Cybersecurity News: Microsoft updates Update, LexisNexis leak, cyber insurance premiums

In today’s cybersecurity news…

Microsoft wants to update all the things

Microsoft opened a private preview for a new update orchestration platform that operates on top of Windows Update. This aims to unify updates for all apps, drivers, and Windows components for an organization. Organizations can use WinRT APIs or PowerShell commands to onboard their updates. The new model will plan downloads and updates to minimize bandwidth, user downtime, and CPU usage. This will also show the history of all updates in the Settings app alongside official Windows Updates. No word on Microsoft’s timetable to publicly launch the tool.

(Bleeping Computer, Windows IT Pro Blog)

LexisNexis breach impacts 364,000 people

The prominent analytics company disclosed that its LexisNexis Risk Solutions business received a report from “an unknown third party” about accessing company information on April 1st. An investigation found that the company itself didn’t suffer a breach of its systems, but that “some data which was held in GitHub… was acquired by an unknown third party.” This information includes names, contact details, Social Security numbers, and driver’s license numbers. Regulatory filings in Maine, South Carolina, and Vermont disclosed that this GitHub data was initially accessed on December 25, 2024. The company has found no signs of misuse and will offer impacted victims two years of credit monitoring.

(The Record)

Cyber insurance premium volume expected to double

Bloomberg reports that the insurance company Munich Re AG expects the global cyber insurance market to hit $16.3 billion in 2025 and roughly double to $30 billion by 2030. Cybersecurity Ventures estimates that hacking crimes resulted in $9.5 trillion in losses in 2024, with the vast majority of risks uninsured. The insurer Beazley Plc estimates that less than half of the Fortune 100 and less than 10% of SMEs have a cyber policy.

(Bloomberg)

Surveillance industry clashes with Indian regulations

Late last year, India created new regulations that require all internet-connected CCTV models imported after April 9, 2025, to submit hardware, software, and source code for assessment in government labs before being sold in the country. The rules require CCTV cameras sold in India to have tamper-proof enclosures, strong malware detection, and use encryption. Although the regulations do not call out any specific country, sources speaking to Reuters and documents seen by Reuters attest that these rules were in part a response to China’s surveillance capabilities. At an April 3rd meeting, surveillance gear executives, including from Hanwha, Motorola, Bosch, Honeywell, and Xiaomi, told government officials they weren’t ready to meet certification requirements. The government declined a request for a delay at that meeting. India currently has 15 labs that can review 28 applications at a time, but as of May 28th, 342 applications were pending. Since testing began, labs have approved 35 applications, and only one from a foreign country.

(Reuters)

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

Botnet hits Asus routers

Security researchers at GreyNoise discovered a novel botnet dubbed “AyySSHush” operating a campaign since mid-March 2025, targeting SOHO routers from Asus, Cisco, D-Link, and Linksys. The campaign exploits an old command injection flaw on Asus routers to add a threat actor-controlled SSH public key and enable listening on TCP port 53282. This allows for persistence across configuration changes and firmware updates. The researchers identified over 9,000 infected Asus routers, although so far, malicious requests have been minimal. It’s unclear what the operational goal of the botnet is in the long term.

(Bleeping Computer)
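Because the persistence described above survives firmware updates, the practical defender check is to audit the router’s own settings for the two indicators the report names: an SSH listener on TCP 53282 and an SSH public key nobody approved. The script below is an added example, not GreyNoise’s or Asus’s code; the settings dump, the `sshd_enable` / `sshd_port` / `sshd_authkeys` variable names, and the keys themselves are constructed for illustration, and a real firmware export may use different names.

```python
import base64
import hashlib

# Constructed sample: a key=value settings dump of the kind a router export
# produces. The variable names are assumed for illustration, not from the page.
SAMPLE_DUMP = """\
wan_ipaddr=203.0.113.10
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTEtYWRtaW4= admin@lan
sshd_authkeys=ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTItdW5rbm93bg== backup
"""

SUSPECT_PORT = 53282  # the SSH listener port reported for the AyySSHush campaign


def parse_dump(text):
    """Parse key=value lines; a key that repeats collects all of its values."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def key_fingerprint(authorized_key_line):
    """SHA256 fingerprint of one authorized_keys entry, in OpenSSH's
    'SHA256:<unpadded base64>' form, so it can be compared with ssh-keygen -lf."""
    parts = authorized_key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys entry")
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(cfg, approved_fingerprints):
    """Return a list of findings; an empty list means neither indicator matched."""
    findings = []
    if cfg.get("sshd_enable", ["0"])[0] == "1":
        for port in cfg.get("sshd_port", []):
            if port.isdigit() and int(port) == SUSPECT_PORT:
                findings.append(f"sshd configured on TCP {port}")
    for entry in cfg.get("sshd_authkeys", []):
        fingerprint = key_fingerprint(entry)
        if fingerprint not in approved_fingerprints:
            parts = entry.split(maxsplit=2)
            comment = parts[2] if len(parts) > 2 else "(no comment)"
            findings.append(f"unapproved SSH key {fingerprint} {comment}")
    return findings
```

The approved set should be built from fingerprints recorded when the administrator installed the keys, not from the current dump, since the point is to notice keys that arrived later.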

Dark Partners dropping infostealers

Cybersecurity researcher g0njxa discovered a threat group dubbed Dark Partners. This group faked websites to impersonate dozens of apps and other tools, including seven cryptocurrency platforms, VPN services, payment processors, and remote desktop solutions. These pages all provide a simple download button for these services, but instead deliver malware loaders like Payday or info stealers like Poseidon and Lumma. The malware attempts to scrape crypto wallet information and uses a Google Calendar link to retrieve C2 server addresses. Dark Partners uses code signing certificates on Windows, but none are currently valid.

(Bleeping Computer)

Faux Bitdefender site delivers real malware

In other spoofed site news, researchers at DomainTools discovered a campaign that uses a spoofed version of Bitdefender’s antivirus download page for Windows. Instead of legitimate tooling, it redirects visitors to the StoreInstaller.exe file, which installs VenomRAT, StormKitty, and SilentTrinity malware. Combined, the three provide persistent remote access, attempt to steal crypto wallet information, and provide a framework for long-term control. While this might seem like another campaign to quickly grab crypto credentials, the researchers say the total malware bundle shows signs of looking to resell access to the infected device.

(Infosecurity Magazine)

US laptop farms enabling North Korean remote jobs

The Wall Street Journal profiled Christina Chapman, a 50-year-old operator of a laptop farm used by North Korean operators to infiltrate remote workers into US companies. Chapman was approached on LinkedIn to “be the U.S. face” of a company placing overseas IT workers, with North Koreans operating similar schemes on Upwork and Fiverr. These “farmers” set up domestic online connections, facilitate paychecks, send along tax and identification forms, and maintain the laptops that North Koreans log into. CrowdStrike identified roughly 150 cases of North Korean workers operating on customer networks, with laptop farms seen in at least eight states. These operators also hired Americans to provide domestic mailing addresses, pass liveness checks, and conduct job interviews. The FBI raided Chapman’s house in October 2023; she pleaded guilty to wire fraud and money laundering charges and is set for sentencing on July 16th.

(WSJ)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.