
April 30, 2025 – Cyber Briefing

👉 What’s trending in cybersecurity today?

Apple, AirPlay, Zero Click, Remote Attacks, Device Hijacking, AWS, Default Roles, Critical Flaws, Account Compromise, Gremlin Stealer, Malware, Telegram, Sensitive Data, Docker Desktop, macOS, Unrestricted Registry Access, Samsung, MagicINFO, Remote Code Execution, Verisource, Data Breach, 4 Million Individuals, Indian Defense Websites, Cyberattack, Pakistan, Ukraine, Epicentr, Retail Giant, Spain, Badajoz City Council, Ransomware, Germany, Uecker-Randow, Hunting Association, US Homeland Security Secretary, Stronger CISA, India, Court, Proton Mail, Meta, LlamaFirewall, AI Systems, Veza, Cloud Identity Security, Funding, Cloudflare, DDoS Attacks, Surge, Hyper Volumetric Incidents



🚨 Cyber Alerts

1. Apple AirPlay Bugs Expose Devices to Attacks

Oligo Security disclosed 23 vulnerabilities in Apple's AirPlay protocol and the AirPlay SDK that expose both Apple devices and third-party AirPlay receivers to remote attacks, including data theft, malware propagation and device takeover. Two of the flaws, CVE-2025-24252 and CVE-2025-24132, enable wormable, zero-click remote code execution: an attacker on the same network can compromise a device without any user interaction and use it to reach further devices. Oligo and Apple coordinated disclosure, and Apple has shipped fixes, with 17 CVEs assigned in total. Third-party speakers, receivers and in-car units that embed the AirPlay SDK stay exposed until their vendors ship updated firmware, so beyond updating Apple devices, organizations should disable the AirPlay receiver where it is not needed, limit AirPlay to trusted networks, and block AirPlay traffic at the firewall from untrusted segments.

2. AWS Default Roles Expose Cloud to Attacks

Researchers at Aqua Security found that the default IAM roles created for Amazon Web Services offerings such as SageMaker, Glue and EMR, and for open-source tools like Ray, carry overly broad permissions such as the AmazonS3FullAccess managed policy. These roles are meant to simplify onboarding, but a role that can read and write every bucket in the account creates a dangerous attack path: anyone who compromises it can read all S3 data, plant malicious scripts or models in buckets that other services execute from, and pivot across AWS services. AWS has narrowed the default permissions and updated its guidance; the Ray defaults remain broad, so users of such tools should scope the role themselves.
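The check a practitioner wants here is an audit of which roles in the account still carry an all-buckets write grant. The following is an added example for this briefing, not code from the researchers or from AWS: it walks an inventory of role policy documents and flags Allow statements that combine an S3 write action with a wildcard resource. The inventory is constructed in memory (the first role mirrors the onboarding default described above, the second shows the scoped-down shape to aim for); in a real account the same documents come from boto3's `iam.get_policy_version` / `iam.get_role_policy`.

```python
"""Audit IAM policy documents for broad S3 grants like AmazonS3FullAccess.

Added example for this briefing, not code from the researchers or AWS. The
inventory below is constructed in memory; in a real account the same
documents come from iam.get_policy_version / iam.get_role_policy (boto3).
"""
import fnmatch
import json

# Constructed sample inventory: role name -> {policy name: policy document}.
# The first role mirrors the onboarding default the text describes; the
# second is the scoped-down shape to aim for.
SAMPLE_ROLES = {
    "AmazonSageMaker-ExecutionRole-demo": {
        "AmazonS3FullAccess": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
        }
    },
    "glue-job-scoped-role": {
        "GlueJobBucketAccess": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::glue-jobs-prod/*"},
                {"Effect": "Allow",
                 "Action": "s3:ListBucket",
                 "Resource": "arn:aws:s3:::glue-jobs-prod"},
            ],
        }
    },
}

# Write-capable S3 actions. Any of these on every bucket lets a compromised
# role overwrite scripts, notebooks or models that other services execute.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy",
                 "s3:PutObjectAcl", "s3:DeleteBucket")
BROAD_RESOURCES = {"*", "arn:aws:s3:::*"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive globs ('s3:*', 's3:Put*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def broad_s3_statements(policy):
    """Return the Allow statements that grant S3 writes on all resources.

    NotAction/NotResource statements are reported as broad: they are an
    allow-list inversion and almost always wider than intended.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"statement": stmt, "grants": ["<inverted statement>"]})
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(r in BROAD_RESOURCES for r in resources):
            continue
        grants = [a for a in WRITE_ACTIONS
                  if any(_action_matches(p, a) for p in actions)]
        if grants:
            findings.append({"statement": stmt, "grants": grants})
    return findings


def audit_roles(roles):
    """Map each role to the names of its policies that contain broad S3 writes."""
    report = {}
    for role, policies in roles.items():
        for name, document in policies.items():
            if broad_s3_statements(document):
                report.setdefault(role, []).append(name)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
```

Running it reports only the SageMaker role, because the Glue role's statements name a single bucket. Note that the scoped policy still needs `s3:ListBucket` on the bucket ARN and object actions on the `/*` ARN as two separate statements; collapsing them onto `*` to save typing is exactly how these defaults came to exist.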

3. Gremlin Stealer Malware Sold on Telegram

Gremlin Stealer, a new infostealer, has been spreading since mid-March 2025 and is promoted mainly through a Telegram channel called CoderSharp. It steals a wide range of data from compromised Windows devices, including browser passwords, credit card details and cryptocurrency wallet data. The malware, written in C#, writes the stolen data to plain-text files under the local application data folder (%LOCALAPPDATA%), compresses them, and uploads the archive to the operator's server through a Telegram bot.
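Because the exfiltration goes through the Telegram Bot API rather than a bespoke C2, it leaves a recognisable shape in outbound proxy logs: a POST to `https://api.telegram.org/bot<token>/sendDocument` from a workstation. The detection below is an added example for this briefing, not code from the Gremlin Stealer report; the proxy log format (timestamp, host, verb, URL, bytes out) and the log lines are constructed, and the token is a made-up value of the right shape (numeric bot id, a colon, then a secret).

```python
"""Flag Telegram Bot API uploads in outbound proxy logs.

Added detection example for this briefing, not code from the Gremlin Stealer
report. The log format (timestamp host verb url bytes_out) and the log lines
are constructed; adapt LOG_RE to your proxy's format. Bot API URLs have the
shape https://api.telegram.org/bot<token>/<method>, where the token is
<numeric bot id>:<secret>.
"""
import re
from urllib.parse import urlsplit

# Constructed proxy lines (not real traffic). WS-0142 plays the infected host.
SAMPLE_LOG = """\
2025-04-29T10:02:11Z WS-0142 GET https://www.example.com/ 512
2025-04-29T10:02:19Z WS-0142 POST https://api.telegram.org/bot123456789:AAHx9yZabcdefghijklmnopqrstuvwxyz01/sendDocument 734211
2025-04-29T10:05:40Z WS-0077 POST https://web.telegram.org/k/ 2048
2025-04-29T10:06:02Z WS-0142 POST https://api.telegram.org/bot123456789:AAHx9yZabcdefghijklmnopqrstuvwxyz01/sendMessage 310
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")
# The secret half of the token is matched loosely on purpose: the shape is the signal.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)$")
# Bot API methods that carry a file body: this is how a stealer ships its archive.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Split one proxy line into fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for Bot API traffic, else None.

    Ordinary Telegram client use goes to web.telegram.org or the MTProto
    servers, not to api.telegram.org/bot<token>/..., so on a managed
    workstation this path alone is a strong signal.
    """
    parts = urlsplit(entry["url"])
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    kind = "exfil_upload" if m["method"] in UPLOAD_METHODS else "bot_api_call"
    return {
        "ts": entry["ts"],
        "host": entry["host"],
        "kind": kind,
        "api_method": m["method"],
        # Keep only the numeric bot id; the secret half is a credential, do not log it.
        "bot_id": m["token"].split(":", 1)[0],
        "bytes_out": int(entry["bytes"]),
    }


def detect(log_text):
    """Run the classifier over a log blob and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def hosts_with_uploads(findings):
    """Hosts that pushed a file through a bot: the ones to isolate first."""
    return sorted({f["host"] for f in findings if f["kind"] == "exfil_upload"})


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("isolate:", hosts_with_uploads(results))
```

On the sample, the two api.telegram.org requests are flagged and WS-0142 is returned as the host to isolate; the web.telegram.org browsing on WS-0077 is left alone. The bot id is worth keeping in the finding because the same operator tends to reuse one bot across victims, which lets you pivot from one alert to the rest of the fleet.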

4. Docker Flaw Allows Access to Any Registry

A critical vulnerability in Docker Desktop for macOS lets a user bypass Registry Access Management (RAM) policies, the control administrators use to restrict which container registries Docker Desktop may pull from. The flaw affects versions 4.36.0 through 4.40.0 and allows images to be pulled from registries an organization has blocked, including potentially malicious ones, exposing the software supply chain to malware or ransomware carried in a container image. Docker has patched the issue in version 4.41.0 and urges all users to upgrade. Because RAM is enforced on the client, the policy offers no protection on an endpoint still running an affected build, so inventory Docker Desktop versions across the fleet rather than relying on the policy alone.

5. Samsung MagicINFO Flaw Allows Remote Access

A critical vulnerability, tracked as CVE-2024-7399, has been disclosed in Samsung's MagicINFO digital signage management platform. It allows an unauthenticated remote attacker to execute arbitrary code with system-level privileges. The root cause is improper file path validation in the SWUpdateFileUploader endpoint, which accepts file uploads without authentication and lets the client-supplied name steer where the file is written. Samsung has released a fix in version 21.1050, and organizations running affected versions should update immediately; since MagicINFO servers are frequently reachable from broader networks than they need to be, restricting access to the management interface is a worthwhile second control.
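The bug class here, a client-controlled file name joined onto a server directory, is worth seeing side by side with its fix. The following is an added example for this briefing and not Samsung's code: `vulnerable_target` shows how `os.path.join` lets `../` walk out of the upload root (and how an absolute name discards the root entirely), while `safe_target` accepts only a single path component with an allow-listed suffix whose resolved location sits directly under the resolved root. `UPLOAD_ROOT` and `ALLOWED_SUFFIXES` are assumed values.

```python
"""Vulnerable vs. hardened upload path handling.

Added example for this briefing, not Samsung's code: it shows the bug class
the MagicINFO advisory describes (a client-controlled file name joined onto
a server directory) next to a version that rejects anything outside the
upload root. UPLOAD_ROOT and ALLOWED_SUFFIXES are assumed values.
"""
import os
from pathlib import Path

UPLOAD_ROOT = Path("/opt/signage/uploads")   # assumed, not the real product path
ALLOWED_SUFFIXES = {".swu", ".zip"}           # assumed allow-list for update packages


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name would land outside UPLOAD_ROOT."""


def vulnerable_target(filename):
    """Vulnerable form: '../' walks out of the root, and an absolute name
    replaces the root entirely (os.path.join discards the left side)."""
    return os.path.join(str(UPLOAD_ROOT), filename)


def safe_target(filename):
    """Hardened form: single path component, allow-listed suffix, and the
    resolved path must sit directly under the resolved upload root."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    # One component only. Both separators are rejected because the server
    # OS may differ from the client's; '.' and '..' are never valid names.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise UnsafeFilename(filename)
    root = UPLOAD_ROOT.resolve()
    candidate = (root / filename).resolve()   # follows symlinks planted in the root
    if candidate.parent != root or candidate.name != filename:
        raise UnsafeFilename(filename)
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeFilename(filename)
    return str(candidate)


def is_safe(filename):
    """True if safe_target accepts the name; handy for bulk checks."""
    try:
        safe_target(filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    probes = ("update.swu", "../../etc/passwd", "/etc/passwd",
              "sub/update.swu", "update.exe")
    for name in probes:
        print(f"{name!r:22} vulnerable -> {vulnerable_target(name):40} safe? {is_safe(name)}")
```

The authentication half of the advisory is the other missing control: the hardened handler must check the caller's session before it touches the file system at all, because path validation only limits where an attacker can write, not whether they may write.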


💥 Cyber Incidents

6. Verisource Services Breach Affects 4 Million

Verisource Services, a Houston-based company, suffered a data breach in February 2024. Initially reported as affecting 1,382 individuals, the breach has since been revised to up to 4 million people. Attackers gained access to sensitive personal information, including Social Security numbers and health data. Affected individuals have been offered credit monitoring and identity theft protection, and lawsuits alleging negligence have been filed against the company.

7. Cyberattack on Four Indian Defense Websites

A Pakistan-based group attempted cyberattacks on four Indian defense-related websites, including those of Army Public Schools, the Army Welfare Housing Organisation and the Indian Air Force Placement Organisation. The attackers sought to deface pages, disrupt services and steal data, but Indian cybersecurity teams isolated and neutralized the attempts. Despite the persistent efforts, no critical systems were affected.

8. Epicentr Cyberattack Disrupts Ukraine Stores

Epicentr, Ukraine’s largest home improvement retailer, experienced a major cyberattack that disrupted operations across dozens of its stores and disabled key IT systems including checkout, logistics, and accounting functions. Customers nationwide were unable to make purchases, track deliveries, or use the company’s digital platforms, leading to widespread service outages. Although Epicentr confirmed the incident was a deliberate attack, the company did not identify the responsible group or confirm whether ransomware was involved.

9. Badajoz City Council Hit by Ransomware

Badajoz City Council, in Spain, is working to restore its systems after a ransomware attack on its internal network. The incident has led to the suspension of administrative deadlines until systems are fully restored. As a precaution the council shut down its electronic headquarters (its e-government portal) and its electronic registry to protect sensitive data. Authorities have been informed, and the council has committed to providing updates as recovery progresses, prioritizing the restoration of services and the security of its systems.

10. Uecker-Randow Hunting Association Hacked

The Uecker-Randow Hunting Association in Germany has been without access to its website for two weeks following a cyberattack. Chairman Niels Saeger confirmed the breach during a meeting in Torgelow, explaining that the site was compromised by malware, likely a Trojan. An IT specialist has been brought in to restore access. If recovery fails, a new website may have to be built, as vital information, including hunter training details and newsletters, is currently inaccessible to members.


📢 Cyber News

11. CISA Reforms Aim to Strengthen Cyber Defense

Homeland Security Secretary Kristi Noem assured cybersecurity professionals that ongoing reforms at CISA will strengthen its mission. Speaking at the RSA Conference in San Francisco, she said recent workforce cuts and program dissolutions are part of efforts to refocus the agency on core cybersecurity functions. Despite criticism from former officials and concerns about discontinued tools and initiatives, Noem emphasized that the changes aim to make CISA more responsive and efficient. She added that upcoming federal budget proposals will further outline the agency’s evolving priorities, including a renewed push for secure-by-design products and a step back from countering online misinformation.

12. India Court Orders Block of Proton Mail

India’s Karnataka High Court has ordered the blocking of encrypted email provider Proton Mail following a legal complaint from New Delhi-based M Moser Design Associates. The company alleged that its employees received obscene and vulgar emails sent via Proton Mail, which refused to share sender details despite a police complaint. The court directed the Indian government to block Proton Mail under the Information Technology Act, citing concerns about the email service’s failure to cooperate.

13. Meta Launches LlamaFirewall for AI Security

Meta has released LlamaFirewall, an open-source framework for the security risks that come with LLM-based applications and agents. It combines three components: PromptGuard 2, Agent Alignment Checks and CodeShield. PromptGuard 2 is a classifier that detects direct prompt injection and jailbreak attempts in real time; Agent Alignment Checks audit an agent's reasoning as it runs to catch goal hijacking, the typical outcome of indirect prompt injection through tool outputs or retrieved content; and CodeShield is a static analysis engine that stops an agent from emitting insecure code.

14. Veza Raises $108M to Secure Cloud Data

Veza, a San Francisco startup, secured $108 million in Series D funding, bringing its valuation to $808 million. The funding round was led by New Enterprise Associates (NEA), with participation from existing investors like Accel and GV. Veza’s platform, designed to manage identity security for cloud data, helps organizations enforce data permissions across SaaS applications. The company aims to improve cybersecurity by offering unified, real-time access control to combat credential abuse and outdated security tools.

15. DDoS Attacks Surge by 358% in Q1 2025

According to Cloudflare's Q1 2025 DDoS report, attacks surged by 358% compared with the same quarter last year. More than 20 million incidents were recorded, including over 700 hyper-volumetric attacks exceeding 1 Tbps or 1 billion packets per second. While 99% of network-layer attacks remained small, a late-April campaign included bursts reaching 6.5 Tbps. Most attacks lasted under a minute, and most victims could not identify who attacked them or why.


Copyright © 2025 CyberMaterial. All Rights Reserved.
