Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-h3vp-qwmx-5j25: Grokability Snipe-IT has incorrect authorization for accessing asset information

A photo taken this week showed Mike Waltz using an app that looks like—but is not—Signal to communicate with top officials. "I don't even know where to start with this," says one expert.

On ThursdaY, Reuters published a photo depicting then-United States national security adviser Mike Waltz checking his phone during a cabinet meeting held by President Trump in the White House. If you enlarge the portion of the image that captures Waltz’s screen, it seems to show him using the end-to-end encrypted messaging app Signal. But if you look more closely, a notification on the screen refers to the app as “TM SGNL.” During a White House cabinet meeting on Wednesday, then, Waltz was apparently using an Israeli-made app called TeleMessage Signal to message with people who appear to be top US officials, including JD Vance, Marco Rubio, and Tulsi Gabbard.

After senior Trump administration cabinet members used vanishing Signal messages to coordinate March military strikes in Yemen—and accidentally included the editor in chief of The Atlantic in the group chat—the “SignalGate” scandal highlighted concerning breaches of traditional government “operational security” protocol as well as compliance issues with federal records-retention laws. At the center of the debacle was Waltz, who was ousted by Trump as US national security adviser on Thursday. Waltz created the “Houthi PC Small Group” chat and was the member who added top Atlantic editor Jeffrey Goldberg. "I take full responsibility. I built the group," Waltz told Fox News in late March. "We've got the best technical minds looking at how this happened," he added at the time.

SignalGate had nothing to do with Signal. The app was functioning normally and was simply being used at an inappropriate time for an incredibly sensitive discussion that should have been carried out on special-purpose, hardened federal devices and software platforms. If you're going to flout the protocols, though, Signal is (relatively speaking) a good place to do it, because the app is designed so only the senders and receivers of messages in a group chat can read them. And the app is built to collect as little information as possible about its users and their associates. This means that if US government officials were chatting on the app, spies or malicious hackers could only access their communications by directly compromising participants' devices—a challenge that is potentially surmountable but at least limits possible access points. Using an app like TeleMessage Signal, though, presumably in an attempt to comply with data retention requirements, opens up numerous other paths for adversaries to access messages.

"I don't even know where to start with this," says Jake Williams, a former NSA hacker and vice president of research and development at Hunter Strategy. “It's mind-blowing that the federal government is using Israeli tech to route extremely sensitive data for archival purposes. You just know that someone is grabbing a copy of that data. Even if TeleMessage isn't willingly giving it up, they have just become one of the biggest nation-state targets out there.”

TeleMessage was founded in Israel in 1999 by former Israel Defense Forces technologists and run out of the country until it was acquired last year by the US-based digital communications archiving company Smarsh. The service creates duplicates of communication apps that are outfitted with a “mobile archiver” tool to record and store messages sent through the app.

“Capture, archive and monitor mobile communication: SMS, MMS, Voice Calls, WhatsApp, WeChat, Telegram & Signal,” TeleMessage says on its website. For Signal it adds, “Record and capture Signal calls, texts, multimedia and files on corporate-issued and employee BYOD phones.” (BYOD stands for bring your own device.) In other words, there are TeleMessage versions of Signal for essentially any mainstream consumer device. The company says that using TeleMessage Signal, users can “Maintain all Signal app features and functionality as well as the Signal encryption,” adding that the app provides “End-to-End encryption from the mobile phone through to the corporate archive.” The existence of “the corporate archive,” though, undermines the privacy and security of the end-to-end encryption scheme.

TeleMessage apps are not approved for use under the US government's Federal Risk and Authorization Management Program or FedRAMP. TeleMessage and Smarsh did not immediately return requests for comment about whether their products are used by the US federal government and in what capacity.

"As we have said many times, Signal is an approved app for government use and is loaded on government phones,” White House press secretary Anna Kelly tells WIRED. She did not answer questions about whether the White House approves of federal officials using TeleMessage Signal—which is a different app from Signal—or whether other officials aside from Waltz have used the app or currently use it.

The Cybersecurity and Infrastructure Security Agency does not create policy around federal technology use but does release public guidance. When asked about Waltz’s apparent use of TeleMessage Signal, CISA simply referred WIRED to its best-practices guide for mobile communications. The document specifically advises, “When selecting an end-to-end encrypted messaging app, evaluate the extent to which the app and associated services collect and store metadata.”

