
Ripple NPM supply chain attack hunts for private keys • The Register - Threat actors managed to publish five new versions of Ripple’s official npm package, each carrying code that steals private keys. The affected versions on npm are 4.2.1 through 4.2.4 and 2.14.2. Ripple holders who installed any of them should rotate the keys used on those systems.
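The first practical question is whether any project actually resolved one of the bad versions, which is a lockfile question rather than a package.json question (a range like ^4.2.0 says nothing about what was installed). The script below is an added example, not code from the article or from Ripple; it assumes the affected package is published under the npm name xrpl (the summary only says "Ripple's official npm package") and that the malicious version set is exactly 4.2.1-4.2.4 and 2.14.2. The sample lockfiles are constructed for the example.

```python
"""Scan an npm package-lock.json for installed copies of a package that fall
in a known-bad version set.  Added example; assumptions are marked below."""
import json
import sys
from typing import Dict, List, Tuple

# ASSUMPTION: the compromised package is the `xrpl` npm package, and these are
# the exact versions reported as carrying the key-stealing code.
SUSPECT_PACKAGE = "xrpl"
MALICIOUS_VERSIONS = {"4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"}


def installed_versions(lock: Dict, package: str) -> List[Tuple[str, str]]:
    """Return (install_path, version) for every copy of `package` in a lockfile.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by node_modules path
    (nested copies look like node_modules/a/node_modules/xrpl); lockfileVersion 1
    keeps a recursive "dependencies" tree.  Both are handled, and every copy is
    reported, because a nested duplicate is just as dangerous as the top-level one.
    """
    found: List[Tuple[str, str]] = []

    if "packages" in lock:  # v2/v3
        for path, meta in lock["packages"].items():
            # The last "node_modules/" segment is the package name (scoped names keep their slash).
            if path.split("node_modules/")[-1] == package and "version" in meta:
                found.append((path, meta["version"]))
        return found

    def walk(deps: Dict, prefix: str) -> None:  # v1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == package and "version" in meta:
                found.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def flag_malicious(lock: Dict, package: str = SUSPECT_PACKAGE,
                   bad=MALICIOUS_VERSIONS) -> List[Tuple[str, str]]:
    """Installed copies whose resolved version is in the known-bad set."""
    return [(p, v) for p, v in installed_versions(lock, package) if v in bad]


# Constructed sample lockfiles (not real projects).  The v3 one has a clean
# nested 2.14.1 and a bad top-level 4.2.3; the v1 one has a bad nested 2.14.2.
SAMPLE_LOCK_V3 = {
    "name": "wallet-tool", "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-tool", "dependencies": {"xrpl": "^4.2.0"}},
        "node_modules/xrpl": {"version": "4.2.3"},
        "node_modules/legacy-lib": {"version": "1.0.0", "dependencies": {"xrpl": "2.x"}},
        "node_modules/legacy-lib/node_modules/xrpl": {"version": "2.14.1"},
    },
}
SAMPLE_LOCK_V1 = {
    "name": "old-tool", "lockfileVersion": 1,
    "dependencies": {
        "xrpl": {"version": "4.2.0"},
        "helper": {"version": "0.1.0",
                   "dependencies": {"xrpl": {"version": "2.14.2"}}},
    },
}


if __name__ == "__main__":
    # Usage: python scan_lock.py path/to/package-lock.json
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    hits = flag_malicious(lock)
    for path, version in hits:
        print(f"MALICIOUS: {path} resolved to {version}")
    sys.exit(1 if hits else 0)
```

Run it against every package-lock.json (and, with the same idea, yarn.lock or pnpm-lock.yaml) in CI and on developer machines; a non-zero exit is the signal to rotate keys, not just to reinstall.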

UN says scam call center epidemic is expanding globally • The Register - South-East Asian OCGs (Organized Crime Groups) are feeling the heat in the South Pacific and moving abroad, making use of the Middle East and former Soviet-bloc countries to rake in billions.

Ukraine

Trojanized Alpine Quest app geolocates Russian soldiers • The Register - Somebody (Ukraine?) gave Russian soldiers a pirated copy of high-end topographic mapping software. It just so happens that the trojanized build sends the user’s files and location data to an unknown party.

Leaks and Breaches

Blue Shield shared 4.7M people’s health info with Google Ads • The Register - Info potentially shared with Google ranged from medical claim dates, doctors visited, patient names, insurance plan details, city of residence and zip code, gender, family size, and Blue Shield-assigned account identifiers, to financial responsibility info, and search queries and results for the “Find a Doctor” tool — including location, plan type, and provider details.

From 112K to 4M – HR biz’s data spill from bad to worse • The Register - In addition to the estimated 4 million affected individuals, VeriSource said names, addresses, dates of birth, genders, and social security numbers may have been stolen, although the data points won’t be the same for each person.

Yale New Haven Health alerts 5.5M+ patients of data breach • The Register - Intruders stole at least some patient data that, depending on the individual, may have included Social Security numbers; demographic info such as name, date of birth, address, telephone number, email address, race, or ethnicity; patient type; and medical record numbers.

Vulns

Potential SAP zero-day fixed, details locked behind paywall • The Register - SAP is setting a bad example for the rest of the world by paywalling the fix details: IOCs and other details of the zero-day, which has been weaponized since at least March 14th, are only available behind customer logins.

Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw - However, cyber defense search engine Onyphe paints a more dire picture, telling BleepingComputer that there are 1,284 vulnerable servers exposed online, with 474 already having been compromised with webshells.

159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure - This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.

Microsoft

Microsoft mystery folder fix might need a fix of its own • The Register - Microsoft’s odd folder fix discussed in last week’s notes brings new issues. Notably, a non-privileged user can replace the folder with a junction pointing at an executable, which causes Windows Update to fail.

Tactics

Who needs phishing when your login’s already in the wild? • The Register - Credential and token theft have finally overtaken phishing as the default way for bad guys to break in, which presents a problem for users and security practitioners alike.

FBI

FBI: Cybercrime cost victims ‘staggering’ $16.6B last year • The Register - America’s critical infrastructure operators reported almost 4,900 cybersecurity threats last year, with ransomware (1,403 complaints) topping the list. The five most reported ransomware variants: Akira, LockBit, RansomHub, Fog, and PLAY. However, ransomware losses reported to IC3 totaled only $12.5 million in 2024, compared to $59.6 million in 2023 and $34.4 million in 2022 (complainants rarely report the ransom itself, so these figures understate the real cost).

RSAC

There’s one question that stumps North Korean fake workers • The Register - How fat is Kim Jong Un? Attendees had the pleasure of hearing from Microsoft, the FBI, CrowdStrike, and Upwork on the dangers of, and tracking of, DPRK IT workers.

NSA, CISA top brass absent from RSA Conference • The Register - NSA and CISA participation at RSAC this year is at an all-time low, though former CISA bosses Jen Easterly and Chris Krebs are speaking. Instead, it has been announced that DHS Secretary Kristi Noem will appear Tuesday as a keynote speaker.

CISA officials jump ship, both pushed for Secure by Design • The Register - Unrelated to RSAC, but in regard to CISA: Bob Lord and Lauren Zabierek, both of whom helped drive the Secure by Design initiative, resigned this week. Based on public comments from the Trump administration, it appears Secure by Design may be going away or face significant modification.

Supply Chain

Security snafus caused by third parties up from 15% to 30% • The Register - Verizon’s Data Breach Investigations Report (DBIR) found that the proportion of breaches involving third parties rose from 15 percent in last year’s dataset to 30 percent in this year’s report. Remediation of issues at third parties also tended to take longer than when handled by in-house infosec teams. Those interested in our third-party exposure should speak with Nathan Kramer, who handles our Third Party Security Risk assessments.

Incoming Attacks

Experts forecast Ivanti VPN attacks as endpoint scans surge • The Register - Just like the Palo Alto and Juniper scans previously identified, threat actors’ automated scanning and probing botnets are starting to target Ivanti VPN endpoints… again.

Carriers

SK Telecom warns customer USIM data exposed in malware attack - Threat actors successfully attacked SK Telecom (48% market share) and stole USIM data, i.e. the information stored on a Universal Subscriber Identity Module, which typically includes the International Mobile Subscriber Identity (IMSI), Mobile Station ISDN Number (MSISDN), authentication keys, network usage data, and any SMS messages or contacts stored on the SIM. The IMSI plus authentication keys are exactly what is needed to clone a subscriber’s identity, which is why SIM replacement rather than a password reset is the remedy here.