Cybersecurity News: Apple backdoor spat, Sarcoma hits Unimicron, Sault Tribe attacked

In today’s cybersecurity news…

U.S. lawmakers demand UK retraction of Apple backdoor

Senators Ron Wyden and Andy Biggs are urging newly appointed National Intelligence Director Tulsi Gabbard to push the United Kingdom to revoke its order requiring Apple to grant government access to encrypted user data. They warn that the directive threatens Americans’ privacy and suggest that, if the UK refuses to back down, the U.S. should reconsider its deep intelligence-sharing ties with its ally. The confidential British order compels Apple to create a backdoor into its Advanced Data Protection system, which end-to-end encrypts iCloud-stored data so that even Apple cannot access it. Authorities argue this hinders investigations into terrorism, child exploitation, and other serious crimes. The lawmakers’ appeal highlights growing tensions over encryption, privacy, and government surveillance, with potential implications for international cybersecurity cooperation.

(Washington Post)

Sarcoma ransomware claims breach at circuit board maker Unimicron

This breach is the handiwork of a relatively new operation with the delightful name of Sarcoma. The group has claimed responsibility for an attack against Unimicron, a Taiwan-based manufacturer of printed circuit boards (PCB). The group has already published samples of files allegedly stolen from the company’s systems with a threat to leak everything next week if no ransom is paid. The group claims to have 377 GB of SQL files belonging to the Taiwanese company. “Unimicron is one of the largest PCB manufacturers in the world, with plants and service centers in Taiwan, China, Germany, and Japan. Its products are extensively used in LCD monitors, computers, peripherals, and smartphones.”

(BleepingComputer)

Ransomware attack disrupts Michigan’s Sault Tribe operations

A ransomware attack on the Sault Ste. Marie Tribe of Chippewa in Michigan has severely disrupted critical services, including casinos, health centers, and various businesses. Tribe Chairman Austin Lowes stated that the incident began Sunday morning, affecting multiple computer and phone systems across tribal administration. As a result, many departments and businesses were forced to close temporarily. While officials hope to resolve the issue within a week, they are prepared for a longer recovery. The attack has had a particularly devastating impact on the tribe’s health division, affecting essential services for its 44,000 members in Michigan’s Upper Peninsula.

(The Record)

Huge thanks to our sponsor, Vanta

Do you know the status of your compliance controls right now? Like…right now?

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.

But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001.

They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.

Now that’s…a new way to GRC. Get started at Vanta.com/headlines

Russian threat actor Seashell Blizzard enlists specialist initial access subgroup

According to a new report from Microsoft, the group once known for attacks mostly on Ukraine and countries in Eastern Europe is now setting its sights on high-value targets globally, especially in the UK, the U.S., Canada, and Australia. Its specialist initial access subgroup takes advantage of vulnerabilities in remote access technologies including ConnectWise ScreenConnect and Fortinet FortiClient software. The report states that the subgroup “discovers vulnerabilities in Internet-facing infrastructure through direct scanning and the use of third-party internet scanning services and knowledge repositories,” with the goal of establishing long-term persistence on the affected systems.

(InfoSecurity Magazine)

FINALDRAFT malware uses Microsoft API for espionage through Windows and Linux

Threat hunters at Elastic Security Labs are watching a campaign currently focusing on “the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts.” This group has also targeted a telecommunications organization and a university, both located in Southeast Asia. The infection chain begins with the execution of a loader named PATHLOADER, which delivers an encrypted shellcode payload named FINALDRAFT; the payload is subsequently injected into the memory of a newly spawned “mspaint.exe” process, and FINALDRAFT has variants for both Windows and Linux systems. The researchers believe that this campaign is built for espionage.

(The Hacker News)

Zacks possibly suffers another data breach

This breach supposedly happened in June 2024, with the threat actor releasing data last month. Zacks is a U.S.-based investment research company. The threat actors behind this breach claim to have access to the data of 12 million accounts. The leaked database has been added to Have I Been Pwned. However, Troy Hunt and his organization state that 93% of the email addresses mentioned in this most recent haul were already in the Have I Been Pwned database from previous breaches, including those not affiliated with Zacks. BleepingComputer also notes that “there is also the possibility of threat actors scraping the information from other services and compiling a database with user information associated with Zacks.”

(BleepingComputer)

Astaroth phishing kit bypasses 2FA with reverse proxy techniques

A new phishing tool called “Astaroth” has surfaced on cybercrime platforms, featuring advanced techniques to bypass two-factor authentication (2FA). First advertised in January 2025, Astaroth uses session hijacking and real-time credential interception to compromise accounts on Gmail, Yahoo, Office 365, and other platforms. Researchers at SlashNext report that it operates via an *evilginx*-style reverse proxy, positioning itself between users and legitimate login pages to capture usernames, passwords, 2FA tokens, and session cookies. Unlike traditional phishing kits that struggle to bypass 2FA, Astaroth intercepts authentication tokens in real time, allowing attackers to hijack active sessions before security measures can respond. Cybersecurity expert Jason Soroko warns that this approach renders 2FA ineffective, as attackers can instantly assume control of compromised accounts. The emergence of Astaroth highlights the growing sophistication of phishing tactics and the increasing need for robust security measures beyond standard authentication protocols.

(InfoSecurity Magazine)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.