It is not clear when Waltz started using TeleMessage Signal and whether he was already using it during SignalGate or started using it afterward in response to criticisms that turning on Signal's disappearing messages feature is in conflict with federal data-retention laws.

“I have no doubt the leadership of the US national security apparatus ran this software through a full information-assurance process to ensure there was no information leakage to foreign nations,” says Johns Hopkins cryptographer Matt Green. “Because if they didn’t, we are screwed.”

Mike Waltz Has Somehow Gotten Even Worse at Using Signal

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

GHSA-f9ch-h8j7-8jwg: Hashicorp Vault Community vulnerable to Incorrect Authorization

A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.812.0 is able to address this issue. The name of the patch is 3d12ac8dc2282369296c3386815c00a06c6a92fe. It is recommended to upgrade the affected component.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-8w8f-h4cm-c4pg: Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor

German police seized the dark web shop Pygmalion, gaining access to customer data linked to over 7,000 drug…

German police seized the dark web shop Pygmalion, gaining access to customer data linked to over 7,000 drug orders in a major investigation.

A major dark web drug operation and marketplace operating under the name “Pygmalion” has been disrupted by German law enforcement, with its infrastructure dismantled and several individuals arrested following a months-long investigation.

The Bavarian State Criminal Police Office (BLKA), working with the Central Office for the Prosecution of Cybercrime (ZCB) and backed by the Federal Criminal Police Office (BKA), seized multiple servers and onion domains used by the vendor.

The seized dark web domains now display a takedown notice from authorities, informing visitors that the content has been confiscated. _“_This criminal content has been seized by the Federal Criminal Police Office (BKA) on behalf of the Bavarian Central Office for the Prosecution of Cybercrime (ZCB),_“_ the seizure notice states.

Seizure notice displayed on all domains previously used by the Pygmalion shop

****Over 7,000 Orders Tracked****

According to a press release from the BLKA published on 24 April 2025, investigators found a detailed trove of records, including customer data and order histories dating back to April 2024. Initial forensic analysis revealed that the operators maintained precise logs covering at least 7,250 individual transactions.

The scale of the operation came to light through data collected during prior investigations by the Thuringia State Criminal Police Office. Once connections were established between activity in Bavaria, Thuringia, and North Rhine-Westphalia, authorities were able to map out an internal structure that included packers, shippers, and coordinators.

****Arrests and Massive Drug Seizure****

On February 7, 2025, police arrested four individuals, three men and one woman, aged from 24 to 56. All are suspected of being part of a group responsible for packaging and shipping narcotics to buyers around the globe. The arrests took place in the Eichstätt district and the town of Neuburg an der Donau.

During coordinated raids at five properties, officers seized over 53 kilograms of illicit substances including methamphetamine, heroin, and cocaine. Also recovered were roughly 150,000 tablets regulated under Germany’s Medicines Act.

Many of the drugs were already portioned into thousands of vacuum-sealed bags, ready for distribution. Officials estimate the retail value of the confiscated narcotics to be in the low seven-figure euro range.

Seized drugs (Image credit: © Bavarian State Criminal Police Office

****Vendor Statement: “Lay Low”****

In the aftermath of the takedown, a Pastebin message attributed to the vendor circulated via a redirect from the now-defunct Pygmalion darknet shop. It reads:

> “You’ve already heard from the BKA: Our shop has been seized. Normally, this wouldn’t be possible, since we’re behind Tor—but Pygmalion had access to the server. This means it’s safe to assume that customer data is now in the hands of the authorities.
> 
> To all who have ordered since approximately April 2024:
> 
> *   Clean your house as soon as possible.
> *   Keep your feet still.
> 
> We don’t plan on stopping, even though this was a huge blow for all of us.”

The message appears to confirm that the operational security of the marketplace was compromised internally, and it suggests that customers may be at risk of identification.

Law enforcement has outlined that online drug purchases, whether on the clear web or via dark web services, are subject to criminal prosecution. Contrary to the beliefs held by many users of such platforms, investigators frequently recover data logs, and the assumption of anonymity often proves false.

Officials emphasised that online traces left by orders can be used to identify buyers long after transactions occur. The scale of the seized data provides further opportunities for ongoing investigations.

The takedown and identification of buyers is similar to the Hansa dark web marketplace shutdown in 2018, when authorities not only dismantled one of the largest known cybercrime markets at the time but also publicly released information on identified, active, and arrested Hansa vendors and buyers.

