Cyber News Roundup for May 2, 2025

Welcome to this week’s Cyber News Roundup! AI is quickly advancing in the realm of software exploits, with former NSA cyber chief Rob Joyce warning that it could soon be a key tool for attackers. Meanwhile, the FBI flags China as a top threat to U.S. infrastructure, and new reports reveal North Korean infiltration of global companies. RedSeal keeps organizations ahead of these evolving threats through comprehensive network visibility and proactive exposure management, ensuring you’re prepared to defend against emerging risks.

Let’s dive into this week’s highlights!

 

Former NSA cyber chief Rob Joyce warns that AI is rapidly approaching the ability to develop high-level software exploits   

At RSAC, former NSA cyber chief Rob Joyce warned that AI is rapidly approaching the ability to develop high-level software exploits. Joyce, now an advisor to Sandfly Security, predicted AI could become a reliable exploit developer as soon as this year or next. He pointed to AI’s strong performance in coding contests and the recent Hack The Box challenge, where an AI team nearly matched top human competitors. While he’s not worried about AI creating “script kiddie” attackers, he cautions that AI will enable skilled hackers to work faster and at scale.

AI also enhances phishing attacks by generating convincing, personalized emails—even with fake email threads and PDFs. On defense, AI offers speed advantages: reversing complex code in seconds instead of hours. Joyce also shared a clever ransomware attack that pivoted to a Linux video camera to encrypt data—highlighting how attackers exploit weak spots in unexpected places. (The Register)

 

An FBI official warns that China is the top threat to U.S. critical infrastructure   

Elsewhere at the RSA Conference, FBI Deputy Assistant Director Cynthia Kaiser called China the top threat to U.S. critical infrastructure. She said Chinese state-backed hackers are increasingly using AI to boost their cyber capabilities. This includes crafting fake business profiles, launching more convincing spear-phishing campaigns, and improving early-stage network scans. While AI isn’t yet creating shapeshifting malware, it’s enhancing targeting efforts. Kaiser stressed the importance of multi-factor authentication as a defense against these evolving, AI-powered threats. (SC World)

 

Mandiant and Google raise alarms over widespread infiltration of global companies by North Korean IT workers   

Mandiant and Google are raising alarms over widespread infiltration of global companies by North Korean IT workers, a threat more pervasive than previously believed. At RSA 2025, Mandiant CTO Charles Carmakal revealed that most Fortune 500 firms have unknowingly received job applications—and often hired—North Korean nationals. These operatives earn high salaries, often holding multiple jobs, funneling millions back to Pyongyang. While initially seen as a revenue strategy, the risk has escalated, with some ex-employees resorting to extortion after termination. Mandiant and Google warn these insiders could leak data or disrupt critical systems, especially under pressure. Evidence links some operatives to IP addresses used by North Korea’s intelligence bureau, suggesting potential handovers of access to state-sponsored threat actors. Though companies are catching and removing infiltrators more quickly, the embedded nature of these actors poses a significant long-term cybersecurity risk to corporate and national infrastructure. (CyberScoop)

 

France accuses Russia’s Fancy Bear of targeting at least a dozen French government and institutional entities   

France has publicly accused Russian state-backed hacking group APT28—also known as Fancy Bear and linked to the GRU—of targeting or compromising at least a dozen French government and institutional entities. Active since 2004, APT28 has increasingly focused on espionage, using phishing, vulnerability exploitation, and brute-force attacks, often with low-cost, disposable infrastructure. The French cybersecurity agency ANSSI and Cyber Crisis Coordination Centre identified attacks on local governments, ministries, research institutions, and think tanks, including efforts targeting the 2024 Olympics. APT28 has used tools like the HeadLace backdoor and OceanMap stealer, hiding infrastructure behind compromised routers and free services. France condemned these cyberattacks as a violation of UN norms and vowed to respond, highlighting past incidents including interference in the 2017 French elections and attacks on TV5Monde. The government pledged continued vigilance and coordinated defense with international partners. (SecurityWeek)

