Dior’s coveted client list of China’s wealthiest and most powerful consumers has been compromised in a major data breach, forcing the French luxury giant to issue an apology as it scrambles to contain potential fallout and limit any damage to its reputation.
The luxury brand under French conglomerate LVMH experienced a customer data breach in China on May 7. According to a text message sent to customers yesterday, the company disclosed that an unauthorized external party had gained access to its database, obtaining sensitive personal information such as customers’ names, gender, phone numbers, email addresses, mailing addresses, purchase amounts, and shopping preferences.
Dior emphasized that the compromised data did not include bank account details, IBANs (International Bank Account Numbers), or credit card information. Nonetheless, the brand urged customers to exercise heightened caution, advising them to beware of phishing messages, unsolicited calls or emails, and to avoid clicking on suspicious links or disclosing personal information.
Screen is the traditional terminal multiplexer software used on Linux and Unix systems. We found a local root exploit in Screen 5.0.0 affecting Arch Linux and NetBSD, as well as a couple of other issues that partly also affect older Screen versions, which are still found in the majority of distributions.
In July 2024, the upstream Screen maintainer asked us if we could have a look at the current Screen code base. We treated this request with lower priority, since we already had a cursory look at Screen a few years earlier, without finding any problems. When we actually found time to look into it again, we were surprised to find a local root exploit in the Screen 5.0.0 major version update affecting distributions that ship it as setuid-root (Arch Linux and NetBSD). We also found a number of additional, less severe issues that partly also affect older Screen versions still found in the majority of distributions.
We offer two sets of patches for the issues described in this report, one for screen-4.9.1 and another for screen-5.0.0. These patch sets apply against the screen-4.9.1 and screen-5.0.0 release tarballs, respectively. Due to difficulties in the communication with upstream we do not currently have detailed information about bugfixes and releases published on their end.
The next section provides an overview of the Screen configurations and versions found on common Linux and UNIX distributions. Section 3) discusses each security issue we discovered in detail. Section 4) takes a look at possible further issues in Screen’s setuid-root implementation. Section 5) gives general recommendations for the improvement of Screen’s security posture. Section 6) points out problems we encountered during the coordinated disclosure process for these issues. Section 7) provides an affectedness matrix which gives a quick overview of the situation on various Linux and UNIX systems.
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.
These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware.
However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.
ClickFix targeting Linux users
A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems.
The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.
On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50.
CVE-2025-31324 is a critical vulnerability residing in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK). While not installed by default, business analysts commonly use this component to create applications without coding, making it widely present in SAP deployments.
The core issue with this vulnerability is a missing authorization check in the Metadata Uploader, accessible via the /developmentserver/metadatauploader endpoint. This means that any user, even unauthenticated ones, can interact with this endpoint and upload arbitrary files to the server.
Here's a breakdown of how the vulnerability works:
Unrestricted access: The /developmentserver/metadatauploader endpoint is exposed over HTTP/HTTPS and lacks proper authentication or authorization controls.
Malicious file upload: An attacker can send a specially crafted HTTP request to the vulnerable endpoint, containing a malicious file as the request body.
File system access: Due to the missing authorization check, the server accepts the attacker's request and writes the uploaded file to the server's file system. The file is often written to a location within the web application's accessible directories (e.g., under /irj/servlet_jsp/irj/root/).
Web shell execution (common scenario): If the attacker uploads a web shell like a Java server page (JSP) file, the attacker can then access the web shell via a web browser. Now residing on the server, this web shell allows an attacker to execute arbitrary operating system commands with the privileges of the SAP application server process.
System compromise: With the ability to execute commands as an SAP system administrator (system account name: sidadm), an attacker effectively gains control of the SAP system and its associated data. The attacker can then perform various malicious activities.
CVE-2025-31324 allows attackers to bypass security controls and directly upload and execute malicious files on vulnerable SAP servers, potentially leading to complete system compromise. The ease of exploitation (no authentication required) and the possibility for high impact make this a critical vulnerability that requires immediate attention and remediation.
