In today’s cybersecurity news…
Millions of Apple AirPlay-Enabled Devices Can Be Hacked via Wi-Fi
Researchers at cybersecurity firm Oligo have disclosed AirBorne, a set of vulnerabilities in Apple’s AirPlay SDK that expose millions of third-party devices—such as smart TVs, speakers, and CarPlay systems—to remote code execution over shared Wi-Fi. Apple has patched its own hardware, but Oligo warns many third-party vendors may not, which poses risks for lateral movement, network persistence, and potential surveillance.
(Wired)
Google tracked 75 zero days exploited in the wild in 2024
According to Google’s Threat Intelligence Group, 75 zero-day vulnerabilities were exploited in the wild in 2024—down from 98 in 2023, but above 2022’s total—pointing to an upward trend in zero-day activity over the past four years. Most exploits still target end-user platforms, but there’s an increase in attacks on enterprise technologies, especially security and networking appliances, which made up over 60% of enterprise-targeted zero-days. The group attributes more than half of all known exploits to cyber espionage actors.
France ties Russian APT28 hackers to 12 cyberattacks on French orgs
France has officially blamed the Russian state-backed hacking group APT28, tied to the GRU, for 12 cyberattacks on French entities since 2021, including targets in government, defense, aerospace, and research. The French foreign ministry denounced the attacks as breaches of UN norms, while the national cybersecurity agency ANSSI reported that APT28 used phishing, email server exploits, and low-cost anonymous infrastructure.
Marks & Spencer breach linked to Scattered Spider ransomware attack
We reported that British retailer Marks & Spencer was experiencing outages last week. Bleeping Computer’s sources now say it’s a ransomware attack linked to the Scattered Spider threat group. The attackers reportedly gained access as early as February, stealing the NTDS.dit Active Directory database, and on April 24th deployed DragonForce ransomware to encrypt VMware ESXi hosts, disrupting operations, including payment systems and online orders. Marks & Spencer has enlisted CrowdStrike, Microsoft, and Fenix24 to aid in investigation and recovery.
Thanks to today’s episode sponsor, ThreatLocker

EFF letter calling to stop prosecution of former CISA director Chris Krebs
The Electronic Frontier Foundation (EFF), along with more than 400 cybersecurity and election security experts, has publicly urged the US administration to drop its investigation into former CISA Director Chris Krebs. In an open letter, the signatories warn that targeting Krebs and his employer, SentinelOne, for contradicting election fraud claims undermines the infosec community’s independence and discourages truthful, nonpartisan security reporting.
(eff.org)
Nova Scotia energy provider takes some servers offline following cyber incident
Nova Scotia Power disclosed it experienced a cyberattack on April 25, affecting parts of its Canadian IT infrastructure, including its customer care center and online portal. No disruption occurred to power generation or grid operations, but the company isolated impacted servers to contain the incident. The nature of the attack has not been confirmed, but Emera, Nova Scotia Power’s parent company, says it’s working with law enforcement and cybersecurity experts to investigate and recover. Physical operations and international subsidiaries remain unaffected.
SentinelOne warns of threat actors targeting its systems and high-value clients
SentinelOne reports that China-linked APT group PurpleHaze attempted reconnaissance on its infrastructure and high-value clients, indicating targeted cyberespionage with potential for future attacks. The group, known to be tied to APT15, is said to have used tools like the GoReShell backdoor and ShadowPad malware, also seen in broader China-nexus campaigns. SentinelOne also detected over 1,000 job applications from North Korea-linked fake personas, including attempts to infiltrate its SentinelLabs intelligence team.
House passes bill to study routers’ national security risks
The U.S. House of Representatives passed the ROUTERS Act, which mandates the Department of Commerce to study national security risks posed by routers and modems controlled by foreign adversaries, especially China. Lawmakers have emphasized that securing U.S. communications networks is critical to national infrastructure. This builds on previous efforts to remove untrusted equipment, following cybersecurity threats such as the Salt Typhoon hacker group’s exploitation of telecom networks.
Watch out for any Linux malware sneakily evading syscall-watching antivirus
A new proof-of-concept program, Curing, highlights a blind spot in Linux security tools that rely on syscall monitoring. The io_uring interface, introduced in Linux kernel 5.1, lets applications perform I/O without issuing the traditional system calls that many antivirus tools rely on to detect threats. Because io_uring operates outside the syscall path, malware using it may evade detection by tools like Falco, Tetragon, and Microsoft Defender. ARMO, which developed the proof-of-concept, calls it a “major blind spot” and suggests solutions like updating antivirus tools or disabling io_uring. Google disabled io_uring in ChromeOS after spending $1M on related bug bounties.
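Two questions a defender will want answered before acting on this item are whether io_uring can be switched off on their hosts and which processes are actually using it. The following script is an added example written for this digest; it is not ARMO’s Curing code or anything from the article. It relies on two kernel facts: the kernel.io_uring_disabled sysctl (present since Linux 6.6, values 0/1/2) and the way io_uring instances appear in /proc/&lt;pid&gt;/fd as anonymous-inode symlinks reading "anon_inode:[io_uring]". The sample fd tables in the comments are constructed.

```python
"""Added example: inventory io_uring exposure on a Linux host.

Two defender-side checks that follow from the ARMO finding:
  1. Is io_uring_setup() restricted via the kernel.io_uring_disabled sysctl (Linux 6.6+)?
  2. Which running processes currently hold an io_uring instance? The kernel exposes
     each instance as an anonymous inode, so /proc/<pid>/fd/<n> symlinks read
     "anon_inode:[io_uring]".
"""
import os

IO_URING_LINK = "anon_inode:[io_uring]"
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"

# Values documented for kernel.io_uring_disabled:
#   0 = io_uring available to every process
#   1 = only processes with CAP_SYS_ADMIN or in the kernel.io_uring_group gid
#   2 = io_uring_setup() fails for everyone
SYSCTL_MEANING = {
    "0": "enabled for all processes",
    "1": "restricted to CAP_SYS_ADMIN or kernel.io_uring_group members",
    "2": "fully disabled",
}


def classify_sysctl(raw):
    """Interpret the raw contents of the sysctl file.

    raw is the file's text, or None when the file does not exist (kernels before 6.6,
    which offer no switch to disable io_uring at all). Returns (value, meaning).
    """
    if raw is None:
        return None, "sysctl absent (kernel < 6.6): io_uring cannot be disabled via sysctl"
    value = raw.strip()
    return value, SYSCTL_MEANING.get(value, "unrecognised value")


def read_sysctl(path=SYSCTL_PATH):
    """Return the sysctl file contents, or None if the kernel does not provide it."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def io_uring_fds(fd_targets):
    """Given {fd_number: symlink_target} for one process, return the fds that are io_uring instances.

    Constructed sample: {3: "socket:[40112]", 7: "anon_inode:[io_uring]"} -> [7]
    """
    return sorted(fd for fd, target in fd_targets.items() if target == IO_URING_LINK)


def scan_process(pid, proc="/proc"):
    """Read every /proc/<pid>/fd/<n> symlink and report io_uring fds.

    Reading another user's fd table needs ptrace-level access, so run as root for a full picture.
    """
    fd_dir = f"{proc}/{pid}/fd"
    targets = {}
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return []  # process exited, or we lack permission (EACCES)
    for name in names:
        try:
            targets[int(name)] = os.readlink(f"{fd_dir}/{name}")
        except OSError:
            continue  # fd closed between listdir and readlink
    return io_uring_fds(targets)


def scan_all(proc="/proc"):
    """Return {pid: [io_uring fds]} for every process holding at least one io_uring instance."""
    findings = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            fds = scan_process(entry, proc)
            if fds:
                findings[int(entry)] = fds
    return findings


def process_name(pid, proc="/proc"):
    """Best-effort process name from /proc/<pid>/comm."""
    try:
        with open(f"{proc}/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    value, meaning = classify_sysctl(read_sysctl())
    print(f"kernel.io_uring_disabled = {value}: {meaning}")
    users = scan_all()
    if not users:
        print("no running process currently holds an io_uring instance")
    for pid, fds in users.items():
        print(f"pid {pid} ({process_name(pid)}) holds io_uring fds {fds}")
```

The /proc walk is a point-in-time snapshot, so a ring that is created and torn down between scans is missed; treat it as a baseline of legitimate io_uring users (databases and runtimes do use it) rather than as continuous monitoring. That baseline is what tells you whether setting kernel.io_uring_disabled to 2, the mitigation the article mentions, would break anything you depend on.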