In today’s cybersecurity news…
Scattered Spider facilitates UK retail hacks and is moving to the U.S.
The announcement comes from Cybersecurity experts from Google. The group has been linked to the attacks on UK retailers Marks & Spencer, the Co-op and Harrods, and unnamed retailers in the U.S. are also being impacted. Charles Carmakal, the chief technology officer at Google’s Mandiant unit, said that “the threat had moved to the U.S. in a pattern typical of Scattered Spider assailants,” which is to focus on a particular industry sector and geography for a few weeks and then move on. One of its specific techniques is to make phone calls to IT help desks, pretending to be an employee or a contractor, to gain access to company systems.
Defendnot tool can disable Microsoft Defender
The tool, built by a developer who goes by the handle es3n1n, can disable Microsoft Defender on Windows devices simply by registering a fake antivirus product, even when no real AV is installed. As reported in BleepingComputer, the tool “utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.” When this happens, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device. Microsoft has since taken steps to detect and quarantine the tool.
(BleepingComputer and es3n1n blog)
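The mechanism above (a product registering with Windows Security Center causes Defender to stand down) can be audited from the defender's side. The following PowerShell is an added example, not code from the article or from the Defendnot project: it lists every antivirus product registered in the root\SecurityCenter2 WMI namespace, checks whether each points at a signed executable that exists on disk, and compares that with Defender's own status. It assumes a Windows 10/11 client with the built-in Defender module; the decoding of productState is the widely used community interpretation of an undocumented field.

```powershell
# Added example, not from the article or the Defendnot project: list the antivirus
# products registered with Windows Security Center (WSC) and cross-check them against
# Defender's own status, so a registration that silenced Defender stands out.
# Assumes a Windows 10/11 client (root\SecurityCenter2 is absent on Server SKUs) and
# the built-in Defender PowerShell module. Run in an elevated prompt for full detail.

function Get-WscAntivirusState {
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        # productState is an undocumented bitfield; the widely used reading is that the
        # middle byte equals 0x10 when WSC considers the product enabled (real-time on).
        $state   = [int]$p.productState
        $enabled = ((($state -shr 8) -band 0xFF) -eq 0x10)

        # A genuine third-party AV points WSC at a signed executable on disk.
        # (Defender itself reports a pseudo-path such as windowsdefender://, which is why
        # Microsoft's own entry is flagged separately below rather than by this check.)
        $exe    = $p.pathToSignedProductExe
        $exists = (-not [string]::IsNullOrEmpty($exe)) -and (Test-Path -LiteralPath $exe)
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
        }

        [pscustomobject]@{
            DisplayName = $p.displayName
            Enabled     = $enabled
            ProductExe  = $exe
            ExeExists   = $exists
            ExeSigned   = $signed
            IsMicrosoft = ($p.displayName -like 'Windows Defender*' -or $p.displayName -like 'Microsoft Defender*')
        }
    }
}

$wsc = Get-WscAntivirusState
$wsc | Format-Table -AutoSize

# Defender's own view of itself, independent of what WSC reports.
$mp = Get-MpComputerStatus
"Defender AntivirusEnabled={0} RealTimeProtectionEnabled={1}" -f $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled

# Finding to escalate: Defender's real-time protection is off while WSC lists an active
# non-Microsoft product whose registered executable is missing or unsigned.
$suspect = $wsc | Where-Object { -not $_.IsMicrosoft -and $_.Enabled -and -not ($_.ExeExists -and $_.ExeSigned) }
if (-not $mp.RealTimeProtectionEnabled -and $suspect) {
    Write-Warning "Defender RTP is off and WSC lists a third-party AV with no signed binary on disk:"
    $suspect | Format-List DisplayName, ProductExe, ExeExists, ExeSigned
}
```

The same comparison can be collected centrally (for example by a scheduled task feeding your SIEM) so that a sudden third-party AV registration on a host that has never had one is visible as an event rather than a silent state change.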
FBI warns government officials about new waves of deepfakes
Since April 2025, the FBI has warned of a cyber campaign targeting current and former U.S. government officials using AI-generated deepfake voice messages and texts impersonating senior officials. Threat actors send malicious links disguised as messaging platform invites to access victims’ personal accounts. The FBI urges vigilance: verify caller identities with trusted contacts, check for subtle errors, and be wary of unnatural speech or visuals.
Rogue devices found in Chinese-made power inverters
U.S. security experts have discovered hidden “kill switches” and undocumented cellular radios in Chinese-made power inverters used in U.S. and European solar farms. These rogue devices could allow Beijing to remotely disable parts of the power grid during a conflict, raising serious national security concerns. While inverters typically allow remote access for maintenance, experts found covert communication hardware not listed in product documentation. Over the past nine months, similar devices were found in batteries from multiple Chinese suppliers. The presence of such hidden systems suggests a potential for remote sabotage of critical energy infrastructure by foreign actors. (The Times)
Huge thanks to our sponsor, Conveyor

If so, get Conveyor’s AI to knock them out for you. Connect Conveyor to any source, easily upload any format of questionnaire or use the browser extension for portals and our AI handles the rest—from parsing the questions to generating answers and auto-tagging collaborators.
Let Conveyor do the work for you. Learn more at www.conveyor.com.
Japan enacts proactive cyberdefense law
Last Friday, Japan enacted a new law that would give its authorities the ability to “preemptively engage with adversaries through offensive cyber operations to ensure threats are suppressed before they cause significant damage.” The law, originally proposed in 2022, is intended to help Japan strengthen its cyber defense “to a level equal to major Western powers” and “marks a break from the country’s traditional approach to cyber defense, which had tracked closely to its Article 9 constitutional commitment to pacifism.”
SEC social media hacker gets 14-month sentence
Following up on a story we covered in February, Alabama resident Eric Council Jr. is now facing this sentence for hacking into the Twitter/X account of the Securities and Exchange Commission (SEC). He achieved this by executing a SIM-swap, and his motive was to create fraudulent posts through the SEC’s account that would alter the market value of bitcoin. In addition to the sentence, Council must forfeit $50,000, and following the sentence, will face “three years of supervised release with the condition that he not use computers to access the dark web or commit further identity fraud.”
CFPB withdraws Biden-era rule targeting data brokers
The Consumer Financial Protection Bureau is “set to withdraw a Biden-era rule aimed at cracking down on data brokers and their selling of Americans’ personal and financial information.” A notice published last Thursday in the Federal Register says, “The Consumer Financial Protection Bureau (Bureau or CFPB) is withdrawing its Notice of Proposed Rule: Protecting Americans from Harmful Data Broker Practices (Regulation V) (NPRM). The Bureau has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter of the NPRM. The Bureau will not take any further action on the NPRM.”
(Cyberscoop and Federal Register)
Ransomware groups target the undefended space between IT and OT
In an interview with The Register, Timothy Conway, the technical director at the SANS Institute’s industrial control systems (ICS) programs, says the gangs focus on activities in organizations and systems that exist in between classic IT systems that run core business applications, and operational tech (OT) that drives heavy industrial infrastructure. As an example, Conway suggests what might happen if jet fuel was diverted to a home heating oil pipeline. He added, “all businesses have these middle systems, and encrypting them isn’t as difficult as developing ransomware to target OT.” The victims, he says, are more likely to pay the extortion demands. SANS stands for SysAdmin, Audit, Network, and Security. It is a training, research and certification organization.