Cybersecurity News Review - Week 19 (2025)
This week's cybersecurity update delivers news on high-profile hacks, critical vulnerabilities, and landmark legal decisions, highlighting both the evolving nature of digital threats and the security industry's response.
Cisco Patches 35 Vulnerabilities Across Several Products
Cisco has released patches for 35 vulnerabilities, including 26 in its semiannual IOS and IOS XE security advisory bundle. Among these is a critical arbitrary file upload flaw (CVE-2025-20188) in the Out-of-Band AP image download feature of IOS XE software. Other high-severity vulnerabilities could allow command injection, denial of service, or privilege escalation. Cisco also patched issues in Catalyst Center and Catalyst SD-WAN Manager, and updated the list of products affected by a critical Erlang/OTP SSH security defect. While no exploits have been reported in the wild, proof-of-concept code exists for two medium-severity issues. Users are urged to apply the available patches and workarounds promptly.
Windows Deployment Services Hit by 0-Click UDP Flaw Leading to System Failures
A critical pre-authentication DoS vulnerability has been discovered in Microsoft's Windows Deployment Services (WDS), allowing attackers to remotely crash enterprise systems using malicious UDP packets. This "0-click" flaw exploits WDS's lack of limits on connection requests, enabling attackers to exhaust server memory by triggering the creation of an unbounded number of CTftpSession objects. The vulnerability affects a wide range of organizations using WDS for network-based Windows OS deployment. In tests, a Windows Server with 8 GB of RAM crashed within 7 minutes when targeted. This discovery highlights the often-overlooked risks of memory exhaustion vulnerabilities in UDP-based services and emphasizes the need for improved memory management safeguards in enterprise IT infrastructure.
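The safeguard the item above calls for is, at bottom, a session table whose size is bounded regardless of how many requests arrive. The Go program below is an added illustration written for this review, not Microsoft code and not a description of WDS internals: the limits, the per-source cap, the idle timeout and the `Session` type are all assumptions chosen to show the pattern. It admits UDP session requests only while a hard total cap and a per-source cap both hold, reclaims idle sessions before allocating, and treats a repeated request for an existing session as a refresh rather than a new allocation.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Limits are assumptions chosen for this example, not WDS's own values.
const (
	MaxSessionsTotal   = 1000             // hard cap: bounds total memory no matter who sends
	MaxSessionsPerPeer = 8                // cap per source address
	SessionIdleTimeout = 30 * time.Second // sessions that go quiet are reclaimed
)

var (
	ErrTableFull = errors.New("session table full")
	ErrPeerLimit = errors.New("per-peer session limit reached")
)

// Session stands in for a per-transfer object such as the CTftpSession the
// article mentions; here it is deliberately tiny and constructed.
type Session struct {
	Peer     string
	LastSeen time.Time
}

// SessionTable admits new UDP sessions only while both caps hold.
type SessionTable struct {
	sessions map[string]*Session // keyed by peer + transfer ID
	perPeer  map[string]int
	now      func() time.Time // injectable clock so the demo is deterministic
}

func NewSessionTable(now func() time.Time) *SessionTable {
	return &SessionTable{sessions: map[string]*Session{}, perPeer: map[string]int{}, now: now}
}

// Open handles one session request. Idle sessions are reaped first, a repeat
// of an existing session refreshes instead of allocating, and a new object is
// created only if both caps allow. Refusing a request costs no memory.
func (t *SessionTable) Open(peer string, transferID uint16) error {
	t.reapIdle()
	key := fmt.Sprintf("%s#%d", peer, transferID)
	if s, ok := t.sessions[key]; ok {
		s.LastSeen = t.now()
		return nil
	}
	if len(t.sessions) >= MaxSessionsTotal {
		return ErrTableFull
	}
	if t.perPeer[peer] >= MaxSessionsPerPeer {
		return ErrPeerLimit
	}
	t.sessions[key] = &Session{Peer: peer, LastSeen: t.now()}
	t.perPeer[peer]++
	return nil
}

// reapIdle drops sessions that have been silent longer than the timeout.
func (t *SessionTable) reapIdle() {
	cutoff := t.now().Add(-SessionIdleTimeout)
	for key, s := range t.sessions {
		if s.LastSeen.Before(cutoff) {
			delete(t.sessions, key)
			t.perPeer[s.Peer]--
			if t.perPeer[s.Peer] == 0 {
				delete(t.perPeer, s.Peer)
			}
		}
	}
}

func (t *SessionTable) Len() int { return len(t.sessions) }

// SimulateFlood replays two constructed floods against the table and returns
// how many sessions each admitted, then how many survive once the idle
// timeout has elapsed.
func SimulateFlood() (oneSource, manySources, afterIdle int) {
	clock := time.Unix(1_700_000_000, 0)
	t := NewSessionTable(func() time.Time { return clock })
	// One address requesting 500 distinct transfers: stopped by the per-peer cap.
	for id := 0; id < 500; id++ {
		if t.Open("198.51.100.7", uint16(id)) == nil {
			oneSource++
		}
	}
	// 5000 distinct (constructed) addresses, one transfer each: stopped by the total cap.
	for i := 0; i < 5000; i++ {
		if t.Open(fmt.Sprintf("203.0.%d.%d", i/256, i%256), 1) == nil {
			manySources++
		}
	}
	// Once the timeout passes, the next request reaps everything idle.
	clock = clock.Add(SessionIdleTimeout + time.Second)
	_ = t.Open("192.0.2.1", 1)
	afterIdle = t.Len()
	return
}

func main() {
	a, b, c := SimulateFlood()
	fmt.Printf("one source admitted %d, many sources admitted %d, live after idle timeout %d\n", a, b, c)
}
```

The per-peer cap on its own is not enough for a UDP service, because source addresses in UDP datagrams can be spoofed; the hard total cap is what actually bounds memory, and the idle timeout is what lets legitimate clients back in after a burst.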
New "Bring Your Own Installer" EDR bypass used in ransomware attack
A new "Bring Your Own Installer" EDR bypass technique is used to exploit SentinelOne's tamper protection feature, allowing attackers to disable EDR agents and install ransomware. Discovered by Aon's Stroz Friedberg Incident Response team, this method abuses the SentinelOne installer itself during the agent upgrade process, terminating the EDR agent and leaving devices vulnerable. SentinelOne recommends enabling the "Online Authorization" setting to mitigate this risk. The technique was used in a real-world ransomware attack and works across multiple versions of the SentinelOne agent. SentinelOne has shared this information with customers and other EDR vendors to address potential vulnerabilities.
FBI: End-of-life routers hacked for cybercrime proxy networks
The FBI has issued a warning about threat actors using malware to convert end-of-life routers into proxies for the 5Socks and Anyproxy networks. These vulnerable devices, no longer receiving security updates, are being exploited to create residential proxy botnets used for malicious activities. Specific Linksys and Cisco router models are listed as common targets, with Chinese state-sponsored actors exploiting known vulnerabilities for espionage campaigns. The routers are often infected with a variant of the "TheMoon" malware, enabling their use as proxies for various cybercrimes. Signs of compromise include network disruptions, overheating, and unusual traffic. To mitigate risks, users are advised to replace old routers or apply the latest firmware updates, change default credentials, and disable remote administration.
WhatsApp provides no cryptographic management for group messages
WhatsApp group messaging lacks cryptographic management for adding members, creating a security weakness: server administrators, or an attacker who has compromised the servers, could add unauthorized users to group chats without any cryptographic verification by the existing members. While researchers gave WhatsApp's encryption a generally clean bill of health, this specific weakness means the server can add new members to groups with only a notification, which might go unnoticed in large groups. Unlike Signal, which implements "cryptographic group management" requiring administrator signatures for adding members, WhatsApp relies solely on unsigned messages to the server, so sensitive group communications are potentially vulnerable to interception. Such an attack would likely only be attempted in high-stakes scenarios involving government officials or other high-value targets.
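The difference between the two designs is easiest to see with the messages themselves. The Go program below is an added example written for this review; it is not WhatsApp or Signal code and its message layout, field names, epoch rule and key distribution (each member pins the admin's public key on joining) are assumptions. It compares a member that accepts unsigned membership changes from the server with a member that requires an Ed25519 signature from the group admin over the exact change, and shows that the second rejects both a server-injected add and a legitimately signed add whose payload the server altered in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// MembershipChange is a constructed "add member" message. The field names and
// byte layout are assumptions for this example, not any real wire format.
type MembershipChange struct {
	GroupID   string
	Epoch     uint64 // group state counter; each accepted change advances it by one
	NewMember string
	AdminSig  []byte // Ed25519 signature over Encode(); empty when unsigned
}

// Encode produces length-prefixed bytes covering every field, so nothing can
// be altered or reordered without invalidating the signature.
func (m MembershipChange) Encode() []byte {
	var epoch [8]byte
	binary.BigEndian.PutUint64(epoch[:], m.Epoch)
	buf := appendField(nil, []byte(m.GroupID))
	buf = append(buf, epoch[:]...)
	return appendField(buf, []byte(m.NewMember))
}

func appendField(buf, field []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(field)))
	return append(append(buf, n[:]...), field...)
}

// GroupState is one member's local view of the group.
type GroupState struct {
	GroupID  string
	AdminPub ed25519.PublicKey // pinned when the member joined (assumed distribution)
	Epoch    uint64
	Members  map[string]bool
}

// ApplyUnsigned models the weaker design: whoever can deliver a message to the
// member, including the server relaying it, can add anyone.
func (g *GroupState) ApplyUnsigned(m MembershipChange) error {
	if m.GroupID != g.GroupID {
		return errors.New("message is for a different group")
	}
	g.Members[m.NewMember] = true
	g.Epoch = m.Epoch
	return nil
}

// ApplySigned models cryptographic group management: the change is accepted
// only if it advances the epoch by exactly one (no replay) and carries a valid
// admin signature over the exact encoded contents.
func (g *GroupState) ApplySigned(m MembershipChange) error {
	if m.GroupID != g.GroupID {
		return errors.New("message is for a different group")
	}
	if m.Epoch != g.Epoch+1 {
		return errors.New("stale or out-of-order epoch")
	}
	if !ed25519.Verify(g.AdminPub, m.Encode(), m.AdminSig) {
		return errors.New("membership change not signed by the group admin")
	}
	g.Members[m.NewMember] = true
	g.Epoch = m.Epoch
	return nil
}

// AdminSign is what the admin's client does before handing the change to the server.
func AdminSign(priv ed25519.PrivateKey, m MembershipChange) MembershipChange {
	m.AdminSig = ed25519.Sign(priv, m.Encode())
	return m
}

// DemoResult records what each design does with the same constructed messages.
type DemoResult struct {
	LegitAccepted    bool // admin-signed add of "bob", signed design
	ForgedRejected   bool // unsigned add injected by the server, signed design
	TamperedRejected bool // signed add whose NewMember the server swapped, signed design
	UnsignedAccepted bool // the same forged add, unsigned design
}

func Demo() DemoResult {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	newGroup := func() *GroupState {
		return &GroupState{GroupID: "ops-team", AdminPub: adminPub, Members: map[string]bool{"admin": true, "alice": true}}
	}
	signed, unsigned := newGroup(), newGroup()
	legit := AdminSign(adminPriv, MembershipChange{GroupID: "ops-team", Epoch: 1, NewMember: "bob"})
	forged := MembershipChange{GroupID: "ops-team", Epoch: 2, NewMember: "mallory"} // server-originated, no signature
	tampered := AdminSign(adminPriv, MembershipChange{GroupID: "ops-team", Epoch: 2, NewMember: "carol"})
	tampered.NewMember = "mallory" // server rewrites the payload after the admin signed it
	var r DemoResult
	r.LegitAccepted = signed.ApplySigned(legit) == nil && signed.Members["bob"]
	r.ForgedRejected = signed.ApplySigned(forged) != nil
	r.TamperedRejected = signed.ApplySigned(tampered) != nil && !signed.Members["mallory"]
	r.UnsignedAccepted = unsigned.ApplyUnsigned(forged) == nil && unsigned.Members["mallory"]
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The signature binds the admin's intent to the exact group, epoch and member, so the server is reduced to a relay that can delay or drop a change but cannot author one; the epoch check additionally stops an old, validly signed change from being replayed later.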
TeleMessage, a modified Signal clone used by US government officials, has been hacked
A hacker exploited a vulnerability in TeleMessage, a service providing modified versions of encrypted messaging apps, to extract archived messages and data related to U.S. government officials and companies. While messages of cabinet members were not compromised, the breach exposed various sensitive information, including message contents, contact details of government officials, and login credentials. The hack revealed that archived chat logs were not end-to-end encrypted between TeleMessage's modified apps and their storage location. In response, Smarsh, TeleMessage's parent company, suspended its services and launched an investigation. Coinbase, one of the affected companies, stated that there was no evidence of sensitive customer information being accessed or accounts being at risk.
NSO Group fined $167M for spyware attacks on 1,400 WhatsApp users
A U.S. federal jury has ordered NSO Group to pay WhatsApp over $167 million in damages for a 2019 spyware campaign targeting 1,400 users. This landmark case marks the first time a spyware vendor has been held accountable in court. NSO exploited a WhatsApp vulnerability to install Pegasus spyware on devices, affecting human rights activists, journalists, and diplomats. The trial revealed NSO's direct involvement in infection operations and their use of multiple zero-day vulnerabilities. Meta, WhatsApp's owner, hailed the verdict as a significant step for privacy and security. The decision could have far-reaching implications for the commercial spyware industry, with experts warning that other spyware firms could face similar consequences.
Malicious PyPi package hides RAT malware, targets Discord devs since 2022
A malicious Python package named "discordpydebug" was discovered on PyPI, targeting Discord developers with RAT malware. Despite lacking documentation, it was downloaded over 11,000 times since March 2022. The package transforms infected devices into remote-controlled systems, allowing attackers to steal data, execute code, and potentially move laterally within networks. It uses outbound HTTP polling to bypass security measures and connects to a C2 server. To mitigate risks, developers are advised to verify package sources, review code for suspicious functions, and use security tools to detect malicious packages.
Pay day banking outages hit 1.2m people, banks reveal
A recent banking outage on February 28th affected approximately 1.2 million customers in the UK, with Lloyds Banking Group experiencing the largest impact. The incident, which occurred on a common payday, led to login issues and extended customer service wait times. Banks have since paid over £114,000 in compensation and are implementing measures to prevent future disruptions. This event is part of a broader pattern of IT failures in the banking sector, with nine major banks accumulating 803 hours of outages over two years. Experts argue that these issues stem from aging infrastructure and inadequate IT systems, emphasizing the need for banks to invest in modernization to maintain customer trust and prevent reputational damage.
Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre
The National Cyber Security Centre (NCSC) has issued a warning about criminals impersonating IT help desks to launch cyber attacks on British retailers, including recent targets like Marks & Spencer, Co-op, and Harrods. The NCSC advises organizations to review their password reset processes and authentication methods for staff members, especially for senior employees with high-level access. Experts recommend additional security layers, such as code words, to verify employee identity. The attacks are suspected to be linked to a group of young English-speaking hackers known as Scattered Spider, although the perpetrators deny this association and call themselves DragonForce. The NCSC is working with victims and law enforcement to investigate the connection between these attacks.
LockBit Ransomware Hacked, Insider Secrets Exposed
The notorious cybercrime group LockBit has suffered a major security breach, with their dark web affiliate panels being compromised and replaced with a message against criminal activity. A leaked SQL database containing crucial information about LockBit's ransomware operations was made available, including internal chats, victim profiles, custom ransomware builds, and Bitcoin addresses. The data dump covers activities from December 2024 to April 2025 and has been confirmed as authentic by cybersecurity experts. This breach is expected to provide valuable insights for cyber defenders and law enforcement, potentially enabling better tracking of LockBit's campaigns, improved attribution, and enhanced victim support. The incident follows a significant law enforcement operation against LockBit in 2024, further impacting the group's operations.
Open source project curl is sick of users submitting “AI slop” vulnerabilities
Daniel Stenberg, lead of the curl project, is raising alarm over the increasing number of AI-generated vulnerability reports submitted through platforms like HackerOne. These reports, often characterized by perfect English and polite phrasing, are wasting developers' time and have not yielded any valid security issues. Stenberg plans to ban reporters who submit AI-generated content, which he refers to as "AI slop." The problem is not unique to curl, with other open-source projects experiencing similar issues. While HackerOne supports responsible AI use in security research, they treat low-quality, AI-generated reports as spam. Stenberg is calling for stronger measures from reporting platforms to address this growing trend and filter out AI-generated noise from genuine security reports.
New UK Framework Pressures Vendors on SBOMs, Patching and Default MFA
The UK government is introducing a voluntary Software Security Code of Practice, outlining 14 baseline principles for software vendors to ensure secure-by-default practices. This initiative aims to address market failures in software security by setting minimum expectations for procurement conversations and encouraging even small firms to adopt secure practices. The code covers various aspects of software security, from design to maintenance, and will be accompanied by a certification scheme. While currently voluntary, it may evolve into mandatory rules, similar to previous UK initiatives. The approach mirrors the US government's Secure by Design pledge but lacks a federal mechanism for enforcement. This move aligns with recent calls from industry leaders for prioritizing security over rapid feature development in software products.
41 Countries Taking Part in NATO's Locked Shields 2025 Cyber Defense Exercise
Locked Shields 2025, one of the world's most complex cybersecurity exercises, is currently underway at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. Nearly 4,000 experts from 41 NATO ally and partner nations are participating in this realistic simulation designed to test and enhance national cybersecurity teams' preparedness. The exercise involves 17 blue teams defending 8,000 virtual systems against sophisticated attacks, including challenges related to quantum computing and AI. Participants must also handle disinformation, political pressure, infrastructure issues, legal aspects, and strategic communications in high-pressure scenarios. The exercise aims to prepare nations to defend their networks and essential services against the rising threat of cyberattacks on critical infrastructure, emphasizing the importance of resilience through shared challenges, cooperation, and training.
PIVOTT Act Revived to Tackle Growing Cybersecurity Workforce Shortages
The PIVOTT Act, introduced by Congressman Mark E. Green, aims to address the growing cybersecurity workforce gap by offering full scholarships for two-year degrees in exchange for government service. Administered by CISA, the program targets entry-level talent and those transitioning to cybersecurity careers, providing a streamlined pathway into government positions. The Act responds to the increasing cyber threats faced by the US government and the persistent shortage of cybersecurity professionals in both public and private sectors. It seeks to build a skilled workforce quickly, addressing the critical need for cybersecurity expertise in an era of heightened geopolitical tensions and evolving technological threats.
Impact of AI on cyber threat from now to 2027 (NCSC)
An NCSC assessment forecasts the impact of AI on cyber threats from now until 2027. It predicts that AI will enhance cyber intrusion operations, making them more effective and frequent. While only highly capable state actors will fully harness AI for advanced cyber operations initially, the proliferation of AI-enabled tools will likely increase access to enhanced intrusion capabilities for a wider range of actors. Key developments include AI-assisted vulnerability research and exploit development, which will shorten the time between vulnerability disclosure and exploitation. The assessment also warns of an increased attack surface due to the integration of AI systems in critical infrastructure. To mitigate these threats, the report emphasizes the importance of fundamental cybersecurity practices and keeping pace with AI advancements in cyber defense.
Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks
Europol has announced the shutdown of several DDoS-for-hire services responsible for thousands of global cyber-attacks. Polish authorities arrested four suspects, while the U.S. seized nine associated domains. The services, including cfxapi, cfxsecurity, neostress, jetstress, quickdown, and zapcut, enabled customers to launch attacks on various targets for as little as €10. These platforms featured user-friendly interfaces, allowing even those with limited technical knowledge to orchestrate attacks. The operation, part of the ongoing Operation PowerOFF, is a collaborative effort between Europol, Dutch, and German authorities to dismantle DDoS-for-hire infrastructure. This action follows a similar takedown in December 2024, which targeted 27 stresser services and led to charges against six individuals in the Netherlands and the U.S.
Subscribe and come back next week to get another quick overview of recent industry events. Did I miss any news that you found useful from this week? Please add them to the comment section.