{"id":19317,"date":"2025-05-09T09:54:05","date_gmt":"2025-05-09T07:54:05","guid":{"rendered":"https:\/\/kordon.app\/?p=19317"},"modified":"2025-07-17T09:53:10","modified_gmt":"2025-07-17T07:53:10","slug":"18-cyber-security-news-worth-your-attention-in-first-week-of-may","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/18-cyber-security-news-worth-your-attention-in-first-week-of-may\/","title":{"rendered":"18 Cyber Security News Worth Your Attention in First Week of May"},"content":{"rendered":"\r\n<p>Fourth week in a row, I spent hours going through 20+ different cyber security news sources to find <strong>the most interesting articles from last week so you can quickly catch up on only the most interesting cyber news.<\/strong><\/p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>1. Germany Most Targeted Country in Q1 2025 DDoS Attacks<\/strong><\/h2>\r\n\r\n\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\n<strong>DDoS attacks surged 358% year-over-year in early 2025,<\/strong> with Germany facing the brunt of global activity. While attackers increasingly rely on short, high-volume bursts to overwhelm systems, many organizations still lack the automated defenses needed to respond in time. 
The report also highlights a growing mix of motivations behind DDoS attacks\u2014including competitors, insiders, and state-backed actors.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Germany was the most targeted country, followed by Turkey and China.<\/li>\r\n<li>Most attacks were under 10 minutes long and smaller than 1 Gbps\u2014but still effective when defenses weren\u2019t always-on.<\/li>\r\n<li>Cloudflare blocked over 700 hyper-volumetric attacks in Q1 alone, including one peaking at 4.8 Bpps.<\/li>\r\n<li>Attacker motivations varied: 39% cited competitive disruption, with additional threats from insiders and nation-state actors.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Prioritize automated DDoS mitigation<\/strong>: Brief, high-speed attacks can succeed if defenses aren\u2019t always on.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/hackread.com\/germany-most-targeted-country-q1-2025-ddos-attacks\/\" target=\"_blank\" rel=\"noopener\">HackRead<\/a><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>2. Breach of Government-Modified Signal App Exposes Risks of Archiving Compliance Tools<\/strong><\/h2>\r\n\r\n\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\n<strong>A hacker breached TM SGNL, a compliance-focused, modified version of Signal used by U.S. government officials<\/strong> and built by Israeli-American firm TeleMessage. <strong>The attacker accessed archived plaintext messages, admin credentials, and contact data<\/strong>\u2014exposing the risks of modifying end-to-end encrypted apps to meet government retention requirements. The app\u2019s design decrypted and stored messages on cloud infrastructure, bypassing Signal\u2019s security guarantees. 
The breach raises broader concerns about how government agencies adapt consumer secure apps for official use.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>The hacker claimed to access TeleMessage\u2019s backend in under 20 minutes<\/strong> and leaked messages, credentials, and screenshots.<\/li>\r\n<li><strong>Exposed data<\/strong> included contact information tied to CBP, Coinbase, and U.S. financial institutions\u2014but <strong>not Trump cabinet officials<\/strong> themselves.<\/li>\r\n<li>Security flaws included <strong>hardcoded credentials and the storage of decrypted messages on an AWS server.<\/strong><\/li>\r\n<li>TM SGNL was removed from TeleMessage\u2019s website, and the service has been suspended following the breach.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/hackread.com\/telemessage-hack-exposes-modified-signal-app-data\/\" target=\"_blank\" rel=\"noopener\">HackRead<\/a> and <a href=\"https:\/\/www.404media.co\/the-signal-clone-the-trump-admin-uses-was-hacked\/\" target=\"_blank\" rel=\"noopener\">404 Media<\/a><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>3. ClickFix Malware Uses Fake Prompts and CAPTCHAs to Trick Users Into Running Payloads<\/strong><\/h2>\r\n\r\n\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nClickFix is a growing <strong>malware technique that disguises itself behind everyday interface elements like CAPTCHA forms, login prompts, or fake software activations.<\/strong> It waits for users to perform what seems like a routine action\u2014then quietly executes a PowerShell script or drops a payload. 