Additionally, Pygmalion’s takedown came a month after German police seized the popular dark web marketplace Nemesis Market. The platform facilitated the sale of illegal drugs, stolen data, and cybercrime services, including ransomware. The shutdown was announced by German police on 21 March 2025.

Nevertheless, those arrested over their activities on Pygmalion face charges related to organized trafficking of large quantities of controlled substances. Convictions under such offences could carry sentences of five to fifteen years in prison, depending on the severity and level of involvement.

The seized onion addresses include:

http://pygmaliop3prfrktd6a6ezi3oqehu5ysja37vudycvkqngzncnvgw5qd.onion

http://pygmaliooo4dwxt4xdvrglqsgvdjnj3ymjtaffsavnufb6e2vz726wid.onion

Police Seize Dark Web Shop Pygmalion, Access User Data from 7K Orders

Luxury retailer Harrods confirms a cyber attack attempt, restricting internet access but keeping its online store running. Learn…

Luxury retailer Harrods confirms a cyber attack attempt, restricting internet access but keeping its online store running. Learn about the growing wave of cyber threats also impacting M&S and Co-op.

Following disruptions at British retail giants Marks & Spencer and Co-op, the esteemed department store Harrods also, reportedly, has been targeted by malicious threat actors attempting to infiltrate their online infrastructure.

This incident, occurring just this week, prompted Harrods to implement protective measures, including restricting internet access across their physical locations. It’s worth noting that while Harrods confirmed the cyber attack attempt and the resulting restrictions on internet access at their sites, they did emphasize that their online store was operating normally on Thursday evening, May 1st, 2025.

“We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result, we have restricted internet access at our sites today,” Harrods’ official statement read.

While the immediate impact led to operational adjustments behind the scenes, the luxury retailer assured its clientele that their flagship store in Knightsbridge, along with its H Beauty and airport outlets remained open for business.

More importantly, there was no immediate indication that customer data had been compromised. This proactive response highlights the growing awareness and preparedness of major organizations in the face of persistent cybersecurity threats.

****Scattered Spider****

Considering these events collectively, a pattern of aggressive cyber activity against the retail sector in the UK has emerged. The recent attack on Marks & Spencer, which has been attributed to a sophisticated hacking group Scattered Spider, has had a far more severe impact. Their online operations remain crippled, causing a halt to online orders and even leading to empty shelves in some physical stores due to the disruption of inventory management systems, and a significant drop in its market value.

Simultaneously, Co-op has recently been a victim of cyber attacks, leading to the implementation of stringent internal security protocols, including mandatory camera usage during online meetings as a means of verifying attendees.

The fact that these attacks have occurred in close succession raises questions about potential links, whether through shared vulnerabilities in commonly used software like SAP’s enterprise resource planning systems, or perhaps even a coordinated campaign.

The National Cyber Security Centre (NCSC) is actively involved, working with the affected organizations to understand the nature and potential connections between these incidents.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture,” Richard Horne, NCSC’s chief executive stated.

UK Luxury Retailer Harrods Hit by Cyber Attack After M&S, Co-op

Passwords are becoming things of the past. Passkeys are more secure, easier to manage, and speed up the log in process

And we agree. If there is a cybersecurity themed day that we would like to get rid as soon as possible it’s world password day. Sorry, old friend, but you’re outdated, and it looks like your days are numbered. Let’s switch to passkeys.

To quote Microsoft:

> “As the world shifts from passwords to passkeys, we’re excited to join the FIDO Alliance in leaving World Password Day behind to celebrate the very first World Passkey Day.”

In 2013, Intel introduced World Password Day to remind people of the importance of strong passwords. But over time, the number of passwords we use, and the necessary strengths have grown so much that the system has become practically unusable without a password manager. So, only a few years later, Microsoft introduced Windows Hello, a new way for users to securely sign in to their accounts with their face, fingerprint, or PIN.

For several good reasons we want to say goodbye to passwords, especially for the important sites and services. Passwords are:

*   Hard to create
*   Easy to forget
*   Often reused across sites
*   Vulnerable to hacking techniques like brute-force attacks and phishing.

**The alternative: passkeys**

Passkeys are an alternative, more modern authentication method designed to replace passwords with a safer, simpler alternative. Despite their clear advantages, many people hesitate to switch to passkeys due to unfamiliarity and misconceptions. This blog post will try to explain what passkeys are, how to use them, and why they are better than passwords, helping you embrace this next step in online security.

