UK Government Previews Cybersecurity Legislation

The British government has unveiled plans for a new Cyber Security and Resilience Bill that will implement stricter incident reporting rules and enhance supply chain vulnerability management. This legislation, first previewed after the government took office in July 2024, introduces a “two-stage reporting structure” requiring organizations to report significant cyber disruptions within 24 hours of detection and submit a full incident report to the National Cyber Security Center within 72 hours. The bill extends regulatory oversight to approximately 900-1,100 managed service providers with access to clients' systems and data, and strengthens the Information Commissioner’s Office’s authority. Current law only mandates reporting within 72 hours when personal data is compromised. Tech Secretary Peter Kyle emphasized that these measures aim to promote economic growth by securing digital infrastructure critical for business stability and innovation. Industry experts have welcomed the focus on supply chain security and streamlined reporting requirements, though some note that success will depend on establishing clear expectations given the existing regulatory frameworks many IT providers already navigate.​​​​​​​​​​​​​​​​

Canon Printer Flaw Enables Remote Code Execution

Researchers have uncovered a high-severity vulnerability (CVE-2025-1268) in Canon’s Generic Plus printer drivers that could allow attackers to execute arbitrary code remotely. The flaw, which received a concerning CVSS rating of 9.4, affects various Canon printers including production models, small office multifunction devices, and laser printers. This out-of-bounds vulnerability in Enhanced Metafile Recode processing can lead to memory corruption when handling image data conversion, potentially enabling system crashes, data leaks, or complete device compromise—especially in networked environments. Security experts warn that compromised printers could serve as entry points for broader network attacks, threatening network security, business continuity and compliance requirements. While Canon has promised updated drivers will be available through local sales representatives, one cybersecurity researcher suggests keeping printers isolated from networks via direct USB connections where practical to reduce potential attack surfaces.​​​​​​​​​​​​​​​​

Vitenas Cosmetic Surgery patient data hacked and leaked – DataBreaches.Net

A recent cyberattack on Vitenas Cosmetic Surgery in Texas led to a significant data breach involving unencrypted patient health information, including sensitive photos and personal details, as well as internal employee documents. The hackers, known as Kairos, claimed responsibility, stating they accessed the data through a brute force attack and had attempted negotiations with Dr. Vitenas for a month. With 1.34 GB of leaked files already online, the most sensitive information may be made public if a buyer isn’t found, while no incident report has been posted on official platforms yet.

Exclusive: Royal Mail suffers alleged data breach as threat actor claims 144GB stolen - Cyber Daily

A threat actor known as “GHNA” claims to have breached Royal Mail Group in March 2025, stealing 16,549 files (144GB) containing customer PII, confidential documents, internal meeting recordings, delivery location data, and more. The hacker shared sample data including names, addresses, and phone numbers, suggesting this isn’t the first Royal Mail breach connected to Spectos. This follows a previous incident in October when another hacker called “888” claimed a smaller Royal Mail breach, and a 2023 ransomware attack by LockBit that targeted Royal Mail International, where the company refused to pay the “absurd” ransom demands despite attempted negotiations.​​​​​​​​​​​​​​​​

270,000 Samsung Customer Support Tickets Leak onto the Internet. Here’s What Happened. - CX Today

Samsung Germany has suffered a massive data breach, with 270,000 customer service tickets leaked due to credentials stolen in 2021 from samsung-shop.spectos.com that weren’t properly rotated. The breach, executed by someone using the alias “GHNA,” exposed sensitive customer information including full names, addresses, email addresses, order details, and support interactions. Hudson Rock had previously flagged these compromised credentials, but Samsung failed to act. This incident follows Samsung’s 2023 security issue where employees accidentally leaked code through ChatGPT, highlighting the company’s ongoing cybersecurity challenges amid growing concerns about AI implementation creating new attack surfaces for hackers.​​​​​​​​​​​​​​​​

A major data leak in Sweden has exposed private information about Prince Carl Philip. yle.fi/a/74-2015…

A significant data breach affecting around two million people has been uncovered in Sweden. The newspaper Dagens Nyheter (DN) revealed that user data from the fitness app Sportadmin has been published on the dark web.

The leaked data includes not only information about ordinary fitness enthusiasts but also high-level politicians and members of the royal family. Among those affected is Prince Carl Philip. According to DN, his online pseudonym and anonymous email address have been published on the dark web.

More concerning, however, is that his regularly used jogging routes have also been exposed. These routes were recorded in the fitness app under his anonymous email address. The data also revealed a recent overseas trip taken by the prince.

The Pirkanmaa Welfare Region in Finland has reported a data breach in its password change service. Due to a technical error, users who logged in via the Suomi.fi authentication system on shared computers may have remained logged in for up to 32 minutes, even after logging out and receiving confirmation from the browser.

As a result, confidential information could have been exposed to others using the same device, particularly if the user did not clear browsing data or close the browser after changing their password.

The issue mainly affects employees, students, temporary workers, service providers, and decision-makers who used the “Passu” service on shared devices between June 11, 2024, and January 30, 2025. Approximately 3,500 people used the service during that time, and 2,000 of them can be contacted directly.