The approach is highly evasive because the malware activates only after real human interaction, making it difficult for traditional automated scanners to detect.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>ClickFix typically hides behind pop-ups, fake account verifications, or browser security warnings, waiting for the user to click or paste a command.<\/li>\r\n<li>ANY.RUN sandbox testing showed how <strong>clicking a fake CAPTCHA led to execution of a malicious PowerShell script via Windows Run.<\/strong><\/li>\r\n<li><strong>The malware delays action<\/strong> until interaction occurs, avoiding detection by static or passive scanning tools.<\/li>\r\n<li>Popular lures include \u201cverify your account,\u201d \u201cfix your system,\u201d or \u201cactivate your trial,\u201d all guiding the user to manually trigger the infection.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/hackread.com\/clickfix-scam-how-to-protect-business-againt-threat\/\" target=\"_blank\" rel=\"noopener\">HackRead<\/a><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>4. OttoKit WordPress Plugin Exploited to Gain Admin Access<\/strong><\/h2>\r\n<blockquote>\r\n<p><strong>Update \u2013 July 14, 2025:<br \/><\/strong><em>OttoKit has clarified that there is no evidence of real-world exploitation related to CVE-2025-27007 or CVE-2025-3102. The issue was responsibly reported, patched within hours, and users were force-updated to version 1.0.83. 
You can read the\u00a0<\/em><a href=\"https:\/\/h1.pxl-mailtracker.com\/link\/U2d5c1MydVZlQ05CSWQyS1NoRU5SbnhFZ0VleDZTRlhrR1FxTzRXOEZTQjZhVE9CTlFtamczVUwrdmRkbFMwUDg0NXgrdUtoQjJBak9MUkdwNHd5U2c9PS0tRmY1RUt3UlR2cmVaeUNDK3pYdkJZUT09--01f55af5130ced1b1f26a88da749eb5a98a2bd2a\/88258ba600a647d95013a0be4a439e476fe39fbe\" target=\"_blank\" rel=\"noreferrer noopener\"><em>full official statement here<\/em><\/a><em>.<\/em><\/p>\r\n<\/blockquote>\r\n\r\n\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nTwo critical vulnerabilities in <strong>OttoKit (formerly SureTriggers)\u2014a WordPress automation plugin with over 100,000 installs<\/strong>\u2014have come under active exploitation. Attackers are using a logic flaw in the plugin\u2019s authentication process to create unauthorized admin accounts. One of the bugs allows unauthenticated users to forge a connection with the site, then elevate privileges through the API. These exploits highlight how plugin misconfigurations can silently undermine WordPress site security at scale.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>CVE-2025-27007<\/strong> (CVSS 9.8): Lets attackers forge application connections without proper auth checks, leading to privilege escalation.<\/li>\r\n<li><strong>CVE-2025-3102<\/strong> (CVSS 8.1): Another API-related flaw that attackers are chaining with CVE-2025-27007 to take control of admin functions.<\/li>\r\n<li>Attacks were observed just 91 minutes after public disclosure, suggesting bots are scanning for targets en masse.<\/li>\r\n<li>Wordfence and <a href=\"https:\/\/patchstack.com\" target=\"_blank\" rel=\"noopener\">Patchstack<\/a> confirmed active exploitation and recommend immediate patching to version 1.0.83 or later.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Update OttoKit immediately<\/strong>: All sites running 
versions \u2264 1.0.82 are at risk of full compromise.<\/li>\r\n<li><strong>Audit admin accounts<\/strong>: Check for suspicious users created recently via automation or unknown IPs.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/thehackernews.com\/2025\/05\/ottokit-wordpress-plugin-with-100k.html\" target=\"_blank\" rel=\"noopener\">The Hacker News<\/a><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>5. Trump Picks Private Sector Cybersecurity Veteran for Pentagon CIO Role<\/strong><\/h2>\r\n\r\n\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\n<strong>President Trump has nominated Kirsten Davies\u2014a cybersecurity executive with experience at Unilever, Est\u00e9e Lauder, Barclays Africa, HP, and Siemens\u2014to serve as the Department of Defense\u2019s next Chief Information Officer.<\/strong> If confirmed, she would bring deep private-sector expertise to a role that has been vacant since June 2024, during a time when the Pentagon is pushing to modernize and accelerate software acquisition.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>The Pentagon CIO role was reinstated as a Senate-confirmable position in 2019<\/strong> but has seen gaps in permanent leadership.<\/li>\r\n<li>The nomination comes as the Pentagon rolls out its <strong>\u201cSWIFT\u201d program to overhaul software procurement frameworks.<\/strong><\/li>\r\n<li>Defense Secretary Pete Hegseth has pushed for faster, tech-forward modernization across the DoD.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/therecord.media\/trump-picks-private-sector-veteran-for-dod-cio-position\" target=\"_blank\" rel=\"noopener\">The Record<\/a><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>6. 
