the trick works:<\/strong> the gang captures a real no-reply@google.com message, swaps out the body and From-name inside a Google OAuth app, then replays the signed headers; DKIM and DMARC still pass because the signature matches the original hash.<\/li>\n\n\n\n
- Why it lands:<\/strong> security tools trust both the DKIM signature ja<\/strong> the sites.google.com domain hosting the fake login page, so the mail bypasses most enterprise gateways.<\/li>\n\n\n\n
- Who was hit:<\/strong> campaigns focused on finance teams and SaaS help-desk inboxes, aiming to reuse cloud creds in BEC and payroll-diversion fraud.<\/li>\n<\/ul>\n\n\n\n
Read more from The Hacker News<\/a><\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
15. Gartner: 85 % of CEOs now view cybersecurity as a growth driver<\/strong><\/h3>\n\n\n\n
Context<\/strong>: Gartner\u2019s 2025 CEO & Senior Executive Survey<\/strong> (\u2248 450 global leaders) shows cybersecurity has shifted from cost centre to strategic enabler of revenue expansion and new-market entry.<\/pre>\n\n\n\nKey Details<\/strong><\/p>\n\n\n\n
\n
- 85 %<\/strong> of CEOs say robust security is *critical for business growth*<\/em> and competitive differentiation.<\/li>\n\n\n\n
- Risk back on the agenda:<\/strong> \u201centerprise risk\u201d returned to CEOs\u2019 top-10 priorities for the first time since 2017, driven by cyber-threats and regulation.<\/li>\n\n\n\n
- Leadership anxiety:<\/strong> 45 % admit they would not feel comfortable defending a breach to the media, highlighting reputational stakes.<\/li>\n\n\n\n
- AI double-edge:<\/strong> executives see AI as both a growth lever and a source of new attack surface, increasing demand for mature security programs.<\/li>\n<\/ul>\n\n\n\n
Next Steps<\/strong><\/p>\n\n\n\n
\n
- Link security KPIs to growth metrics<\/strong> (faster product launches, quicker market entry) when pitching budgets.<\/li>\n<\/ul>\n\n\n\n
\n
- Rehearse breach-response messaging<\/strong> so leaders can confidently address incidents with press and regulators.<\/li>\n<\/ul>\n\n\n\n