Cyber security news April 2025

This posting is here to collect cyber security news in April 2025.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

182 Comments

  1. Tomi Engdahl says:

    Wall Street Journal:
    The European Commission fines Apple €500M and Meta €200M under the DMA and issues cease-and-desist orders to both companies; Apple and Meta say they will appeal

    Apple, Meta Fined by EU, Ordered to Comply With Tech Competition Rules
    Fines come as European officials pursue trade talks with the Trump administration
    https://www.wsj.com/tech/apple-meta-fined-by-eu-ordered-to-comply-with-tech-competition-rules-9063b7e6?st=hbwZ53&reflink=desktopwebshare_permalink

  2. Tomi Engdahl says:

    The Electronic Frontier Foundation (EFF) published a handbook explaining the surveillance technology used at the Mexico border. You can download the PDF for free.

    https://shop.eff.org/products/eff-zine-surveillance-technology-at-the-u-s-mexico-border

  3. Tomi Engdahl says:

    Data Breaches
    Microsoft Purges Dormant Azure Tenants, Rotates Keys to Prevent Repeat Nation-State Hack

    Microsoft security chief Charlie Bell says the SFI’s 28 objectives are “near completion” and that 11 others have made “significant progress.”

    https://www.securityweek.com/microsoft-purges-dormant-azure-tenants-rotates-keys-to-prevent-repeat-nation-state-hack/

  4. Tomi Engdahl says:

    Artificial Intelligence
    AI-Powered Polymorphic Phishing Is Changing the Threat Landscape

    Combined with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates.

    https://www.securityweek.com/ai-powered-polymorphic-phishing-is-changing-the-threat-landscape/

  5. Tomi Engdahl says:

    Data Breaches
    5.5 Million Patients Affected by Data Breach at Yale New Haven Health

    Yale New Haven Health System recently discovered that the personal information of millions of patients was stolen from its systems.

    https://www.securityweek.com/5-5-million-patients-affected-by-data-breach-at-yale-new-haven-health/

    Yale New Haven Health System (YNHHS), which operates several hospitals in Connecticut, recently disclosed a data breach impacting the personal information of millions of patients.

    The Yale University-affiliated healthcare organization revealed on April 11 that it detected unusual activity on its IT systems on March 8.

    While patient care was not impacted by the incident, an investigation showed that hackers managed to copy data from Yale New Haven Health systems on the day the intrusion was discovered.

    Compromised information varies by patient, but can include name, date of birth, address, phone number, email, race/ethnicity, SSN, and medical record number.

    YNHHS noted that its “electronic medical record system was not involved nor accessed in this incident, and no financial accounts, payment information or employee HR information was included”.

    The healthcare data breach tracker of the Department of Health and Human Services showed on Wednesday that the incident impacts more than 5.5 million individuals.

  6. Tomi Engdahl says:

    Employee monitoring app leaks 21 million screenshots in real time
    https://cybernews.com/security/employee-monitoring-app-leaks-millions-screenshots/?fbclid=IwY2xjawJ4hGVleHRuA2FlbQIxMQABHlrmCmj3ubR7DS9RgydhrRYCzI-Lj-KgUK-c81s_yctH6tiRSZoNmwirvlqJ_aem_MWdO5fXEus92p9JpXyCJpg

    A surveillance tool meant to keep tabs on employees is leaking millions of real-time screenshots onto the open web.

    Your boss watching your screen isn’t the end of the story. Everyone else might be watching, too. Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies.

    The app, designed to track productivity by logging activity and snapping regular screenshots of employees’ screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame.

    The leaked data is extremely sensitive, as millions of screenshots from employees’ devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain login pages, credentials, API keys, and other sensitive information that could be exploited to attack businesses worldwide.

    Cybernews contacted the company, and access has now been secured. An official comment has yet to be received.

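The article above says the screenshots sat in an unsecured S3 bucket but not how the bucket was misconfigured. The following is an added example, not WorkComposer's or Cybernews' code, showing how to check one of your own buckets offline for the three ways anonymous access usually arises: a bucket policy with Principal "*", an ACL grant to the AllUsers/AuthenticatedUsers groups, and a Public Access Block that is switched off. The policy, ACL and Public Access Block inputs are constructed in the shapes the AWS API returns (get-bucket-policy, get-bucket-acl, get-public-access-block); the bucket name and endpoint id are placeholders.

```python
"""Offline check of an S3 bucket for anonymous read or list access, using the
bucket policy, ACL and Public Access Block settings as returned by the AWS API
(get-bucket-policy, get-bucket-acl, get-public-access-block). Added example for
this page; the inputs below are constructed and are not WorkComposer's."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions (lower-cased) that let an anonymous caller read objects or list keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Allow statements for Principal * with a read/list action and no Condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS and not stmt.get("Condition"):
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} grants "
                            f"{sorted(actions)} to everyone")
    return findings


def acl_findings(acl):
    """Grants to the AllUsers (anonymous) or AuthenticatedUsers (any AWS account) groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            group = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def assess_bucket(policy, acl, public_access_block):
    """Public Access Block is evaluated first: IgnorePublicAcls makes public ACL
    grants inert, and RestrictPublicBuckets limits a public policy to AWS
    principals, so findings from a neutralised source are not reported."""
    pab = public_access_block or {}
    findings = []
    if not pab.get("IgnorePublicAcls"):
        findings += acl_findings(acl)
    if not pab.get("RestrictPublicBuckets"):
        findings += policy_findings(policy)
    return findings


# Constructed inputs: a policy with one unconditional public statement and one
# that is scoped by a Condition, and an ACL with an anonymous READ grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-screenshots", "arn:aws:s3:::example-screenshots/*"]},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-screenshots/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
SAMPLE_ACL = {"Owner": {"ID": "bucket-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {key: True for key in OPEN_PAB}

if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, OPEN_PAB):
        print("FINDING:", finding)
    print("with Public Access Block on:", assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, HARDENED_PAB))
```

Against the constructed inputs the check reports the anonymous ACL grant and the PublicRead statement but not the VpcEndpointOnly statement, whose Condition confines it; with all four Public Access Block settings enabled it reports nothing, which is the state a bucket holding screenshots of employee desktops should be in.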
  7. Tomi Engdahl says:

    Telegram vows to exit markets over encryption backdoor demands
    Telegram’s founder stresses the importance of encryption as a fundamental right over potential market access.
    https://cryptoslate.com/telegram-vows-to-exit-markets-over-encryption-backdoor-demands/

  8. Tomi Engdahl says:

    https://www.theregister.com/2025/04/22/ssl_com_validation_flaw/
    Bug hunter tricked SSL.com into issuing cert for Alibaba Cloud domain in 5 steps
    10 other certificates ‘were mis-issued and have now been revoked’

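Mis-issuance of the kind reported above is something a domain owner can catch only by watching what certificate authorities actually issue for their names, which is what Certificate Transparency logs are for. The following is an added example, not the bug hunter's, SSL.com's or Alibaba Cloud's code: it scans log entries for certificates covering a monitored domain and flags any issued by a CA organisation the owner does not use. The entries are constructed in the JSON shape crt.sh returns (issuer_name, common_name, name_value with newline-separated SANs, not_before, serial_number); the domains, CA names and serials are made up.

```python
"""Flag Certificate Transparency entries that cover your domains but come from
a CA you never use. Added example for this page, not the researcher's or
SSL.com's code. Entries are constructed in the JSON shape crt.sh returns
(issuer_name, common_name, name_value with newline-separated SANs, not_before,
serial_number); the domains, CA names and serials are made up."""

MONITORED_DOMAINS = {"example.com"}
# Organisation names (the O= part of the issuer DN) you actually obtain certificates from.
ALLOWED_ISSUER_ORGS = {"Let's Encrypt"}

SAMPLE_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_before": "2025-04-02T10:00:00",
     "serial_number": "0a01"},
    {"issuer_name": "C=US, O=Example DV CA Inc, CN=Example DV RSA CA 1",
     "common_name": "mail.example.com", "name_value": "mail.example.com",
     "not_before": "2025-04-20T08:30:00", "serial_number": "0b02"},
    # crt.sh lists the precertificate and the final certificate separately, same serial.
    {"issuer_name": "C=US, O=Example DV CA Inc, CN=Example DV RSA CA 1",
     "common_name": "mail.example.com", "name_value": "mail.example.com",
     "not_before": "2025-04-20T08:30:00", "serial_number": "0b02"},
    {"issuer_name": "C=US, O=Example DV CA Inc, CN=Example DV RSA CA 1",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2025-04-21T09:00:00", "serial_number": "0b03"},
    # Look-alike name that merely starts with our domain: not ours, must not match.
    {"issuer_name": "C=US, O=Example DV CA Inc, CN=Example DV RSA CA 1",
     "common_name": "example.com.evil.test", "name_value": "example.com.evil.test",
     "not_before": "2025-04-21T09:00:00", "serial_number": "0b04"},
]


def issuer_org(issuer_name):
    """Pull O= out of a comma-separated DN string; fall back to the whole DN."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name


def name_covers(san, domain):
    """True if a SAN (optionally a wildcard) is the domain or a subdomain of it."""
    san = san.lower()
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def unexpected_issuances(entries, monitored=MONITORED_DOMAINS, allowed=ALLOWED_ISSUER_ORGS):
    """Return one finding per (issuer, serial) for certs over monitored names
    whose issuer organisation is not in the allow-list."""
    seen = set()
    findings = []
    for entry in entries:
        sans = [n.strip() for n in entry["name_value"].split("\n") if n.strip()]
        ours = [n for n in sans if any(name_covers(n, d) for d in monitored)]
        if not ours:
            continue
        org = issuer_org(entry["issuer_name"])
        key = (org, entry["serial_number"])
        if org in allowed or key in seen:
            continue
        seen.add(key)
        findings.append({"serial": entry["serial_number"], "issuer": org,
                         "names": ours, "not_before": entry["not_before"]})
    return findings


if __name__ == "__main__":
    for finding in unexpected_issuances(SAMPLE_ENTRIES):
        print("UNEXPECTED:", finding)
```

On the constructed data the two certificates from "Example DV CA Inc" are reported once each (the precertificate duplicate is folded by serial) while the look-alike example.com.evil.test is ignored. A CAA record that names the same allowed CAs is the matching preventive control: compliant CAs must refuse issuance when the record excludes them, and the monitor above catches the cases where validation was fooled anyway.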
  9. Tomi Engdahl says:

    Trump’s D.C. Prosecutor Is Going After Wikipedia For Allegedly Spreading ‘Propaganda’
    Attorney Ed Martin claims that Wikimedia, the nonprofit that runs the free online encyclopedia, is “allowing foreign actors” to “manipulate information.”
    https://www.huffpost.com/entry/ed-martin-trump-threathens-wikipedia_n_680d17bbe4b06b5c9fc8d713?d_id=9131169&ref=bffbhuffpost&ncid_tag=fcbklnkushpmg00000063&utm_medium=Social&utm_source=Facebook&utm_campaign=us_main&fbclid=IwZXh0bgNhZW0CMTEAAR5DvN0-Coslxv9uwMUbKC47fCuaOQ-KZS6b7Nf9cGTXTbM0CroHTClqbEVKNg_aem_rhJuFPCDh6j1mN2dWnP5Cw

  10. Tomi Engdahl says:

    An important tool has arrived: do this to your router right away
    https://www.is.fi/digitoday/tietoturva/art-2000011168672.html

    F-Secure has released a free tool for checking the security of routers.

    The F-Secure Router Checker tool looks up router vulnerabilities in the NVD database and offers guidance on improving security.

    Router security is a timely topic, as criminals and state actors are looking for vulnerable devices to use in attacks.

    F-Secure Router Checker works in Finnish and Swedish, among other languages, and is used directly from F-Secure's website. Nothing needs to be installed on the computer.

    https://www.f-secure.com/fi/router-checker

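The comment above says the tool looks up router vulnerabilities in the NVD database. The core of such a lookup is matching a device's firmware version against the CPE version ranges in each CVE record, and the version comparison is where checks commonly go wrong (a naive string compare puts 3.0.0.4.388 before 3.0.0.4.39). The following is an added example, not F-Secure's Router Checker code: it walks records in the layout the NVD CVE API 2.0 returns (vulnerabilities[].cve.configurations[].nodes[].cpeMatch[], with versionStartIncluding/versionEndExcluding and friends) and returns the CVE ids that apply to a given vendor, product and version. The records are constructed with placeholder CVE ids and a made-up vendor, not real NVD data.

```python
"""Match a router's vendor, product and firmware version against CVE records in
the shape returned by the NVD CVE API 2.0. Added example for this page, not
F-Secure's Router Checker code; the records below are constructed with
placeholder CVE ids and a made-up vendor, not real NVD data."""
import re


def version_key(version):
    """Sort key for dotted firmware versions: numeric fields compare as integers,
    anything else as text, so 3.0.0.4.388 > 3.0.0.4.39 and 1.10 > 1.9."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-_]", version))


def cpe_fields(criteria):
    """Split a cpe:2.3 string into the fields this check needs (escaped colons
    inside field values are not handled here)."""
    fields = criteria.split(":")
    return {"part": fields[2], "vendor": fields[3], "product": fields[4], "version": fields[5]}


def version_in_match(version, match):
    """Apply the exact version in the criteria plus the optional start/end bounds.
    Missing bounds are open-ended, so version '*' with no bounds means every version."""
    key = version_key(version)
    exact = cpe_fields(match["criteria"])["version"]
    if exact not in ("*", "-") and version_key(exact) != key:
        return False
    if "versionStartIncluding" in match and key < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and key <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and key > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and key >= version_key(match["versionEndExcluding"]):
        return False
    return True


def cve_applies(cve, vendor, product, version):
    """True if any vulnerable cpeMatch names this product and covers the version.
    Simplification: AND/negate nodes (platform combinations) are treated like OR."""
    for configuration in cve.get("configurations", []):
        for node in configuration.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", True):
                    continue
                fields = cpe_fields(match["criteria"])
                if (fields["vendor"], fields["product"]) == (vendor, product) \
                        and version_in_match(version, match):
                    return True
    return False


def matching_cves(nvd_response, vendor, product, version):
    return [item["cve"]["id"] for item in nvd_response.get("vulnerabilities", [])
            if cve_applies(item["cve"], vendor, product, version)]


# Constructed records (placeholder ids, made-up vendor) in the NVD 2.0 layout.
FW_ANY = "cpe:2.3:o:examplevendor:rt_ax1000_firmware:*:*:*:*:*:*:*:*"
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": FW_ANY, "versionEndExcluding": "3.0.0.4.388"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": FW_ANY,
         "versionStartIncluding": "3.0.0.4.380", "versionEndIncluding": "3.0.0.4.386"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:o:examplevendor:rt_ax1000_firmware:3.0.0.4.386:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0004", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:othervendor:wr840_firmware:*:*:*:*:*:*:*:*"}]}]}]}},
]}

if __name__ == "__main__":
    for fw in ("3.0.0.4.379", "3.0.0.4.386", "3.0.0.4.388"):
        print(fw, matching_cves(SAMPLE_NVD, "examplevendor", "rt_ax1000_firmware", fw))
```

Running it shows the three bound types behaving differently for the same product: firmware 3.0.0.4.386 matches the open-ended "below 388" record, the closed 380 to 386 range and the exact-version record, 3.0.0.4.388 matches none, and 3.0.0.4.379 matches only the first. The same walk works over real data fetched from the NVD API once the vendor and product strings are the CPE names NVD uses, which is the part a device-facing tool has to map from the model name the user sees.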
  11. Tomi Engdahl says:

    The Head of the Pentagon Has Been Using His Personal Phone for Sports Betting and Sharing Military Secrets
    “There’s zero percent chance that someone hasn’t tried to install Pegasus or some other spyware on his phone.”
    https://futurism.com/head-pentagon-personal-phone?fbclid=IwY2xjawJ9KuFleHRuA2FlbQIxMQABHgflqJmZqp4KfJBVo6rOrXVKJhlW6t8iG1oGCiBKm0v2H7ENwp6fGFIX6I5b_aem_puhO7rOcphXmYw7cJKNGyw

    Remember when defense secretary of the United States Pete Hegseth, the man at the center of all the “Signalgate” drama, accidentally texted a journalist about the need to maintain “100 percent OPSEC” about secret war plans?

    “There’s zero percent chance that someone hasn’t tried to install Pegasus or some other spyware on his phone,” Mike Casey, the former director of the National Counterintelligence and Security Center, told the NYT. “He is one of the top five, probably, most targeted people in the world for espionage.”

    According to security experts, it’s not surprising that Hegseth’s personal number is on the web, since he was a private citizen before being sworn in. Instead, the former Fox News host’s staggeringly stupid mistake was using the same phone number to do all his official top secret military stuff, like announcing the details of an airstrike in Yemen against Houthi forces in a group chat that also had his wife and brother (we should clarify: that was a separate incident from when he accidentally leaked stuff to a journalist).

    As the NYT notes, even low-level government employees are forbidden from using personal devices for work-related tasks — and here’s the guy in charge of the entire nation’s defense efforts, leaving it all out in the open.

    In August last year, according to the reporting, Hegseth used his phone number to join Sleeper.com, a fantasy football and sports betting site, using this clandestine username: “PeteHegseth.” He also used his number with an email account that left a bunch of Google Maps reviews.

    “If you use your phone for just ordinary daily activities, you are leaving a highly, highly visible digital pathway that even a moderately sophisticated person, let alone a nefarious actor, can follow,” Glenn S. Gerstell, a former general counsel for the National Security Agency, told the NYT.

    “Phone numbers are like the street address that tell you what house to break into,”

    Hegseth’s qualifications for the Pentagon job have been seriously called into question ever since he was nominated by Trump.

    In March, Hegseth became the center of a national scandal after he shared classified war plans for a bombing campaign in Yemen in a Signal chat with other national security officials that accidentally contained The Atlantic’s editor-in-chief Jeffrey Goldberg. Ironically, during his stint at Fox News, Hegseth said former secretary of state Hillary Clinton should’ve been jailed for making a comparable mistake when she used her private email server for official communications.

  12. Tomi Engdahl says:

    Will Oremus / Washington Post:
    The US House passes the Take It Down Act to criminalize posting nonconsensual sexual images of others, including deepfakes, and require platforms to remove them — Trump is expected to sign into law a bill that would force online platforms to quickly take down nonconsensual intimate images.
    https://www.washingtonpost.com/technology/2025/04/28/congress-deepfake-revenge-porn-law/

  13. Tomi Engdahl says:

    Lauren Feiner / The Verge:
    Critics fear the Take It Down Act, one of the few online safety laws to pass in years, could be weaponized against content the Trump admin or its allies dislike — Critics warn it could have grave consequences for online speech and encryption.

    Take It Down Act heads to Trump’s desk
    Critics warn it could have grave consequences for online speech and encryption.
    https://www.theverge.com/news/657632/take-it-down-act-passes-house-deepfakes

    The Take It Down Act is heading to President Donald Trump’s desk after the House voted 409-2 to pass the bill, which will require social media companies to take down content flagged as nonconsensual (including AI-generated) sexual images. Trump has pledged to sign it.

    The bill is among the only pieces of online safety legislation to successfully pass both chambers in years of furor over deepfakes, child safety, and other issues — but it’s one that critics fear will be used as a weapon against content the administration or its allies dislike. It criminalizes the publication of nonconsensual intimate images (NCII), whether real or computer-generated, and requires social media platforms to have a system to remove those images within 48 hours of being flagged. In his address to Congress this year, Trump quipped that once he signed it, “I’m going to use that bill for myself too, if you don’t mind, because nobody gets treated worse than I do online, nobody.”

    The proliferation of AI tools that make it easier than ever to generate realistic-looking images has supercharged concerns about deepfaked, damaging content spreading through schools and creating a new vector of bullying and abuse. But while critics say that’s an important issue to deal with, they worry that the Take It Down Act’s approach could be exploited to inflict harm in other ways.

    The Cyber Civil Rights Initiative (CCRI), which was created to combat image-based sexual abuse, said that it can’t cheer the Take It Down Act’s passage. “While we welcome the long-overdue federal criminalization of NDII [the nonconsensual distribution of intimate images], we regret that it is combined with a takedown provision that is highly susceptible to misuse and will likely be counter-productive for victims,” the group writes. It fears that the bill, which empowers the Federal Trade Commission — whose Democratic minority commissioners Trump fired in a break with decades of Supreme Court precedent — will be selectively enforced in a way that ultimately only props up “unscrupulous platforms.”

  14. Tomi Engdahl says:

    Avery Lotz / Axios:
    President Trump says “fake news organizations” should be “investigated for election fraud” after several prominent polls showed his approval ratings sinking

    Trump lashes out against “fake polls” as his approval ratings sink
    https://www.axios.com/2025/04/28/trump-approval-ratings-slams-polls-truth-social

  15. Tomi Engdahl says:

    Josh Richman / Electronic Frontier Foundation:
    In an open letter, EFF and top security experts urge the Trump admin to end its probe of ex-CISA chief Chris Krebs, calling it political and harmful to security — Political Retribution for Telling the Truth Weakens the Entire Infosec Community and Threatens Our Democracy; Letter Remains Open for Further Sign-Ons

    EFF Leads Prominent Security Experts in Urging Trump Administration to Leave Chris Krebs Alone
    Political Retribution for Telling the Truth Weakens the Entire Infosec Community and Threatens Our Democracy; Letter Remains Open for Further Sign-Ons
    https://www.eff.org/press/releases/eff-leads-prominent-security-experts-urging-trump-administration-leave-chris-krebs

  16. Tomi Engdahl says:

    Lawrence Abrams / BleepingComputer:
    Sources: Scattered Spider carried out a ransomware attack on UK retailer M&S, which employs 64K+ in 1,400 stores, that caused huge disruption starting April 22

    Marks & Spencer breach linked to Scattered Spider ransomware attack
    https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/

  17. Tomi Engdahl says:

    Wired:
    Oligo researchers detail AirBorne, a set of vulnerabilities in Apple’s AirPlay SDK that may affect 10M+ third-party devices; Apple patched its own devices

    Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
    Researchers reveal a collection of bugs known as AirBorne that would allow any hacker on the same Wi-Fi network as a third-party AirPlay-enabled device to surreptitiously run their own code on it.
    https://www.wired.com/story/airborne-airplay-flaws/

  18. Tomi Engdahl says:

    Microsoft pitches pay-to-patch reboot reduction subscription for Windows Server 2025
    Redmond reckons $1.50/core/month hotpatch service is worth it to avoid eight Patch Tuesday scrambles each year
    https://www.theregister.com/2025/04/28/windows_server_2025_hotpatching_subscription/

    Microsoft Confirms $1.50 Windows Security Update Hotpatch Fee Starts July 1
    https://www.forbes.com/sites/daveywinder/2025/04/28/microsoft-confirms-150-windows-security-update-fee-starts-july-1/

  19. Tomi Engdahl says:

    John Irish / Reuters:
    In a first for the country, France blames Russia’s GRU for a string of local cyber attacks, including on ministries, defense firms, and think tanks

    France accuses Russian intelligence of repeated cyber attacks since 2021
    https://www.reuters.com/world/europe/first-france-accuses-russian-intelligence-repeated-cyber-attacks-2025-04-29/

    Summary

    Cybersecurity agency says a dozen French entities hit since 2021
    Prior attack in 2017 leaked Macron election campaign mails
    GRU unit APT28 is based in Rostov-on-Don
    APT28 active worldwide since at least 2004

  20. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    SK Telecom announces free SIM card replacements to its 25M mobile customers following a recent USIM data breach, but only 6M cards are available through May

    SK Telecom cyberattack: Free SIM replacements for 25 million customers
    https://www.bleepingcomputer.com/news/security/sk-telecom-cyberattack-free-sim-replacements-for-25-million-customers/

    South Korean mobile provider SK Telecom has announced free SIM card replacements to its 25 million mobile customers following a recent USIM data breach, but only 6 million cards are available through May.

    SK Telecom is the country’s largest mobile network operator, serving roughly half of the domestic mobile phone market.

    On April 19, the company detected malware running on its network that allowed threat actors to steal customers’ Universal Subscriber Identity Module (USIM) data, typically including International Mobile Subscriber Identity (IMSI), Mobile Station ISDN Number (MSISDN), authentication keys, network usage data, and SMS or contacts if stored on the SIM.

    No customer names, other identification details, or financial information were exposed due to this incident.

    The main risk from this breach is the potential for threat actors to perform unauthorized number ports to cloned SIM cards, known as “SIM swapping.”

    In an update published earlier today, SK Telecom assured customers that such requests would be automatically detected and blocked by its Fraud Detection System (FDS) and SIM Protection Service, which have been enhanced to handle the elevated risk.

    As of today, SK Telecom is also offering free-of-charge SIM card replacements to 25 million mobile subscribers, including approximately 2 million using budget carriers, who are worried about the potential for SIM swapping attacks impacting them.

    However, the mobile carrier warns that due to a lack of inventory, they can only replace up to 6 million SIM cards through May 2025.

    “Currently, SK Telecom holds 1 million SIM cards and plans to secure 5 million more by the end of May 2025,” reads the update.

    “Due to potential congestion, customers are encouraged to use the online reservation system (care.tworld.co.kr) to book their SIM replacement in advance.”

    The FAQ also clarifies that roaming services have been disabled for subscribers who have activated SIM Protection, but they plan to upgrade the feature to make it usable while abroad for optimal protection.

  21. Tomi Engdahl says:

    The Cloudflare Blog:
    In Q1 2025, Cloudflare blocked 20.5M DDoS attacks, a 358% YoY increase, and in Q2 it blocked an attack with, by far, the most intense packet rate on record — Welcome to the 21st edition of the Cloudflare DDoS Threat Report. Published quarterly, this report offers a comprehensive analysis …

    Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report
    https://blog.cloudflare.com/ddos-threat-report-for-2025-q1/