Scam Campaign Abuses X\/Twitter Ad Loophole to Impersonate CNN and Promote Fake Apple Crypto\u00a0<\/strong><\/h2>\r\n\r\n\r\n\r\n<figure id=\"attachment_19319\" aria-describedby=\"caption-attachment-19319\" style=\"width: 665px\" class=\"wp-caption alignnone\"><img fetchpriority=\"high\" decoding=\"async\" class=\"size-full wp-image-19319\" src=\"https:\/\/kordon.app\/wp-content\/uploads\/2025\/05\/x-twit-apple-ad-image-1.webp\" alt=\"\" width=\"665\" height=\"715\" srcset=\"https:\/\/kordon.app\/wp-content\/uploads\/2025\/05\/x-twit-apple-ad-image-1.webp 665w, https:\/\/kordon.app\/wp-content\/uploads\/2025\/05\/x-twit-apple-ad-image-1-558x600.webp 558w, https:\/\/kordon.app\/wp-content\/uploads\/2025\/05\/x-twit-apple-ad-image-1-83x88.webp 83w, https:\/\/kordon.app\/wp-content\/uploads\/2025\/05\/x-twit-apple-ad-image-1-85x90.webp 85w, https:\/\/kordon.app\/wp-content\/uploads\/2025\/05\/x-twit-apple-ad-image-1-11x12.webp 11w\" sizes=\"(max-width: 665px) 100vw, 665px\" \/><figcaption id=\"caption-attachment-19319\" class=\"wp-caption-text\">Image by Silent Push<\/figcaption><\/figure>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nThreat actors exploited a loophole in X\/Twitter\u2019s ad system to display \u201cFrom CNN.com\u201d on scam ads promoting a fake Apple \u201ciToken\u201d cryptocurrency. 
<strong>By manipulating how Twitter\u2019s bot processes redirect metadata, the attackers made scam ads appear legitimate while sending users to phishing sites designed to steal crypto funds.<\/strong> Silent Push analysts found the campaign is part of a broader infrastructure involving at least 90 spoofed domains and reused design elements\u2014suggesting it\u2019s a scalable, ongoing operation likely to reappear under different names.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Attackers used Twitter\u2019s preview system and URL shorteners (e.g., Bitly) to make ads appear as if they linked to CNN.com,<\/strong> while secretly redirecting to domains like ipresale[.]world and itokensale[.]live.<\/li>\r\n<li><strong>The scam pages used Apple branding, fake quotes from Tim Cook, and a dashboard prompting users to register and buy \u201ciTokens.\u201d<\/strong><\/li>\r\n<li><strong>Silent Push identified over 90 related domains<\/strong> using shared CSS, favicons, and redirect paths, many hosted via Hetzner and Cloudflare.<\/li>\r\n<li>Wallet addresses were set up to accept dozens of cryptocurrencies, including Bitcoin, ETH, XRP, USDT, and others\u2014none of which are recoverable if funds are sent.<\/li>\r\n<li>The campaign reused infrastructure across multiple waves, showing signs of rapid redeployment under new domain names.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Warn users not to trust \u201cFrom\u201d labels in social media ads<\/strong>: These can be spoofed using preview metadata tricks.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.silentpush.com\/blog\/x-twitter-ad-scam\/\" target=\"_blank\" rel=\"noopener\">Silent Push<\/a> and <a href=\"https:\/\/cybersecuritynews.com\/new-attack-exploiting-x-twitter-advertising\/\" target=\"_blank\" rel=\"noopener\">CyberSecurity 
News<\/a><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>7. Ransomware Attacks on Food and Agriculture Sector Double in 2025<\/strong><\/h2>\r\n\r\n\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\n<strong>Ransomware attacks on the food and agriculture industry more than doubled in Q1 2025<\/strong>, with 84 incidents reported versus just 39 in the same period last year. Experts attribute the surge to opportunistic targeting by groups like Clop, Akira, and RansomHub, and warn that the real number is likely higher due to underreporting. <strong>The sector\u2019s widespread legacy systems, lack of visibility, and tight supply chains make it an appealing target for both criminal and state-aligned threat actors.