L'Ateneo: la nostra infrastruttura è stata oggetto di un grave attacco informatico che ha reso inaccessibili i siti web
Attacco hacker a Roma Tre, siti dell'università inaccessibili. Lo rende noto la stessa Università, spiegando che «nella notte dell’8 maggio, si è registrata una interruzione dei servizi informatici di Ateneo. A seguito delle operazioni di verifica effettuate già nella notte e proseguite per tutta la mattina del 9 si è potuto constatare che l'infrastruttura dell'Ateneo è stata oggetto di un grave attacco informatico che ha reso inaccessibili i siti web di Ateneo».
CVE-2025-37752 is an Array-Out-Of-Bounds vulnerability in the Linux network packet scheduler, specifically in the SFQ queuing discipline. An invalid SFQ limit and a series of interactions between SFQ and the TBF Qdisc can lead to a 0x0000 being written approximately 256KB out of bounds at a misaligned offset. If properly exploited, this can enable privilege escalation.
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, rand-user-agent@1.0.110. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads.
What is the package?
The package rand-user-agent generates randomized real user-agent strings based on their frequency of occurrence. It’s maintained by the company WebScrapingAPI (https://www.webscrapingapi.com/).
Our analysis engine detected suspicious code in the file dist/index.js. Lets check it out, here seen through the code view on npm’s site:
We’ve got a RAT (Remote Access Trojan) on our hands. Here’s an overview of it:
Behavior Overview
The script sets up a covert communication channel with a command-and-control (C2) server using socket.io-client, while exfiltrating files via axios to a second HTTP endpoint. It dynamically installs these modules if missing, hiding them in a custom .node_modules folder under the user's home directory.
Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
Arkadiusz Wargula via Getty Images
Government set to roll out passkey technology across digital services later this year.
SMS-based verification to be replaced by more secure, cost-effective solution.
NCSC joins FIDO Alliance to shape international passkey standards.
The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.
Announced on the first day of the government’s flagship cyber security event, CYBERUK, the move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security.
Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input.
This method is more secure because the key remains stored on the device and cannot be easily intercepted or stolen, making them phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey.
The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale, and the UK is already leading internationally with the NHS becoming one of the first government organisations in the world to offer passkeys to users.
In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password, and SMS code.
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.
This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
RSAC: Can we turn to govt, academic models instead?
Corporate AI models are already skewed to serve their makers' interests, and unless governments and academia step up to build transparent alternatives, the tech risks becoming just another tool for commercial manipulation.
That's according to cryptography and privacy guru Bruce Schneier, who spoke to The Register last week following a keynote speech at the RSA Conference in San Francisco.
"I worry that it'll be like search engines, which you use as if they are neutral third parties but are actually trying to manipulate you. They try to kind of get you to visit the websites of the advertisers," he told us. "It's integrity that we really need to think about, integrity as a security property and how it works with AI."
During his RSA keynote, Schneier asked: "Did your chatbot recommend a particular airline or hotel because it's the best deal for you, or because the AI company got a kickback from those companies?"
To deal with this quandary, Schneier proposes that governments should start taking a more hands-on stance in regulating AI, forcing model developers to be more open about the information they receive, and how the decisions models make are conceived.
He praised the EU AI Act, noting that it provides a mechanism to adapt the law as technology evolves, though he acknowledged there are teething problems. The legislation, which entered into force in August 2024, introduces phased requirements based on the risk level of AI systems. Companies deploying high-risk AI must maintain technical documentation, conduct risk assessments, and ensure transparency around how their models are built and how decisions are made.
Because the EU is the world's largest trading bloc, the law is expected to have a significant impact on any company wanting to do business there, he opined. This could push other regions toward similar regulation, though he added that in the US, meaningful legislative movement remains unlikely under the current administration.
The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert C2 channel.
On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk.
The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid.