A passkey is a digital credential that replaces traditional passwords by using cryptographic keys stored locally, and securely, on your device, such as your phone or computer.

At your demand, a program on your device will create a passkey automatically when you set up an account or enable a passkey login. Basically, it’s a unique key that identifies you without ever leaving your device.

When you log in with a passkey, your device proves you are the legitimate user by using the passkey to solve a challenge without actually providing the passkey itself. As with passwords, it’s a way to prove you know the answer and with that who you are. But the difference is that, unlike passwords, passkeys can’t be stolen by fake or malicious websites.

OK. I heard some sighs in the back from the I-know-this-already crowd. There are plenty of technical explanations to be found. Feel free to try explaining cryptographic public and private keys to the people you do tech support for.

Because passkeys are tied to your device and cannot be shared or stolen like passwords, they offer a safer login experience.

**It’s not hard to use passkeys. Really!**

Using passkeys is straightforward and really not that hard:

*   **Create a passkey:** When you sign up or log into a website or app that supports passkeys, the system prompts you to create one. Your device automatically generates the cryptographic keys. This means there is truly no need to struggle with inventing a complicated 12-character password that meets confusing requirements for a site you might never use again. Your device does _all the work_.
*   **Log in:** Instead of typing a password, unlock your device using biometrics or a PIN. Your device then securely verifies your identity and tells the site or service it can trust you, without ever sending sensitive secrets over the internet.
*   **Sync across devices:** You can securely sync passkeys across your devices using encrypted cloud services or password managers. This lets you log in effortlessly from multiple devices and prevents the hassle of losing access if your device goes missing.

Having to create and memorize hundreds of complex, unique passwords is difficult and stressful. Passkeys remove this burden entirely. You don’t need to create anything or remember a lot. The authentication process is as simple as unlocking your device.

And it’s faster. Microsoft has seen that on average passkey sign-ins to their services take only 8 seconds, compared with 69 seconds to sign in using a traditional password and second factor. 

**Common misconceptions**

Many people shy away from using passkeys for the wrong reasons.

*   Your biometrics, like fingerprints or facial scans are not stored externally, the site you’re visiting never gets to see them. They are just meant for your device to verify it’s really you.
*   Using passkeys is not complicated as we explained above. Sure, the theory behind it is, but the user-experience may actually be simpler than password creation and management.
*   You are not losing the extra layer of 2FA security you set up for important sites and services. Passkeys inherently support two-factor authentication (2FA) without extra steps, since possession of your device plus biometric or PIN verification is required.

**There are downsides**

I have to be honest here. Some things are not ideal yet. But as we move forward and more people start using passkeys, these will improve soon enough.

As I hinted earlier, losing your device can pose a problem, since your key got lost along with it, unless you synchronize it. This is a problem that’s actively being worked on.

Many websites and services also don’t support passkeys yet. Developers and service providers are actively working to make passkey adoption smoother and more widespread, so you will see more websites and apps supporting passkeys soon.

Not every passkey system is equal. Due to the history of their development which is still ongoing, there are currently multiple flavors of passkey. These range from device-bound and physical token passkeys (that never leave the device) to synchronized passkeys that offer the option to use a device’s Credential Manager to back up and synchronize passkeys across the user’s other devices. This can confuse or frustrate users who just want the authentication to work, without having to worry about the nuances of the underlying technology. Industry groups (including the FIDO Alliance and W3C) are working on standards, guides, and tools to improve this situation for developers and users.

**Give it a try**

It doesn’t take a lot of effort to convince yourself of the benefits of passkeys.

Passkeys are created on, saved to, and synchronized across devices through a password manager. For example, passkeys created on a website on Chrome on Android are stored to the Google Password Manager by default, and then synchronized to different environments where Google Password Manager is available, such as Chrome on macOS, Windows, Linux, and ChromeOS. It’s up to the user which password manager to store a passkey to or to authenticate a passkey from depending on the environment.

To save a passkey to Google Password Manager, ensure you’re signed into your Google Account on an eligible device (Android, Chrome, or other supported platforms). When prompted by a website supporting passkeys, agree to create a passkey and follow the on-screen instructions.

MacOS allows you to save passkeys either in Google Password Manager or iCloud Keychain if you’re using macOS 13.5 or higher.