<\/strong><\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>The group Clop was responsible<\/strong> for a large share of Q1 attacks, but other groups continued targeting the sector even after Clop\u2019s activity slowed.<\/li>\r\n<li>High-profile incidents include attacks on a South African poultry producer (costing $1 million) and Siberia\u2019s largest dairy plant.<\/li>\r\n<li>Food and Ag-ISAC\u2019s Braley said <strong>ransomware now accounts for 53% of all attacks on the sector<\/strong>, but many incidents remain unreported.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/therecord.media\/ransomware-attacks-food-and-ag-double-2025\" target=\"_blank\" rel=\"noopener\">The Record<\/a><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>8. \u201cBring Your Own Installer\u201d Exploit Bypasses SentinelOne EDR via Upgrade Interruption<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nResearchers at Aon\u2019s Stroz Friedberg uncovered a technique that allows attackers to <strong>bypass SentinelOne\u2019s EDR by exploiting its local upgrade process<\/strong>. 
By carefully timing the interruption of the upgrade\u2014after old protection is stopped but before the new version starts\u2014attackers can leave a system temporarily unprotected. This window allows malware like ransomware to be deployed undetected. SentinelOne has since released updated guidance and mitigation steps to prevent the attack, but the flaw highlights how endpoint tools can be vulnerable to logic abuse even without traditional exploits.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>The attack relies on running a different SentinelOne installer version locally, then killing the installer process during the 50\u201360 second \u201cno protection\u201d window between uninstall and reinstall.<\/strong><\/li>\r\n<li>This technique does not require exploiting the anti-tamper code; it only needs local admin access and a misconfigured policy.<\/li>\r\n<li>Stroz Friedberg used the technique in lab conditions to deploy a Babuk ransomware variant during the exposed window.<\/li>\r\n<li>SentinelOne has introduced a <strong>\u201cLocal Upgrade Authorization\u201d toggle<\/strong> to block such behavior and has enabled it by default for new customers.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Enable the Local Upgrade Authorization setting<\/strong> in SentinelOne to prevent local upgrade\/downgrade attempts.<\/li>\r\n<li><strong>Audit endpoint policies<\/strong> for misconfigurations that allow local agent changes without central approval.<\/li>\r\n<li><strong>Review detection strategies for agent downtime periods<\/strong>\u2014even temporary gaps can be exploited.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.aon.com\/en\/insights\/cyber-labs\/bring-your-own-installer-bypassing-sentinelone\" target=\"_blank\" rel=\"noopener\">Aon<\/a> and <a 
href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/bring-your-own-installer-attack-sentinelone-edr\" target=\"_blank\" rel=\"noopener\">Dark Reading<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>9. Email-Based Attacks Dominate Cyber Insurance Claims as Ransomware Stabilizes<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nAccording to Coalition\u2019s 2025 Cyber Claims Report,<strong> 60% of all claims in 2024 were caused by business email compromise (BEC) and funds transfer fraud (FTF)\u2014far surpassing ransomware in volume.<\/strong> While ransomware remains the most costly attack type, its frequency and severity slightly declined. Meanwhile, BEC losses increased 23%, driven by rising legal and response costs. The report underscores the growing financial toll of email-based social engineering, even as ransomware continues to evolve in sophistication.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Average BEC loss: $35,000; average FTF loss: $185,000; average ransomware loss: $292,000.