A China-linked APT group known as “TheWizards” is abusing an IPv6 networking feature   

A China-linked APT group known as “TheWizards” is abusing an IPv6 networking feature to conduct adversary-in-the-middle (AitM) attacks and hijack software updates on Windows systems, according to ESET. Active since at least 2022, the group targets entities in Asia and the Middle East, including individuals and gambling firms. Their tool, “Spellbinder,” exploits IPv6’s Stateless Address Autoconfiguration (SLAAC) by sending spoofed Router Advertisement messages, tricking nearby systems into routing traffic through attacker-controlled gateways. Spellbinder is deployed via a fake AVG archive and uses DLL sideloading to load malicious code into memory. It captures traffic to Chinese software update domains, redirects requests, and installs the “WizardNet” backdoor for persistent access. ESET warns that organizations should monitor IPv6 traffic or disable IPv6 if not required. This tactic mirrors similar supply chain hijacking seen in January by another APT group, “Blackwood.” (Bleeping Computer)

 

SonicWall warns of VPN exploitation in the wild   

Cybersecurity company SonicWall is warning users of its Secure Mobile Access appliances that these are now being actively exploited in attacks. This is in reference to two vulnerabilities, with separate CVE numbers (CVE-2023-44221 and CVE-2024-38475) whose advisories have been updated to reflect the exploitation situation. The vulnerabilities impact a range of SMA brands, listed in the show notes to this episode, which have been patched in a recent firmware version update. “The two vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.14-75sv and later.” (BleepingComputer)

 

Alleged ‘Scattered Spider’ member extradited to U.S.   

A 23-year-old Scottish man, thought to be part of the prolific ransomware gang, was extradited last week from Spain to the U.S., where he faces charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the U.S. and abroad, and that he personally controlled more than $26 million stolen from victims. Buchanan was arrested in connection with a series of SMS-based phishing attacks back in 2022 that led to intrusions at Twilio, LastPass, DoorDash, Mailchimp, and other tech firms. While Scattered Spider has been tied to the 2023 ransomware attacks against MGM and Caesars casinos in Las Vegas, it remains unclear whether Buchanan was implicated in those incidents. (Krebs on Security)

 

RansomHub operation goes dark   

A report issued this week by Group-IB offers an in-depth look at RansomHub’s affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies. The researchers say the ransomware-as-a-service (RaaS) operation has been inactive since April 1 but speculated that the operation may have migrated to the Russian-language speaking Qilin operation. Earlier this month GuidePoint Security noted that a “series of internal disagreements” between RansomHub administrators and some affiliates had caused disruptions within the RaaS operation. The disagreements apparently stirred unease among other RansomHub affiliates, who began diverting their communications with victims to rival platforms. (Dark Reading)

 

Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi   

Researchers at cybersecurity firm Oligo have disclosed AirBorne, a set of vulnerabilities in Apple’s AirPlay SDK that expose millions of third-party devices—such as smart TVs, speakers, and CarPlay systems—to remote code execution over shared Wi-Fi. Apple has patched its own hardware, but Oligo warns many third-party vendors may not, which poses risks for lateral movement, network persistence, and potential surveillance.  (Wired)

 

Google tracked 75 zero days exploited in the wild in 2024   

According to Google’s Threat Intelligence Group, 75 zero-day vulnerabilities were exploited in the wild in 2024—down from 98 in 2023, but above 2022’s total—pointing to an upward trend in zero-day activity over the past four years. Most exploits still target end-user platforms but there’s an increase in attacks on enterprise technologies, especially security and networking appliances, which made up over 60% of enterprise-targeted zero-days. The group attributes more than half of all known exploits to cyber espionage actors. (cloud.google.com)

 