*   **Try passkeys today:** Look for websites and apps that offer passkey login options and give them a try. You’ll likely find the experience faster and easier than passwords.
*   **Educate yourself and others:** Share what you learn about passkeys with friends and family, especially those who find passwords confusing or frustrating.
*   **Advocate for passkey support:** Encourage your favorite sites and services to support passkeys to help make the internet safer for everyone.
*   **Use secure device authentication:** Enable biometrics or PINs on your devices to fully benefit from passkey security.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 On world password day, Microsoft says fewer passwords, more passkeys 

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

GHSA-gcqf-f89c-68hv: Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information

A year after Microsoft announced passkeys support for consumer accounts, the tech giant has announced a big change that pushes individuals signing up for new accounts to use the phishing-resistant authentication method by default.
"Brand new Microsoft accounts will now be 'passwordless by default,'" Microsoft's Joy Chik and Vasu Jakkal said. "New users will have several passwordless options for

Microsoft Sets Passkeys Default for New Accounts; 15 Billion Users Gain Passwordless Support

Joe talks about how helping the helpers can put a fire in you and the importance of keeping nonprofits cybersecure.

Thursday, May 1, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.  

I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos and help others who provide housing to the homeless, protect refugees or feed the hungry, damn right I’m gonna do it. And NGOs? They really need help.  

In today’s global humanitarian funding climate, money and grants are very scarce to come by_._ This means the competition for the dollars that remain is fierce, and that things like cybersecurity can fall by the wayside. But security in an NGO is incredibly important. We're talking about incredibly vulnerable and marginalized people who deserve aid, and the amazing volunteers who should have privacy without malicious interference. 

The hard truth is that cybersecurity can be a bleak space. We as professionals do not operate in the “good news” business. We work, and thrive, in adversarial conditions — actively searching for what the bad guys are doing and learning how they are coming after the good guys. They’re launching ransomware. They are extorting and causing real harm to others. This is day in and day out, and it can wear you down mentally. You have to endure and focus on the mission. After all, that’s the gig. 

This is why I enjoy volunteering by either giving some of my time and expertise to a mentee or to an NGO that has an outstanding mission to help others. It puts fuel in your soul and reminds you that others are fighting their own good fights. These organizations are some of the best. They have a thankless, often dangerous, mission to help others have better lives. The way I see it, volunteering is the least I could do. 

If you want to join me, there are some places that could use your help. Check out the Cyber Peace Institute, or Defcon Project Franklin.

**The one big thing **

This week is bittersweet because we’re discussing the final section of Talos' 2024 Year in Review report. Let’s jump into the abyss of AI-based threats together. 

**Why do I care? **

AI may not have upended the threat landscape last year, but it’s setting the stage for 2025, where agentic AI and automated vulnerability discovery could pose serious challenges for defenders. The future may bring:

1.  The use of agentic AI to conduct multi-stage attacks or find creative ways to access restricted systems 
2.  Improved personalization and professionalization of social engineering 
3.  Automated vulnerability discovery and exploitation 
4.  Capabilities to compromise AI models, systems and infrastructure that organizations around the world are building 

**So now what? **

Continue to stay informed and alert, and for more information, read Talos’ blog post about these threats or download the full Year in Review.

**Top security headlines of the week **

**AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover.** The identified security defects, 23 in total, could be exploited over wireless networks and peer–to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK. (SecurityWeek) 

**4 Million Affected by VeriSource Data Breach.** VeriSource says the stolen information belonged to employees and dependents of companies using its services. It has been working with its customers to “collect the necessary information to notify additional individuals affected by this incident.” (SecurityWeek) 

**SAP NetWeaver Visual Composer Flaw Under Active Exploitation.** CVE-2025-31324 is a critical vulnerability with a maximum CVSS score of 10 that affects all SAP NetWeaver 7.xx versions. It allows unauthenticated remote attackers to upload arbitrary files to Internet exposed systems without any restrictions. (DarkReading) 

**FBI shares massive list of 42,000 LabHost phishing domains.** The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. (BleepingComputer)

**Can’t get enough Talos? **

State-of-the-art phishing: MFA bypass. Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist. This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

TTP Episode 11. Craig, Bill and Hazel discuss three of the biggest callouts from Cisco Talos' latest Incident Response Quarterly Trends.

Talos Takes: Identity and MFA. Hazel and friends discuss how AI isn't rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side.

**Upcoming events where you can find Talos **

*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/    
Typical Filename: VID001.exe   
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Detection Name: Simple\_Custom\_Detection 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: VID001.exe    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Tag

#auth