<\/li>\r\n<li>29% of BEC incidents also resulted in FTF attacks, often involving spoofed emails from vendors or executives.<\/li>\r\n<li><strong>Ransomware claims dropped 3% in frequency and 7% in severity;<\/strong> Akira was the most common variant, while Black Basta had the highest average demand ($4M).<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Prioritize protection against BEC and FTF attacks<\/strong>: Invest in email security, MFA, and employee awareness to mitigate socially engineered fraud.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.darkreading.com\/cyber-risk\/email-based-attacks-cyber-insurance-claims\" target=\"_blank\" rel=\"noopener\">Dark Reading<\/a> and 
<a href=\"https:\/\/www.coalitioninc.com\/announcements\/2025-cyber-claims-report\" target=\"_blank\" rel=\"noopener\">Coalition<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>10. Trump Administration Proposes $491M Cut to CISA Budget<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nThe Trump administration has proposed slashing nearly half a billion dollars from the Cybersecurity and Infrastructure Security Agency (CISA) budget, <strong>a 17% reduction aimed at \u201crefocusing\u201d the agency on its core mission of cyber defense<\/strong>. <strong>The proposed cuts would eliminate programs tied to misinformation, international engagement, and public outreach \u2014 which the administration claims are \u201cwasteful\u201d or politically biased.<\/strong> Critics warn that dismantling these functions could severely undermine national cybersecurity, especially during an election year and amid rising global threats.<\/pre>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.securityweek.com\/white-house-proposal-slashes-half-billion-from-cisa-budget\/\" target=\"_blank\" rel=\"noopener\">SecurityWeek<\/a>, <a href=\"https:\/\/nationalcioreview.com\/articles-insights\/extra-bytes\/cisa-faces-17-funding-reduction-under-federal-spending-plan\/\" target=\"_blank\" rel=\"noopener\">National CIO Review<\/a>, and <a href=\"https:\/\/siliconangle.com\/2025\/05\/04\/trump-administration-proposes-491m-cut-cisa-2026-budget-plan\/\" target=\"_blank\" rel=\"noopener\">SiliconANGLE<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>11. 
California Fines Retailer for Blocking Opt-Outs Under Privacy Law<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nThe California Privacy Protection Agency (CPPA) has fined <strong>menswear retailer Todd Snyder Inc. $345,000 for violating state privacy law by blocking consumer opt-out requests and demanding excessive personal information.<\/strong> The agency said the company\u2019s flawed privacy portal and misconfigured backend prevented users from exercising their right to stop the sale or sharing of personal data\u2014highlighting how poor technical implementation can turn into legal liability under the CCPA and CPRA.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>The company was found to require more personal data than necessary to process opt-out requests, a direct violation of California privacy rules.<\/li>\r\n<\/ul>\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Audit your privacy request flow<\/strong>: Ensure consumers can exercise opt-out rights without unnecessary friction or data demands.<\/li>\r\n<li><strong>Align technical infrastructure with legal intent<\/strong>: A misconfigured form or backend can lead to enforcement action.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/therecord.media\/california-fines-clothing-retailer-privacy\" target=\"_blank\" rel=\"noopener\">The Record<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>12. Fake Resum\u00e9s Target HR Teams With Updated More_eggs Malware<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nA new spear phishing campaign is targeting HR staff with <strong>fake job applications that deliver an upgraded version of the More_eggs backdoor<\/strong>. 
