2025.04.22.News You Should Know

Series: News You Should Know

Ransomware crooks search for ‘insurance’ ‘policy’ right away • The Register - Researchers reviewed 3 years of ransomware forensics and found that threat actors' standard operating procedures usually involve searching company documents for “insurance”. If a policy is found, ransoms are around 2.8x the average; if there is also a double extortion attempt, the ransom is around 5.5x higher.

Law biz appeals £60K ICO fine over 32 GB digital burglary • The Register - A UK law firm loses 32 GB of case data and decides it's not a personal data breach. The UK regulator doesn't agree. The company pays a £60k fine.

Eight days from patch to exploitation for Microsoft flaw • The Register - Despite Microsoft self-scoring the vulnerability as a 6.5, within 8 days likely Russian-aligned threat actors began using the vuln with custom malware across Poland and Romania. (The decades-old NTLM protocol can be disabled, though it may still be necessary in limited scenarios.) The Hacker News article: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
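Before disabling NTLM, a defender needs to know who still depends on it. The following is an added example, not code from The Register, The Hacker News or Microsoft: it summarises Windows Security event 4624 (successful logon) records, which carry the authentication package and, for NTLM, the NTLM version, and flags NTLMv1 use and NTLM logons from outside an assumed set of trusted address ranges. The event lines are constructed in a simplified key=value form rather than a real export, and `TRUSTED_NETS` is an assumed value.

```python
"""Added example (not the article's or Microsoft's code): inventory NTLM use from
Windows Security event 4624 records before turning NTLM off."""
import ipaddress
import shlex
from collections import Counter

# Constructed sample events in a simplified key=value form, not a real export:
# three NTLM logons (two of them NTLMv1) and one Kerberos logon.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=svc_backup AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.0.17 WorkstationName=FS01
EventID=4624 LogonType=3 TargetUserName=jdoe AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.0.22 WorkstationName=WS22
EventID=4624 LogonType=3 TargetUserName=jdoe AuthenticationPackageName=NTLM LmPackageName="NTLM V2" IpAddress=10.0.0.22 WorkstationName=WS22
EventID=4624 LogonType=3 TargetUserName="ANONYMOUS LOGON" AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=203.0.113.5 WorkstationName=-
"""

# Assumed: the organisation's own address space; anything else counts as external.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_external(ip: str) -> bool:
    """True when the address lies outside every trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # placeholders such as "-" in some exports
        return False
    return not any(addr in net for net in TRUSTED_NETS)


def audit_ntlm(raw_events: str) -> dict:
    """Count NTLM logons per NTLM version and list findings worth acting on."""
    by_version = Counter()
    findings = []
    for line in raw_events.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        version = ev.get("LmPackageName", "-")
        by_version[version] += 1
        who = f"{ev.get('TargetUserName')} from {ev.get('IpAddress')} ({ev.get('WorkstationName')})"
        if version == "NTLM V1":
            findings.append(f"NTLMv1 still in use: {who}")
        if is_external(ev.get("IpAddress", "")):
            findings.append(f"NTLM logon from outside trusted ranges: {who}")
    return {"by_version": dict(by_version), "findings": findings}


if __name__ == "__main__":
    report = audit_ntlm(SAMPLE_EVENTS)
    print(report["by_version"])
    for finding in report["findings"]:
        print("-", finding)
```

Run against a real export, the `by_version` counts tell you whether restricting NTLM (or at least NTLMv1) will break anything, and each finding names the account and host to follow up on before the policy is switched.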

AI models can generate exploit code at lightning speed • The Register - Reviewing patches to determine what vulns are patched is a common threat actor technique. However, crims now have the power of AI to help them reverse engineer and weaponize patches at speed and scale.

Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps • The Register - SSL.com flubbed the implementation of their DNS validation records by allowing threat actors to issue certs for the domain used in the attacker's email address. For example, if verification for example1.com was requested with the email address attacker@gmail, the threat actor could then also obtain SSL certificates for gmail[.]com.
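The bug class above is a domain-control validation (DCV) step that records the wrong identifier as validated. The following is an added example and not SSL.com's code: it models a simplified flow in which the applicant publishes a TXT record naming a contact address at the assumed label `_validation-contactemail.<domain>`, proves access to that mailbox, and the CA then records which domains the account may obtain certificates for. The flawed variant also marks the mailbox's own domain as validated; the hardened variant marks only the zone that carried the record. The DNS answers and email addresses are constructed.

```python
"""Added example (not SSL.com's code): the flawed DCV bookkeeping beside its
hardened form. Record label, DNS contents and addresses are assumed/constructed."""

# Constructed stand-in for DNS: TXT records keyed by owner name.
DNS_TXT = {
    "_validation-contactemail.example1.com": ["attacker@gmail.com"],
}

TXT_LABEL = "_validation-contactemail"  # assumed record label for this flow


def mailbox_domain(addr: str) -> str:
    """Domain part of an email address, lower-cased."""
    local, at, host = addr.rpartition("@")
    if not at or not local or not host:
        raise ValueError(f"not an email address: {addr!r}")
    return host.lower()


def contact_in_txt(domain: str, contact: str, dns_txt=DNS_TXT) -> bool:
    """Did the requested domain's zone publish this contact address?"""
    records = dns_txt.get(f"{TXT_LABEL}.{domain.lower()}", [])
    return any(r.strip().lower() == contact.lower() for r in records)


def flawed_validated_domains(requested: str, contact: str, dns_txt=DNS_TXT) -> set:
    """BUG (the pattern the article describes): besides the requested domain,
    the mailbox's own domain is recorded as validated, although nothing
    demonstrated control of it."""
    if not contact_in_txt(requested, contact, dns_txt):
        return set()
    return {requested.lower(), mailbox_domain(contact)}


def hardened_validated_domains(requested: str, contact: str, dns_txt=DNS_TXT) -> set:
    """Only the zone that carried the TXT record has been demonstrated."""
    if not contact_in_txt(requested, contact, dns_txt):
        return set()
    return {requested.lower()}


def may_issue(validated: set, name: str) -> bool:
    """A validated domain covers itself and its subdomains (as DCV methods
    commonly allow), never an unrelated domain."""
    name = name.lower().rstrip(".")
    return name in validated or any(name.endswith("." + d) for d in validated)


if __name__ == "__main__":
    req, contact = "example1.com", "attacker@gmail.com"
    for label, fn in (("flawed", flawed_validated_domains), ("hardened", hardened_validated_domains)):
        validated = fn(req, contact)
        print(label, sorted(validated), "may issue for gmail.com:", may_issue(validated, "gmail.com"))
```

The check that matters is the last one: an issuance decision must be made only against identifiers the applicant actually demonstrated control of, and the contact mailbox is a channel for the proof, not an identifier being proved.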

SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks - Attackers convince victims to install a malicious app that captures NFC data from a tapped card, which the attackers then use in NFC relay and replay attacks. Less technical family members should be reminded to always contact their financial institution directly if contacted about potential fraud, and to never tap a card against their phone or anything other than a payment terminal.

Politics

DOGE

Whistleblower describes how DOGE tore through NLRB IT system • The Register - Whistleblower claims the following:

  • The agency's Assistant Chief Information Officer ruled that NLRB accounts be created for DOGE employees and advised that the creation not be logged.
  • Those accounts were assigned Tenant Owner permissions, created multiple additional accounts and tokens to storage accounts, exported significant numbers of files related to ongoing NLRB investigations, and removed or deleted logs of this activity. Additional attempts were made from an endpoint in Russia to log in to the DOGE-created NLRB accounts, but these were stopped by conditional access policies.
  • It should be noted that Amazon, Tesla, and SpaceX, significant contributors to the Trump-Vance campaign, were under investigation by the National Labor Relations Bureau.
  • Additionally, the NLRB employee and his lawyers attest to the dropping of “night letters” featuring photos of the whistleblower and threatening language advising Berulis to drop the reports of the activity. Berulis' whistleblower disclosure: 2025_0414_Berulis-Disclosure-HELP-and-Oversight-with-Exhibits.pdf

Dems fret over DOGE feeding sensitive data into random AI • The Register - Democrats are going after DOGE's use of Musk's Grok AI, filing a report with the Office of Management and Budget stating that Grok doesn't meet the OMB's own AI guidelines, doesn't comply with federal law, and isn't FedRAMP certified.

Hegseth/SignalGate

CIA’s chief data officer says Signalgate chats have vanished • The Register - For that lawsuit, Blankenship testified [PDF] that when he came to take a copy of the group chat on Director Ratcliffe’s phone, following the judge’s retention order, the only remnant of the Signalgate chatter was the group name and some administrative info, such as members’ profile names. Almost all the rest of the data, including the content of the messages, was missing.

CVE

CVE program gets a last-minute save, maybe a new home • The Register - CISA continues CVE funding for another 11 months. This isn't comforting anyone though, and the EU and others are splintering the CVE program to gain some assurance and sovereignty.

The splintering of a standard bug tracking system has begun • The Register - The EU Vulnerability Database, the Global CVE Allocation System (GCAS) and the CVE Foundation now sit alongside the original MITRE-led National Vulnerability Database (NVD).

Privacy

Florida draft law mandating encryption backdoors for social media accounts billed ‘dangerous and dumb’ | TechCrunch - The "Social Media used by Minors" bill (SB868) would require a mechanism for decrypting end-to-end encrypted messages when law enforcement provides a subpoena. The obvious issue is that if any messages on the platform are not end-to-end encrypted, then potentially none of them are. That this comes weeks after the CALEA breaches is exceptionally tone deaf.

Threat Actors

Google Blocked 5.1B Harmful Ads and Suspended 39.2M Advertiser Accounts in 2024 - The tech giant said it stopped 5.1 billion bad ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages last year. It also suspended over 5 million accounts for scam-related violations. It's essential that you install an ad blocker on your devices. Firefox supports uBlock Origin (my preferred blocker), and it works on mobile and desktop. Additionally, if you're tech savvy, the Pi-hole project is a network-wide DNS blackhole that is extremely effective. (Couple this with Tailscale, the free WireGuard wrapper, and you have a great home VPN/ad-blocking setup that can run in a single Docker container on a Raspberry Pi or an always-on desktop in your home.)

Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks - These were likely being used by Pegasus or other spyware-for-hire outfits.

Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution - Erlang's SSH vulnerability lands at 10/10 on the CVSS score. Users should update immediately and/or disable the SSH service and remove the firewall rules that expose it. “Erlang is frequently found installed on high-availability systems due to its robust and concurrent processing support,” Dani said. “A majority of Cisco and Ericsson devices run Erlang.”

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.