@The DefendOps Diaries
//
Marks & Spencer (M&S) has confirmed it is currently dealing with a cybersecurity incident that has caused disruption to its UK retail operations. The retail giant said it has been managing this incident for the past few days, leading to operational changes aimed at protecting customers and the business. These changes have resulted in some disruption, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect. The company has apologized to customers for any inconvenience experienced due to the disruptions.
M&S said that despite the ongoing cyber incident, its stores remain open, and its website and app are operating normally. It is working diligently to resolve technical issues and address delays affecting customer orders. In response to customer queries on social media platforms like X, Marks & Spencer acknowledged working to resolve technical issues in its stores. The company is also collaborating with external cybersecurity experts to investigate the incident and has notified data protection authorities, including the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO). While M&S has confirmed the cybersecurity incident and taken steps to mitigate its impact, specific details regarding the nature of the attack and potential compromise of customer data remain unclear. The company has been tight-lipped on divulging extra information, however it has mentioned it is coordinating with relevant agencies such as the NCSC. The retailer said that if the situation changes an update will be provided as appropriate. Marks & Spencer claims to serve 32 million customers every year. Recommended read:
References :
Lawrence Abrams@BleepingComputer
//
A recent Microsoft Entra ID security update caused widespread account lockouts across numerous organizations, highlighting the potential risks associated with new security feature deployments. The issue stemmed from the rollout of a new "leaked credentials" detection app called MACE (Microsoft Account Credential Evaluation). This new feature inadvertently flagged legitimate user accounts, triggering automatic lockouts despite strong, unique passwords and multi-factor authentication (MFA) being in place.
Microsoft confirmed that the Entra account lockouts over the weekend were due to the invalidation of short-lived user refresh tokens mistakenly logged into internal systems. The problem was traced back to an internal logging mishap involving these tokens, where a subset of them were being logged internally, which deviates from the standard practice of logging only metadata. This logging error was identified on April 18, 2025, and promptly corrected. The incident caused significant disruption as Windows administrators from numerous organizations reported receiving alerts that user credentials had been found leaked on the dark web. However, users noticed discrepancies, such as passwordless accounts being affected and no matches on Have I Been Pwned (HIBP), raising suspicions of false positives. Microsoft has advised affected customers to use the “Confirm User Safe” feature in response to the erroneous alerts and is working to prevent future occurrences. Recommended read:
References :
@hackread.com
//
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.
Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink. Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging. Recommended read:
References :
Stu Sjouwerman@blog.knowbe4.com
//
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.
Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies. The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers. Recommended read:
References :
@cyberinsider.com
//
Legends International, a prominent entertainment venue management firm, has disclosed a data breach that occurred in November 2024. The breach compromised the personal information of both employees and visitors to venues managed by the company. According to reports, the company detected unauthorized activity within its IT systems on November 9, 2024, prompting an immediate investigation with the assistance of external cybersecurity experts. Legends International also notified law enforcement following the discovery of the cyberattack.
The investigation confirmed that unauthorized actors had accessed and exfiltrated files containing personal data. The compromised information varies by individual but may include sensitive details such as dates of birth, Social Security numbers, driver's license and government ID numbers, financial account details, medical information, and health insurance information. The company has stated that the individuals affected either worked at or visited a venue managed by Legends International. In response to the breach, Legends International has taken steps to strengthen its security controls. While the company maintains that it is unaware of any misuse of personal information resulting from the incident, it is offering affected individuals a complimentary 24-month membership to Experian's IdentityWorks service. This service includes credit monitoring, identity restoration support, and up to $1 million in identity theft insurance. The incident has impacted at least 8,065 individuals in Texas and Massachusetts, though reports indicate that over 118,000 people nationwide may be affected. Recommended read:
References :
Iain Thomson@The Register - Security
//
References:
DataBreaches.Net
, The Register - Security
,
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning critical vulnerabilities affecting SonicWall SMA 100 series appliances and legacy Oracle Cloud environments. The alerts highlight potential risks to organizations and individuals stemming from exploited vulnerabilities and data theft. CISA is urging affected users to take immediate steps to mitigate potential cyberattacks, including resetting passwords, monitoring authentication logs, and implementing multi-factor authentication. These actions aim to prevent unauthorized access and escalation of privileges within enterprise environments.
The alert regarding Oracle Cloud addresses the compromise of legacy Oracle Cloud servers earlier in the year. CISA warns that the nature of the reported activity presents a potential risk, especially where credential material may be exposed, reused across separate systems, or embedded within scripts and applications. Compromised credentials, including usernames, emails, passwords, authentication tokens, and encryption keys, can significantly impact enterprise security. The agency has specifically emphasized the danger of embedded credentials, which are difficult to detect and remove, potentially enabling long-term unauthorized access. CISA has also added CVE-2021-20035, a high-severity OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, to its known exploited vulnerabilities catalog. SonicWall initially disclosed and patched the vulnerability in September 2021, later raising its severity score. The vulnerability allows a threat actor to remotely inject arbitrary commands, potentially leading to code execution. Federal civilian executive branch agencies have been directed to patch their SonicWall appliances by May 7 or discontinue use of the product. SonicWall is actively investigating the scope of the exploitation and urges customers to upgrade to the latest firmware. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.
The vulnerability affects all users running an SSH server based on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application providing SSH access using the Erlang/OTP SSH library should be considered affected. This vulnerability poses a significant risk, especially to critical infrastructure and high-availability systems where Erlang/OTP is widely used, such as in telecommunications equipment, industrial control systems, and connected devices. Expert Mayuresh Dani of Qualys emphasizes the critical nature, noting Erlang's frequent installation on high-availability systems. This vulnerability could allow actions such as installing ransomware or siphoning off sensitive data. Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, increasing the urgency for organizations to take immediate action. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed they had developed their own exploit, describing it as "surprisingly easy" to reproduce. Mitigation strategies include immediately updating to the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround, it is recommended to disable the SSH server or restrict access via firewall rules until the updates can be applied. Organizations should evaluate their systems for potential compromise. Recommended read:
References :
Jenna McLaughlin@NPR Topics: Technology
//
A whistleblower at the US National Labor Relations Board (NLRB) has come forward with allegations of a significant cybersecurity breach involving the Department of Government Efficiency (DOGE), overseen by Elon Musk. According to the whistleblower, Daniel Berulis, DOGE operatives arrived at the agency in early March and were granted unrestricted access to internal systems, a move that deviated from standard operating procedures. The whistleblower claims that these DOGE employees ignored infosec rules and were instructed to hand over any requested accounts and stay out of DOGE’s way.
According to the affidavit submitted to the Senate Intelligence Committee, these actions led to a "significant cybersecurity breach" potentially exposing the agency's data to foreign adversaries. The whistleblower also alleges that during their activity, DOGE employees exfiltrated 10GB of data to servers in the US and disabled monitoring tools, raising concerns about potential data exposure. Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it. The most alarming aspect of the allegations involves attempted access to the NLRB's systems from a Russian IP address using legitimate accounts created by DOGE staffers. These attempts were reportedly blocked, but the valid credentials used suggest a potential compromise. The NPR has reported that the data that DOGE moved could have included sensitive information on unions, ongoing legal cases and corporate secrets. Democratic lawmakers are calling for an investigation into the matter. Recommended read:
References :
@www.microsoft.com
//
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.
The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST. The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.
This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes. CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks. Recommended read:
References :
@nvd.nist.gov
//
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.
The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques. The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity. Recommended read:
References :
|