Sent via job platforms or messaging services, the campaign <strong>tricks recruiters into downloading malicious ZIP files disguised as resum\u00e9s.<\/strong> These files exploit a temporary lapse in vigilance to install polymorphic malware that evades sandboxing, then launches a stealthy backdoor for credential theft and further compromise.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>The attack uses a .LNK file disguised in a ZIP, along with a decoy image, and relies on user interaction (e.g. clicking a CAPTCHA).<\/li>\r\n<li>Server-side polymorphism ensures each download is unique, helping evade static detection.<\/li>\r\n<li>The malicious code uses legitimate Windows tools like <code>ie4uinit.exe<\/code> for execution, distracting the user with WordPad while launching the backdoor.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Train HR staff to be cautious with resum\u00e9s<\/strong>, especially ZIPs, .LNK, VBS, or ISO file types\u2014even if they include a password.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.csoonline.com\/article\/3977803\/fake-resumes-targeting-hr-managers-now-come-with-updated-backdoor.html\" target=\"_blank\" rel=\"noopener\">CSO Online<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>13. M&amp;S, Co-op, and Harrods All Hit by Cyber Incidents<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\n<strong>Three of the UK\u2019s best-known retailers\u2014Marks &amp; Spencer, the Co-op, and Harrods\u2014have suffered cyber incidents within the same two-week period,<\/strong> causing payment issues, online order disruptions, and internal system lockdowns. 
While <strong>the incidents haven\u2019t been officially linked,<\/strong> analysts suggest possible shared supplier compromise or increased sector-wide threat activity. M&amp;S\u2019s incident alone may cost the company \u00a330M in profit, highlighting just how quickly operational disruptions can turn into major financial losses in retail.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>M&amp;S<\/strong> was hit around <strong>April 22<\/strong>, leading to contactless payment issues, paused Click &amp; Collect, and halted web\/app orders. Empty shelves and system outages followed.<\/li>\r\n<li>Analysts suggest Scattered Spider may be behind the M&amp;S breach, which impacted store operations and remote work access.<\/li>\r\n<li><strong>Co-op<\/strong> confirmed a cyberattack on <strong>April 30<\/strong>, shutting down parts of its IT systems. <strong>Staff were told to remain on camera and avoid posting sensitive info in Teams.<\/strong><\/li>\r\n<li><strong>Harrods<\/strong> reported an attempted breach on <strong>May 1<\/strong> and restricted internet access across its sites as a precaution. Stores remained open.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/cybermagazine.com\/cyber-security\/cyber-hits-uk-retail-m-s-co-op-harrods-targeted\" target=\"_blank\" rel=\"noopener\">Cyber Magazine<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>14. The Most Interesting Cybersecurity Product Launches from RSA 2025<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nAI dominated RSA 2025, where nearly every major cybersecurity vendor showcased how artificial intelligence is reshaping threat detection, response, and automation. 
From LLM firewalls to autonomous SOC agents and smarter identity protection, vendors are embedding AI deeper into their platforms\u2014not just for alerts, but for action. Here are the standout launches security leaders should know about.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Product Announcements<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Palo Alto Networks \u2013 Prisma AIRS<\/strong>: Enhanced by the acquisition of Protect AI, this platform adds AI-powered detection and response to protect AI infrastructure itself. Also announced Cortex XSIAM 3.0 for next-gen SOC automation.<\/li>\r\n<li><strong>Cisco \u2013 Foundation AI Security Model<\/strong>: An open-source initiative to standardize safe AI deployment practices. Also added agentic AI and automated attack verification to Splunk and XDR products.<\/li>\r\n<li><strong>ServiceNow \u2013 AI Security Operations<\/strong>: Real-time, AI-powered incident response tools integrated with Cisco infrastructure. Aimed at speeding up resolution through collaborative AI agents.<\/li>\r\n<li><strong>CrowdStrike \u2013 Falcon Privileged Access<\/strong>: Identity-focused access protection module built into the Falcon suite, plus automation upgrades to Falcon SIEM and Charlotte AI for faster identity threat detection.<\/li>\r\n<li><strong>Check Point + Illumio \u2013 Smart Cyber Defense Platform<\/strong>: Combines threat prevention with Illumio\u2019s microsegmentation to boost Zero Trust and contain breaches before they spread.<\/li>\r\n<li><strong>Armis \u2013 Centrix Platform + Vulnerability Intelligence DB<\/strong>: Delivers unified attack surface visibility and real-time risk insights, plus a new database to help prioritize vulnerability remediation.<\/li>\r\n<li><strong>SentinelOne \u2013 Purple AI Athena<\/strong>: An autonomous SOC agent that mimics analyst reasoning to investigate and remediate threats in real time.<\/li>\r\n<li><strong>Darktrace \u2013 Cyber AI Analyst 