Nova Scotia energy provider takes some servers offline following cyber incident   

Nova Scotia Power disclosed it experienced a cyberattack on April 25, affecting parts of its Canadian IT infrastructure, including its customer care center and online portal. No disruption occurred to power generation or grid operations, but the company isolated impacted servers to contain the incident. The nature of the attack has not been confirmed, but Emera, Nova Scotia Power’s parent company, says it’s working with law enforcement and cybersecurity experts to investigate and recover. Physical operations and international subsidiaries remain unaffected. (The Record)

 

House passes bill to study routers’ national security risks   

The U.S. House of Representatives passed the ROUTERS Act, which mandates the Department of Commerce to study national security risks posed by routers and modems controlled by foreign adversaries, especially China. Lawmakers have emphasized securing U.S. communications networks as a critical role in national infrastructure. This builds on previous efforts to remove untrusted equipment, following cybersecurity threats such as the Salt Typhoon hacker group’s exploitation of telecom networks. (CyberScoop)

 

A massive power outage strikes the Iberian Peninsula   

A massive power outage struck the Iberian Peninsula on April 28, 2025, cutting electricity across Spain, Portugal, and parts of southern France and Andorra. The blackout, which began around 12:30 p.m. local time, caused Spain’s power demand to collapse by half within moments — a total grid failure known as a “cero energético.” Sources suggest a cyberattack is the likely cause, though authorities have not confirmed this. Critical infrastructure was severely impacted, including airports, metros, telecommunications, and traffic systems. Spain’s Prime Minister Pedro Sánchez visited Red Eléctrica’s control center as emergency restoration efforts began, focusing on hydroelectric power while gas and nuclear plants remain offline. Internet traffic dropped by nearly 30–37% across the region. The Spanish Cybersecurity Coordination Office is investigating, but officials warn it’s too early to draw conclusions. This outage highlights growing concerns, as cyberattacks on utilities have more than doubled globally in recent years. Recovery is expected to take time. (Cyber Security News)

 

A British retailer tells warehouse workers to stay home following a cyberattack   

British retailer Marks & Spencer (M&S) has told around 200 agency workers not to report to its main warehouses as it manages a growing cyberattack crisis. Online shopping remains paused, with M&S apologizing for the disruption but assuring customers that stores are still open. The incident, first disclosed last week, has already led to an 8% drop in M&S shares. The company says its internal team and external cyber experts are working urgently to restore online and app services. (The Record)

 

Iran claims it stopped infrastructure cyberattack   

The head of Iran’s Telecommunication Infrastructure Company, Behzad Akbari told the Tasnim News Agency that “one of the most widespread and complex cyber attacks against the country’s infrastructure was identified and preventive measures were taken,” over the weekend. However, he was otherwise light on details. This announcement came a day after a large explosion at Iran’s largest commercial port, although there is no indication these events are related. Iran suffered two notable infrastructure attacks in 2021 and 2022, both claimed by the dissident group Predatory Sparrow, but no group has come forward to take credit so far.  (The Record)

 

How Bad Scans and AI Spread a Scientific Urban Legend   

And finally, ever heard of “vegetative electron microscopy”? No? Good — because it’s total nonsense. But thanks to a string of scanning errors, translation mix-ups, and a little AI mischief, this completely made-up scientific term has wormed its way into real academic papers! It all started when 1950s research got poorly digitized, blending unrelated words into something that sounded impressive but meant absolutely nothing. Then, a tiny mistranslation in Farsi helped the error spread even further. Now, large AI models, including GPT-3 and GPT-4, faithfully regurgitate the fake term as if it’s a cornerstone of modern science. Researchers are calling it a “digital fossil” — a mistake now permanently trapped in the AI training ecosystem. The real kicker? Fixing it is next to impossible. So the next time someone drops “vegetative electron microscopy” in a paper, just know: science — and AI — sometimes make stuff up too. (ScienceAlert)

 

“Policy Puppetry” can break the safety guardrails of all major generative AI models   

A new attack called “Policy Puppetry” can break the safety guardrails of all major generative AI models, according to AI security firm HiddenLayer. The technique tricks large language models into interpreting malicious prompts as policy files, bypassing their built-in safeguards against producing harmful content HiddenLayer successfully tested the attack on top models from OpenAI, Anthropic, Google, Meta, and others. By formatting prompts to look like XML, INI, or JSON files, attackers can override system instructions and generate restricted outputs.

