Cybersecurity News: Radware clarifies patch, retailer data stolen, Alabama suffers cyberattack

In today’s cybersecurity news…

Radware says recent WAF bypasses were patched in 2023

Radware has responded to an advisory published on May 7 by the CERT Coordination Center at Carnegie Mellon University, which stated that the Radware Cloud Web Application Firewall (WAF) was vulnerable to filter bypass methods that could allow threat actors to conduct attacks without being blocked by the firewall. The methods, both of which have CVE numbers available in the show notes to this episode (CVE-2024-56523 and CVE-2024-56524), involved adding random data to the body of an HTTP GET request, which could cause the firewall to fail to filter the request and allow various types of payloads to pass through to the underlying web application. This past Sunday, Radware announced that both issues mentioned in the advisory had been “addressed by its R&D team shortly after they were reported to the company in 2023.”

(Security Week)
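As an added illustration (not code from the article, from Radware or from CERT/CC), here is a minimal request-inspection routine in Python that takes the defensive lesson from this advisory: a GET or HEAD request that carries a body is flagged rather than silently ignored, and the whole request surface (path, query string and body) is still scanned. The signatures, hostnames and sample requests are constructed for the example.

```python
import re
from urllib.parse import unquote
from dataclasses import dataclass, field

# Constructed, intentionally simple signatures; a real WAF ruleset is far larger.
PAYLOAD_RULES = {
    "sqli": re.compile(r"(?i)'\s*or\s*1\s*=\s*1|\bunion\b.+\bselect\b"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
}


@dataclass
class Verdict:
    method: str
    anomalous_body: bool            # a body was present on a GET/HEAD request
    matched_rules: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        # Block on either a signature hit or a structurally odd request.
        return self.anomalous_body or bool(self.matched_rules)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0].upper(), " ".join(parts[1:-1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect(raw: bytes) -> Verdict:
    method, target, headers, body = parse_request(raw)
    # A body on GET/HEAD is unusual; treat it as anomalous instead of skipping it.
    anomalous = method in ("GET", "HEAD") and len(body) > 0
    # Normalise and scan the entire request surface so that filler data in an
    # unexpected place never causes the payload inspection to be bypassed.
    surface = unquote(target) + "\n" + unquote(body.decode("latin-1", "replace"))
    matched = [name for name, rx in PAYLOAD_RULES.items() if rx.search(surface)]
    return Verdict(method, anomalous, matched)
```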

Marks & Spencer confirms data stolen in ransomware attack

Following up on a story we have been watching for a couple of weeks now, the British retailer now says personal data was stolen in the attack which has left the company still without the capacity to provide online purchases. On its website, the company describes the stolen data as PII as well as “masked” details of the payment card used for online purchases, including its own M&S credit card, or Sparks Pay, but the company states, “the data does not include usable card or payment details,” since it does not store full payment card details.

(Security Week and Marks & Spencer)

Turkish APT group used Output Messenger Zero-Day to spy on Kurdish military

The group, identified as Marbled Dust along with a raft of other names, has been exploiting the vulnerability in the team chat app Output Messenger since April of last year, using it to collect user data and deploy malicious files. The group specializes in targeting government entities and Kurdish organizations, ranging from political groups like the PKK through to telecommunication and IT service providers and media. The flaw being exploited impacts Output Messenger versions before 2.0.63.

(Security Affairs)

Alabama suffers cybersecurity event

Alabama’s governor, Kay Ivey, announced the attack on Monday and is asking for patience due to possible disruptions to government website access or other communications. Ivey adds, “some state employee usernames and passwords were compromised, but it is currently believed that no Alabamian’s personally identifiable information has been retrieved.” Neither the full scope of the attack nor the group behind it is known at this time.

(The Record)

Huge thanks to our sponsor, Vanta

Do you know the status of your compliance controls right now? Like…right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.

But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001.

They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.

Now that’s…a new way to GRC. Get started at Vanta.com/headlines.

Co-Op fears hackers still in the system, shelves getting empty

As part of the triumvirate of British retailer hacks, the Co-Operative chain, more familiarly known as The Co-Op, continues to deal with an attempted cyberattack detected two weeks ago. According to Recorded Future News, company officials “fear the hackers still have access to its network and is keeping some critical logistics systems offline, preventing shops from getting resupplied with many goods.” As a result, “deliveries from The Co-op’s large depots were well below 20% of their normal capacity,” especially with regard to perishables such as meat, eggs, dairy, fruits, and vegetables. As the company name describes, the company is owned by its members rather than being publicly listed, and as such is “not required to make any declaration to the London stock exchange about the expected adverse financial impact of the attack.”

(The Record)

North Korean hackers target Ukrainian government

A group tracked as TA406 is known for using spearphishing to “target governments, research centers, think tanks, academic institutions and media organizations worldwide — particularly in Europe, Japan, Russia, South Korea and the United States.” This latest campaign targets Ukrainian government entities, and cybersecurity firm Proofpoint suggests, in a report, that Pyongyang is seeking to “better understand both the appetite to continue fighting against the Russian invasion” and “the medium-term outlook of the conflict.” This differs greatly from Russian espionage, which Proofpoint says focuses more on “tactical intelligence related to battlefield operations.”

(The Record)

New Intel CPU flaws leak sensitive data from privileged memory

According to researchers at ETH Zurich, “a new Branch Privilege Injection flaw in all modern Intel CPUs allows attackers to leak sensitive data from memory regions allocated to privileged software like the operating system kernel, along with critical data such as passwords, cryptographic keys, and memory of other processes.” The branch privilege injection flaw, which has a CVE number (CVE-2024-45332) available in the show notes, belongs to the “specialized hardware components that try to guess the outcome of a branch instruction before it’s resolved, to keep the CPU pipeline full for optimal performance.” BleepingComputer writes, “the risk is low for regular users, and attacks have multiple strong prerequisites to open up realistic exploitation scenarios. That being said, applying the latest updates is recommended.”

(BleepingComputer)

SAP patches another critical NetWeaver vulnerability

As part of May Patch Tuesday, SAP released a number of fixes, the most important addressing a CVSS 10 critical-severity bug in NetWeaver’s Visual Composer development server component, tracked as CVE-2025-31324. This is a vulnerability “that has been exploited in the wild since January, for remote code execution.” The company is seeing “significant activity from attackers who are using public information to trigger exploitation and abuse of webshells placed by the original attackers, who have currently gone dark.”

(Security Week)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.