Cybersecurity News: UK’s Co-op cyberattack, LabHost domains released, NSO WhatsApp damages

In today’s cybersecurity news…

UK retailer Co-Op suffers cyberattack

One of the largest food retailers in the U.K. – its full official name is The Co-operative Group – has shut down some of its IT systems due to what spokesperson Mark Carrington describes as “recently experienced attempts” by hackers to break into some of its systems. As a result, the company’s back office and call center functions are facing some disruption. The stores continue to operate normally. No further details, such as whether the attempted intrusions were successful, whether anything was stolen or who the perpetrators are, are currently available.

(TechCrunch)

FBI shares list of 42,000 LabHost phishing domains

The FBI has released 42,000 phishing domains linked to LabHost, a major phishing-as-a-service (PhaaS) platform dismantled in April 2024. Active from 2021 to 2024, LabHost sold phishing kits targeting U.S. and Canadian banks, offering tools to bypass two-factor authentication and manage campaigns in real time. The platform gained dominance in late 2023, attracting 10,000 global customers. Authorities estimate it stole over 1 million credentials and nearly 500,000 credit card records. The domain list, covering registrations from November 2021 to April 2024, aims to raise awareness and help identify threats. The takedown involved cooperation from 19 countries.

(BleepingComputer)

NSO group looking at hefty damages in WhatsApp case

The damages trial has now begun following a five-year court battle between the Israeli spyware maker NSO Group and WhatsApp. Some experts are predicting a penalty that might lead to the bankruptcy of the spyware manufacturer, which had been found liable in December for hacking 1,400 WhatsApp users in 2019. However, as Nitansha Bansal, a spyware expert and the assistant director at the Atlantic Council’s Cyber Statecraft Initiative, stated, bankruptcy would not be the end of the spyware Pegasus, which is considered to be the most advanced commercial surveillance product in the world. The company could either restructure or simply rebrand the technology, Bansal said.

(The Record)

SonicWall warns of VPN exploitation in the wild

Cybersecurity company SonicWall is warning users of its Secure Mobile Access (SMA) appliances that two vulnerabilities in them, CVE-2023-44221 and CVE-2024-38475, are now being actively exploited in attacks; the advisories for both have been updated to reflect this. The vulnerabilities affect a range of SMA models, listed in the show notes to this episode, and have been patched in a recent firmware update. “The two vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.14-75sv and later.”

(BleepingComputer)

Thanks to today’s episode sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

Microsoft Windows Server hotpatching to require subscription

As quoted in BleepingComputer, “Microsoft has announced it will require paid subscriptions for Windows Server 2025 hotpatching, a service that enables admins to install security updates without restarting.” The company is offering an opportunity for admins to try hotpatching free of charge “before it becomes generally available in July, when they’ll have to pay for a subscription to test it.” The company also “warned those currently testing Windows Server 2025 hotpatching in preview to disenroll on or before June 30 so that they’re not automatically subscribed in July.” The announcement explained, “with hotpatching, we are taking what was previously an Azure-only capability and now making it available to Windows Server machines outside of Azure through Azure Arc.”

(BleepingComputer)

TheWizards group uses SLAAC spoofing to perform adversary-in-the-middle attacks

The security firm ESET has published a new blog post describing the activities of a Chinese APT group it has named TheWizards, who are deploying Spellbinder, a lateral movement tool for performing adversary-in-the-middle attacks. According to the post, Spellbinder “enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers.” Currently, TheWizards targets “individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong.”

(WeLiveSecurity – ESET)
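As an added illustration (not ESET’s code or anything from the post), here is a defender-side check for the SLAAC spoofing described above: a spoofing host has to originate its own IPv6 Router Advertisements, so comparing every observed RA against an allowlist of legitimate routers surfaces it. The log format, MAC addresses, prefixes and allowlist are constructed; the check on the RA’s DNS-server (RDNSS) option is an assumed detail, since the summary above does not say how the traffic redirection is performed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample lines, one per observed RA:
# "<ts> ra src_mac=<mac> src=<link-local> prefix=<pfx> rdnss=<dns server or ->"
SAMPLE_LOG = """\
12:00:01 ra src_mac=00:11:22:aa:bb:cc src=fe80::211:22ff:feaa:bbcc prefix=2001:db8:1::/64 rdnss=-
12:00:07 ra src_mac=de:ad:be:ef:00:01 src=fe80::dead:beff:feef:1 prefix=2001:db8:1::/64 rdnss=2001:db8:bad::53
12:00:09 ra src_mac=00:11:22:aa:bb:cc src=fe80::211:22ff:feaa:bbcc prefix=2001:db8:1::/64 rdnss=-
12:00:12 ra src_mac=00:11:22:aa:bb:cc src=fe80::1 prefix=2001:db8:1::/64 rdnss=-
"""

# Assumed allowlist: the only router that should advertise on this segment,
# and the only resolver an RA may hand out via the RDNSS option.
KNOWN_ROUTERS = {"00:11:22:aa:bb:cc": ipaddress.IPv6Address("fe80::211:22ff:feaa:bbcc")}
KNOWN_DNS = {ipaddress.IPv6Address("2001:db8:1::53")}

@dataclass(frozen=True)
class Finding:
    ts: str
    src_mac: str
    reason: str

def parse_ra(line: str) -> dict:
    """Split one constructed log line into a field dict keyed by name."""
    ts, _kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def find_rogue_ras(log: str) -> list:
    """Return one Finding per RA that the allowlisted router would not have sent.

    A SLAAC-spoofing host must originate RAs itself, so a source MAC outside the
    allowlist, a known MAC paired with the wrong link-local address, or an RA
    that hands out an unapproved resolver is each treated as a finding."""
    findings = []
    for line in log.splitlines():
        rec = parse_ra(line)
        mac, src = rec["src_mac"], ipaddress.IPv6Address(rec["src"])
        if mac not in KNOWN_ROUTERS:
            findings.append(Finding(rec["ts"], mac, "RA from unknown router MAC"))
            continue  # nothing else to check on a rogue source
        if KNOWN_ROUTERS[mac] != src:
            findings.append(Finding(rec["ts"], mac, f"known MAC but unexpected link-local {src}"))
        if rec["rdnss"] != "-" and ipaddress.IPv6Address(rec["rdnss"]) not in KNOWN_DNS:
            findings.append(Finding(rec["ts"], mac, f"RDNSS advertises unapproved resolver {rec['rdnss']}"))
    return findings
```

Run against SAMPLE_LOG it reports the RA from the unknown MAC at 12:00:07 and the mismatched link-local at 12:00:12; on a real segment the allowlist would come from the switch or router inventory, and RA Guard on the access switches is the preventive counterpart.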

Pinterest to start labeling Gen-AI manipulated images

Pinterest is introducing new tools to help users identify and reduce exposure to AI-generated content. The platform will now label images created or altered with generative AI using an “AI modified” stamp visible during close-up viewing. These labels are based on metadata analysis and newly developed AI classifiers that detect such content even without embedded markers. Users can also choose to see fewer AI-generated images when browsing. Matt Madrigal, Chief Technology Officer at Pinterest, stated, “Gen AI content on Pinterest should enhance users’ ability to discover and act on their inspiration.” The global rollout includes an appeal process for users who believe their content was incorrectly flagged as AI-generated.

(The Verge)

Russia-linked group Nebulous Mantis targets NATO-related defense organizations

Operating with geopolitical motives, the group has been active since 2019, using a range of trojans, spear phishing and living-off-the-land tactics to target critical infrastructure, governments, and NATO-linked entities, all the while changing the domains it operates from every month. A new report from PRODAFT outlines the group’s techniques and in particular its espionage activities hidden behind ransomware operations, attacking organizations in North America, Europe and Japan. A link to the report is available in the show notes to this episode.

(PRODAFT)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.