This discovery highlights a major vulnerability: AI models can’t reliably police themselves. With universal jailbreaking now easier, researchers warn that more external security layers are needed to defend against misuse. Policy Puppetry shows that today’s LLM training and alignment methods still have critical gaps. (SecurityWeek)

 

The U.S. opens a criminal antitrust investigation into router maker TP-Link   

The U.S. is conducting a criminal antitrust investigation into TP-Link, a California-based router maker with Chinese ties. Prosecutors are looking at whether TP-Link used predatory pricing to dominate the U.S. market—and whether its growing presence poses national security risks. The probe began under Biden and continues under President Trump. Meanwhile, the Commerce Department is separately investigating TP-Link’s China connections. TP-Link denies wrongdoing but says it will cooperate if contacted. No charges have been filed yet, and the investigations could take years. (Bloomberg)

 

A popular employee monitoring tool exposes over 21 million real-time screenshots   

A major privacy mess has hit WorkComposer, a popular employee monitoring tool. Cybernews researchers discovered that the company had exposed over 21 million real-time screenshots on the open internet through an unsecured Amazon S3 bucket. These screenshots captured everything employees were doing—emails, passwords, sensitive communications, even proprietary company data.

WorkComposer, which tracks remote workers by logging hours and snapping a screenshot every 20 seconds, boasts over 200,000 users. While there’s no evidence yet that hackers accessed the images, the risk for identity theft, scams, and wire fraud is huge This leak highlights a bigger issue: too many companies still don’t grasp the shared responsibility model for cloud security. Experts are again urging businesses to properly lock down their databases—or risk joining the growing list of high-profile breaches. (TechRadar)

 

The Defense Department is launching a new fast-track software approval process   

The Pentagon is giving its software approval process a serious makeover. Acting CIO Katie Arrington announced a new system called SWIFT that will use AI to speed up the months—or even years—it currently takes to certify software for Defense Department networks. Speaking at an industry event, Arrington didn’t hold back. She called the old Risk Management Framework and ATO process “stupid” and “archaic,” and said it’s time for a change.

Under SWIFT, software vendors will upload cybersecurity info and Software Bills of Materials—think ingredient lists for software—into the government’s eMASS system. AI tools will review the data automatically, aiming to issue a “provisional ATO” much faster than a human could. Third-party certification will also be required to make sure everything checks out. Arrington said the official memo launching SWIFT is being signed now, with industry feedback coming next. Her message was clear: “I want the RMF eliminated.” (airandspaceforces)

 

Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts   

This attack is separate from the DomainKeys Identified Mail (DKIM) OAuth attack that we covered on Tuesday. Since early March, Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees tied to Ukraine and human rights causes. In this campaign the attackers impersonate European officials or Ukrainian diplomats via WhatsApp and Signal, luring targets with fake invitations to private video meetings. Victims are tricked into providing Microsoft authorization codes or clicking phishing links. One communication originated from a compromised Ukrainian government account. (BleepingComputer)

 

Education clouds hit with AzureChecker that deploys crypto mining containers   

Microsoft has identified a threat actor named Storm-1977 that has been conducting password spraying attacks against cloud tenants in the education sector over the past year. The Microsoft Threat Intelligence team stated, in an analysis, “the attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors.” The tool connects to an external server to pull in files containing username and password combinations to carry out the password spray attack. In one instance, the threat actor was able to create more than 200 containers within a victim’s resource group in order to conduct illicit cryptocurrency mining. (The Hacker News)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.