Upgrades<\/strong>: Introduced new LLM-trained AI models to enhance investigation accuracy and reduce SOC workload. Claims 90M automated investigations in 2024.<\/li>\r\n<li><strong>Huntress \u2013 ITDR &amp; SIEM Expansion<\/strong>: New features for detecting credential abuse (e.g. malicious OAuth apps and inbox rules) and a fully managed SIEM with 20+ integrations.<\/li>\r\n<li><strong>Abnormal AI \u2013 AI Phishing Coach &amp; Data Analyst<\/strong>: AI agents for personalized phishing awareness training and transforming raw security data into actionable insights.<\/li>\r\n<li><strong>Fortinet \u2013 Enhanced FortiAI<\/strong>: FortiAI\u2019s updated version integrates AI across the Fortinet Security Fabric to stop advanced threats and support secure AI adoption.<\/li>\r\n<li><strong>Akamai \u2013 Firewall for AI<\/strong>: A new firewall designed specifically for LLMs and AI apps, blocking prompt injection, data leaks, and malicious outputs in hybrid environments.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.csoonline.com\/article\/3976416\/top-cybersecurity-products-showcased-at-rsa-2025.html\" target=\"_blank\" rel=\"noopener\">CSO Online<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>15. Why CISOs Need Wartime Contingency Planning on the 2025 Agenda<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nAmid escalating global tensions\u2014from Ukraine to South Asia\u2014CISOs and C-suite leaders are being urged to treat war planning as an operational necessity, not just a government concern. 
<strong>In the UK, Prime Minister Keir Starmer ordered a review of national contingency plans to prepare for the possibility of \u201cfull-out war,\u201d signaling that wartime disruption is now a leadership-level consideration.<\/strong> Organizations are being advised to assess exposure to geopolitical hotspots, refresh crisis playbooks, and prepare for infrastructure disruption and workforce loss in regions that support global operations.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>RSA speakers Tom Cross and Greg Conti urged tech companies to create formal \u201cwar plans,\u201d as a great power conflict is no longer an abstract threat.<\/li>\r\n<li>The India-Pakistan escalation and Starmer\u2019s call to update UK contingency plans prompted renewed attention to outdated corporate playbooks.<\/li>\r\n<li>Conflict zones like India and Pakistan house critical IT services, and population displacement could trigger infrastructure breakdowns and workforce disruption.<\/li>\r\n<li>NATO\u2019s Admiral Rob Bauer warned business decisions now carry strategic consequences and advised building secure, redundant infrastructure with wartime resilience in mind.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Review and modernize your contingency plans<\/strong>: Emergency response procedures should be updated at least annually\u2014not every decade.<\/li>\r\n<li><strong>Assess geopolitical exposure across third-party ecosystems<\/strong>: This includes outsourced operations, cloud regions, and at-risk vendor geographies.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.csoonline.com\/article\/3980419\/india-pakistan-conflict-underscores-your-c-suites-need-to-prepare-for-war.html\" target=\"_blank\" rel=\"noopener\">CSO Online<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>16. NATO\u2019s Locked Shields 2025 Simulates Massive Infrastructure Attacks<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nLocked Shields 2025\u2014hosted by NATO\u2019s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Estonia\u2014brought together <strong>4,000 cybersecurity professionals from 41 countries in the world\u2019s most complex live-fire cyber defense exercise.<\/strong> Teams were tasked with defending 8,000 virtual systems across military, telecom, and critical infrastructure scenarios, while also managing disinformation, legal challenges, and geopolitical pressure. The exercise reflects how blurred the lines have become between cyber war, crisis communications, and infrastructure resilience.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>17 blue teams participated,<strong> defending against thousands of coordinated attacks in a simulation environment<\/strong> managed by Estonia\u2019s CR14 Foundation.<\/li>\r\n<li><strong>This year\u2019s exercise added scenarios involving quantum computing, AI,<\/strong> and coordinated disinformation campaigns.<\/li>\r\n<li>Participants had to navigate legal, operational, and communications challenges\u2014testing full-spectrum cyber readiness.<\/li>\r\n<li>CCDCOE Director Mart Noorma called Locked Shields a training ground for defending both national networks and the \u201cessential services societies depend on.\u201d<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.securityweek.com\/41-countries-taking-part-in-natos-locked-shields-2025-cyber-defense-exercise\/\" target=\"_blank\" rel=\"noopener\">SecurityWeek<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>17. 
