Cybersecurity News: Congress challenges CISA cuts, Texas school breached, NSO pays WhatsApp

In today’s cybersecurity news…

Congress challenges Noem over proposed CISA cuts

On Tuesday, Homeland Security Secretary Kristi Noem faced tough questioning from members of Congress about the Trump administration’s proposal to cut CISA’s funding by $491 million, as part of their “skinny budget.” Homeland Security subcommittee chair Rep. Mark Amodei, R-Nev., said at a time when government leaders are saying China is getting the better of the U.S. in cyberspace, appropriators need more information on the budget proposal. Top panel Democrat, Rep. Lauren Underwood (D-Ill.), said to Noem, “Last week you said we should ‘just wait’ for the president’s grand cyber plan. But you have not waited to erode the department’s cyber defense capabilities by removing resources and personnel from CISA and other components.” Noem maintained that instead of “censorship,” CISA is now focused on securing critical infrastructure. She added that the president’s cyber plan would be “coming out shortly and that’s the president’s prerogative.”

(CyberScoop and The Record)

Texas school district breach impacts over 47,000 people

Alvin Independent School District (AISD) confirmed they suffered a breach in June of 2024 that compromised sensitive information belonging to 47,606 individuals. The district began notifying affected people over the weekend that the incident exposed names, Social Security numbers, state-issued IDs, credit card and financial account details, as well as medical and health insurance info. The Fog ransomware gang published the district’s name on its data leak site but it remains unclear whether the district paid a ransom. Since then, Fog has claimed responsibility for 20 confirmed ransomware attacks, 12 of them on educational institutions, and an additional 157 unconfirmed incidents. However, the group appears to have suddenly gone dark last month.

(Infosecurity Magazine)

NSO Group to pay WhatsApp $167 million in damages 

On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay the Meta-owned platform $167,256,000 in punitive damages and around $444,719 in compensatory damages. WhatsApp accused NSO Group of exploiting an audio-calling vulnerability in the chat app to target around 1,400 people, including dissidents, human rights activists, and journalists. WhatsApp was seeking more than $400,000 in compensatory damages, based on the time its employees spent on investigating and remediating the attacks. A WhatsApp spokesperson hailed the historic ruling as “the first victory against illegal spyware that threatens the safety and privacy of everyone.” NSO Group said it plans to carefully review the details of the verdict and left the door open for an appeal.

(TechCrunch)

NSA to cut up to 2,000 civilian roles 

The National Security Agency has been directed to cut 8 percent of civilian employees as part of the Trump administration’s push to reduce the size of the federal government. The NSA’s staffing cuts will likely impact roles ranging from administrative staff to defensive and offensive cybersecurity operators. The NSA’s total number of non-military personnel is classified, but anonymous sources told The Record that between 1,500 and 2,000 positions are expected to be cut. The sources added that, currently, the agency has until the end of the year to make the cuts.

(The Record)

‘Easily Exploitable’ Langflow flaw requires immediate patching

CISA has added a critical authentication flaw found in the open source Langflow platform (CVE-2025-3248) to its Known Exploited Vulnerabilities (KEV) catalog. Langflow is a Python-based Web application that allows users to build AI-driven agents and workflows. The issue allows remote code injection and affects Langflow versions prior to 1.3.0. Horizon3.ai, which discovered the flaw, said it is “easily exploitable” and that the available patch fails to fully address the issue. The researchers encouraged users to update to the latest Langflow version to fully mitigate the risk of exploitation.

(Bleeping Computer and Dark Reading)

Hackers exploit IoT devices to deploy Mirai Botnet

Threat actors have been observed actively exploiting security flaws in two different Internet of Things (IoT) devices to corral them into the Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The first device is an end-of-life GeoVision surveillance device which can be exploited via two critical severity operating system command injection flaws (CVE-2024-6047 and CVE-2024-11120). These issues could be used by threat actors to execute arbitrary system commands. That disclosure comes as researchers warned of active exploitation of a path traversal flaw in Samsung MagicINFO 9 digital signage server (CVE-2024-7399) that could enable an attacker to write arbitrary files as system authority. While Samsung addressed the issue back in August 2024, it has since been weaponized by attackers following the release of a proof-of-concept (PoC) exploit on April 30, 2025.

(The Hacker News)

New investment scams use Facebook ads and filter victims

Cybersecurity researchers have identified two threat actors, codenamed Reckless Rabbit and Ruthless Rabbit, orchestrating investment scams through spoofed celebrity endorsements on Facebook. The platforms use web forms to collect user data including users’ names, phone numbers, and email addresses, and also offer the ability to auto-generate passwords. The next phase of the attack uses validation tools to filter out traffic from certain countries and ensures that the contact info provided is legitimate. Validated victims are routed through a traffic distribution system (TDS) for cloaking, to a scam platform where they are either coaxed into making high return investments, or where they are instructed to wait for a representative to call them. Reckless Rabbit has been creating domains since April 2024, primarily targeting users in Russia, Romania, and Poland, while excluding traffic from countries including Afghanistan, Somalia, Liberia, and Madagascar. Ruthless Rabbit has been actively targeting European users since at least November 2022.

(The Hacker News)

Magento backdoor hid for six years before activation 

It took six years for a backdoor hidden in widely used Magento online store extensions to finally reveal itself. On April 20, the malware finally began affecting hundreds of digital storefronts. Security firm Sansec uncovered 21 modules published between 2019 and 2022, which share identical malicious logic hidden in PHP files. Once activated, the backdoor runs a remote payload, enabling attackers to deploy Magecart-style skimming scripts in customer browsers. Sansec estimates that between 500 and 1,000 stores are running the backdoored software, “including a $40 billion multinational.” The researchers said, “It is rare that a backdoor remains undetected for six years, but is even stranger that actual abuse has only started now.”

(Data Breach Today)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.