The error was fixed in February, and the incident has been reported to the Data Protection Ombudsman.

www.mtvuutiset.fi/artikkeli…

Oracle Cloud Users Urged to Take Action www.darkreading.com/applicati…

With Oracle not budging from its denial of a breach that a growing number of security experts believe occurred, some are urging the company’s cloud customers to take immediate steps to verify if their data was compromised and to protect against any resulting misuse.

If the breach indeed occurred, the primary concerns include attackers leveraging stolen data to infiltrate cloud environments, escalating privileges to administrative control, and reusing credentials for lateral movement across affected organizations.

Additionally, any exposure of personally identifiable information (PII) and passwords could trigger compliance requirements under statutes like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) for covered organizations, Trustwave said in its take on the reported incident.

Check Point confirms breach, but says it was ‘old’ data and crook made ‘false’ claims www.theregister.com/2025/03/3…

A digital burglar is claiming to have nabbed a trove of “highly sensitive” data from Check Point - something the American-Israeli security biz claims is a huge exaggeration.

A cybercrime forum user going by the name CoreInjection advertised “a highly sensitive dataset” allegedly comprised of Check Point files on Sunday evening. They claimed this contained internal network maps and architectural diagrams, user credentials (including hashed and plaintext passwords), employee contact information, and proprietary source code.

Screenshots shared in the post appear to show CoreInjection inside a Check Point admin Infinity (security management) portal, supposedly granting themselves the ability to change users' two-factor authentication settings.

Analyzing New HijackLoader Evasion Tactics www.zscaler.com/blogs/sec…

HijackLoader (also known as IDAT Loader and GHOSTPULSE) is a malware loader initially discovered in 2023. The loader is not only capable of delivering second-stage payloads, but also offers a variety of modules to expand the malware’s capabilities. The modules are mainly used for configuration information and to evade security software, as well as inject and execute code.

Recently, Zscaler ThreatLabz uncovered new HijackLoader modules with additional evasion techniques. In this blog, we analyze these modules that implement features including call stack spoofing to mask the origin of function calls from endpoint detection, virtual machine detection to identify analysis environments, and another module that establishes persistence via scheduled tasks.

Phishing platform ‘Lucid’ behind wave of iOS, Android SMS attacks www.bleepingcomputer.com/news/secu…

A phishing-as-a-service (PhaaS) platform named ‘Lucid’ has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android).

Lucid, which has been operated by Chinese cybercriminals known as the ‘XinXin group’ since mid-2023, is sold to other threat actors via a subscription-based model that gives them access to over 1,000 phishing domains, tailored auto-generated phishing sites, and pro-grade spamming tools.

Prodaft researchers note that XinXin has also been using the Darcula v3 platform for its operations, which indicates a potential connection between the two PhaaS platforms. Subscriptions to Lucid are sold via a dedicated Telegram channel (2,000 members), and customers are granted access via licenses on a weekly basis.

The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques www.trendmicro.com/en_us/res…

Trend Research’s consistent monitoring and investigation efforts have uncovered Earth Alux’s stealthy activities and advanced techniques. One of the tools in the arsenal of this advanced persistent threat group (APT) is its primary backdoor, VARGEIT. Left undetected, the attack can maintain a foothold in the system and carry out cyberespionage. The long-term collection and exfiltration of data could lead to far-reaching consequences, such as disrupted operations and financial losses.

The attacks are targeted toward the Asia-Pacific (APAC) and Latin American regions, hitting key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Regular patching and updating, vigilant monitoring for any signs of compromise, and proactive protection can help prevent such threats from infiltrating organizations’ systems.

Analyzing open-source bootloaders: Finding vulnerabilities faster with AI www.microsoft.com/en-us/sec…

By leveraging Microsoft Security Copilot to expedite the vulnerability discovery process, Microsoft Threat Intelligence uncovered several vulnerabilities in multiple open-source bootloaders, impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot as well as IoT devices. The vulnerabilities found in the GRUB2 bootloader (commonly used as a Linux bootloader) and U-boot and Barebox bootloaders (commonly used for embedded systems), could allow threat actors to gain and execute arbitrary code.

Using Security Copilot, we were able to identify potential security issues in bootloader functionalities, focusing on filesystems due to their high vulnerability potential. This approach saved our team approximately a week’s worth of time that would have otherwise been spent manually reviewing the content. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability.

Smoked out - Emmenhtal spreads SmokeLoader malware www.gdatasoftware.com/blog/2025…

We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal (sic! - this spelling refers to the HTA component of this loader, hence slightly unorthodox spelling “EmmenHTAl) also referred to by Google as Peaklight.

This loader has been active since early 2024 and is primarily used by financially motivated threat actors to distribute commodity infostealers such as CryptBot and Lumma. In this campaign, we have observed that Emmenhtal Loader has been chained together with SmokeLoader malware, allowing threat actors to leverage its modular capabilities for deploying additional malware dynamically.