AI-Generated Victim Avatar Used in Road Rage Sentencing Raises Ethical Questions<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\n<strong>In a first-of-its-kind moment, an Arizona judge accepted a victim impact statement delivered by an AI-generated avatar of a man killed in a 2021 road rage shooting.<\/strong> Created by the victim\u2019s sister, the avatar of Christopher Pelkey <strong>was trained to look and sound like him and spoke words scripted by his family,<\/strong> including a direct message of forgiveness to the shooter. <strong>The judge was visibly moved and imposed the maximum sentence.<\/strong> The case highlights the emotional and ethical complexity of using AI in courtroom proceedings\u2014especially when speaking on behalf of the dead.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>The avatar was created using Stable Diffusion (with LoRA tuning) and voice cloning tools, and was clearly labeled as AI-generated.<\/li>\r\n<li>Its use was permitted under Arizona\u2019s victim rights laws, which let families choose the format of impact statements.<\/li>\r\n<li>The video combined real clips of Pelkey with the AI-generated likeness delivering a scripted message to the court and to the shooter, Gabriel Horcasitas.<\/li>\r\n<li>While the judge praised the emotional impact of the message, some experts and observers raised concerns about whether it was appropriate to \u201cput words in a dead man\u2019s mouth.\u201d<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read more on <a href=\"https:\/\/www.404media.co\/i-loved-that-ai-judge-moved-by-ai-generated-avatar-of-man-killed-in-road-rage-incident\/\" target=\"_blank\" rel=\"noopener\">404 Media<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>18. 
JPMorgan\u2019s Open Letter to SaaS Providers: Security Must Come Before Features<\/strong><\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-verse\"><strong>Summary<\/strong>\r\nIn a rare public letter, JPMorgan Chase CISO Patrick Opet <strong>called on SaaS and software vendors to radically rethink their security priorities.<\/strong> The letter warns that modern SaaS delivery models have created dangerous concentration risk and eroded traditional security boundaries\u2014leaving global infrastructure exposed to systemic failures. <strong>JPMorgan urges suppliers to stop prioritizing speed and features over built-in security,<\/strong> calling today\u2019s third-party integration models a \u201csingle-factor explicit trust\u201d architecture that attackers are actively exploiting.<\/pre>\r\n\r\n\r\n\r\n<p><strong>Key Details<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Modern SaaS integrations often blur internal\/external boundaries and rely on oversimplified OAuth-based trust, increasing the risk of abuse.<\/li>\r\n<li>The firm warns that compromised tools with \u201cread-only\u201d API access can escalate into full internal compromise due to flawed architectural assumptions.<\/li>\r\n<li><strong>Fourth-party dependencies and AI-powered integrations are amplifying this risk across<\/strong> sectors faster than security controls are evolving.<\/li>\r\n<li><strong>Suggested mitigations include<\/strong> confidential computing, customer self-hosting, and \u201cbring your own cloud\u201d deployments for greater isolation.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p><strong>Next Steps<\/strong><\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Push vendors for secure-by-default controls and transparency<\/strong>: Demand evidence of controls that go beyond annual compliance reports.<\/li>\r\n<li><strong>Start rejecting high-risk integration patterns<\/strong> unless stronger, verifiable alternatives (like policy isolation or confidential computing) are in place.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Read the full open letter on <a href=\"https:\/\/www.jpmorgan.com\/technology\/technology-blog\/open-letter-to-our-suppliers\" target=\"_blank\" rel=\"noopener\">JPMorgan<\/a><\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>","protected":false}}