The infection chain starts with an email claiming to confirm that a payment has been made. Attached to the email is a 7z archive file, named deceptively as ‘Платiжна_iнструкция.7z’ (translated as “Payment_instruction”) to trick victims into extracting and opening its contents.

Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp

Russian hacking group Water Gamayun (aka EncryptHub) is exploiting a Windows vulnerability to deploy two new backdoors: SilentPrism and DarkWisp. Using malicious installer files disguised as legitimate software, they also distribute Rhadamanthys Stealer and custom EncryptHub Stealer variants that collect system information, passwords, and cryptocurrency data. The group employs sophisticated techniques like using IntelliJ’s runnerw.exe to execute malicious scripts and has recently moved from GitHub to their own infrastructure for command-and-control operations.​​​​​​​​​​​​​​​​

Trend Micro Open Sources AI Tool Cybertron

Trend Micro is open sourcing its Trend Cybertron cybersecurity LLM and AI agent, allowing free access to its threat detection automation capabilities. Built on Llama architecture with 8 billion parameters, it’s trained on Trend Micro’s vulnerability research data and uses Nvidia Inference Microservice for deployment. Unlike other security AI tools focused on responding to incidents, Cybertron proactively anticipates risks. This represents a growing trend of using foundational LLMs to create specialized models, an approach gaining popularity across healthcare, finance, and other industries.​​​​​​​​​​​​​​​​

Samsung Tickets Data Leak: Infostealers Strike Again in Massive Free Dump | InfoStealers

A data breach at Samsung Germany, involving 270,000 customer tickets, was caused by credentials stolen by infostealer malware in 2021. The leaked data, which includes personal information and transactional details, can be exploited by cybercriminals for physical attacks, targeted phishing, and fraudulent warranty claims. The breach highlights the importance of proactive credential monitoring and rotation to prevent similar incidents.

Oracle Cloud Data Breach: Six Million Records Stolen, 140,000 Clients Potentially Impacted - CPO Magazine

A recent data breach of Oracle Cloud resulted in the theft of six million records and potentially impacted 140,000 clients. The breach, attributed to a previously known vulnerability dating back to 2014, allowed attackers to compromise an Oracle Cloud subdomain and steal encrypted passwords. The attackers, seeking to ransom victims and sell stolen data, have offered a variety of purloined file types and credentials for sale on the dark web.

Oracle (ORCL) Warns Health Customers of Patient Data Breach - Bloomberg

Hackers breached Oracle’s systems, stealing patient data from older Cerner servers not yet migrated to Oracle’s cloud. The FBI is investigating the breach and extortion attempts against medical providers.

RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a new malware called RESURGE, which exploits a now-patched security flaw in Ivanti Connect Secure appliances. RESURGE, an improvement over the SPAWNCHIMERA malware variant, contains rootkit, dropper, backdoor, bootkit, proxy, and tunneler capabilities. Organizations are advised to patch their Ivanti instances and implement additional security measures to mitigate the risk posed by this malware.

youtube.com/watch

A recent report by the University of Toronto’s Citizen Lab suggests that Ontario police may have secretly used the Israeli spyware tool Paragon Solutions. The tool, linked to an Israeli company, allegedly hacks into phones via WhatsApp, raising concerns about surveillance and human rights. The investigation found potential use by the Ontario Provincial Police and other services like Toronto and Hamilton Police. The use of such spyware could contravene Canadian laws, highlighting the need for stricter regulations and oversight to prevent abuses. This issue underscores broader questions about the ethics of spyware use in democratic societies.

‘Evilginx’ Tool (Still) Bypasses MFA

Evilginx, a malicious version of the NGINX Web server, can be used in adversary-in-the-middle attacks to steal credentials and authentication tokens, bypassing multifactor authentication. Sophos researchers tested Evilginx with Microsoft-themed malicious domains and phishing pages, mimicking a user account protected by MFA and successfully bypassing it. To prevent Evilginx attacks, organizations should move off token-based or push-MFA methods and embrace stronger, phishing-resistant FIDO2-based options like passkeys.

Ubuntu namespace vulnerability should be addressed quickly: Expert | Network World

Three vulnerabilities were discovered in Ubuntu’s unprivileged user namespace restriction feature, allowing local attackers to bypass the protection and exploit kernel vulnerabilities. While Ubuntu asserts these are not security vulnerabilities due to AppArmor protections, experts recommend patching, limiting unprivileged profile changes, and restricting AppArmor profiles.

BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability

Threat hunters infiltrated the BlackLock ransomware group’s online infrastructure, exploiting a vulnerability in their data leak site. This allowed them to extract configuration files, credentials, and command history, revealing BlackLock’s modus operandi and potential connections to other ransomware strains like DragonForce. The findings suggest a possible takeover of BlackLock by DragonForce due to ransomware market consolidation.

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

SquareX warns of the emergence of browser-native ransomware, which targets digital identity and cloud-based enterprise storage. Unlike traditional ransomware, it requires no file download and is undetectable by endpoint security solutions. This new threat leverages AI agents to automate attacks, potentially impacting entire enterprises through compromised SaaS applications and file-sharing services.