Discord’s developer ecosystem is both massive and tightly knit. With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build but also live test, share, and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools, and code snippets are shared freely and often used with little scrutiny. It’s within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities.
The fact that this package was downloaded over 11,000 times, despite having no README or documentation, highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs, or Discord server threads, such packages can gain traction before ever being formally vetted.
Depuis la fin de l’année 2023, VIGINUM observe et documente les activités d’un mode opératoire informationnel russe susceptible d’affecter le débat public numérique francophone et européen, connu sous le nom de « Storm-1516 ».
Le mode opératoire informationnel (MOI) Storm-1516, actif depuis plus d’un an et demi, est responsable de plusieurs dizaines d’opérations informationnelles ayant ciblé des audiences occidentales, dont française. S’appuyant sur l’analyse de 77 opérations informationnelles documentées par VIGINUM et conduites par Storm-1516 entre la date de son apparition supposée et le 5 mars 2025, ce rapport détaille les principaux narratifs et contenus employés, leur chaîne de diffusion, ainsi que les acteurs étrangers impliqués dans la conduite du MOI.
L’analyse par VIGINUM de ces différentes opérations informationnelles démontre que le dispositif d’influence informationnelle russe a investi des efforts conséquents pour coordonner les actions d’un important réseau d’acteurs, d’organisations et de MOI agissant depuis le territoire russe et dans les pays ciblés, et ce depuis le début de l’invasion à grande échelle de l’Ukraine par la Russie en 2022.
Storm-1516 constitue aujourd’hui un mode opératoire informationnel mature, qui offre à ses commanditaires la capacité de mener à la fois des actions de court terme en réaction à l’actualité, mais également de s’inscrire dans des stratégies de long terme, visant à décrédibiliser des personnalités ou des organisations européennes et nord-américaines, notamment en amont de grands événements et de processus électoraux.
Si l’impact réel sur le débat public numérique demeure difficile à estimer, VIGINUM observe que de nombreux narratifs propagés via ce MOI ont atteint une visibilité très importante en ligne, et qu’ils sont parfois repris, de manière inconsciente ou opportuniste, par des personnalités et des représentants politiques de premier plan.
Les opérateurs de Storm-1516 poursuivent aujourd’hui leurs activités avec un rythme opérationnel soutenu, et devraient très probablement continuer à adapter leurs TTPs, notamment pour crédibiliser davantage leurs contenus, tenter de contourner les mécanismes de modération des plateformes, gêner le suivi et l’imputation technique de leurs activités, ou encore renouveler leurs infrastructures d’attaque.
Au regard de ces éléments, VIGINUM considère que les activités de Storm-1516 réunissent les critères d’une ingérence numérique étrangère, et représentent une menace importante pour le débat public numérique français et européen.
The presence of credentials in leaked “stealer logs” indicates his device was infected.
Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.
Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US.
A steady stream of published credentials
According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps.
“I have no way of knowing exactly when Schutt's computer was hacked, or how many times,” Lee wrote. “I don't know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.”
Overview: Check Point researchers have identified a new phishing campaign that exploits Microsoft’s “Dynamics 365 Customer Voice,” a customer relationship
Overview:
Check Point researchers have identified a new phishing campaign that exploits Microsoft’s “Dynamics 365 Customer Voice,” a customer relationship management software product. It’s often used to record customer calls, monitor customer reviews, share surveys and track feedback.
Microsoft 365 is used by over 2 million organizations worldwide. At least 500,000 organizations use Dynamics 365 Customer Voice, including 97% of Fortune 500 companies.
In this campaign, cyber criminals send business files and invoices from compromised accounts, and include fake Dynamics 365 Customer Voice links. The email configuration looks legitimate and easily tricks email recipients into taking the bait.
As part of this campaign, cyber criminals have deployed over 3,370 emails, with content reaching employees of over 350 organizations, the majority of which are American. More than a million different mailboxes were targeted.
Affected entities include well-established community betterment groups, colleges and universities, news outlets, a prominent health information group, and organizations that promote arts and culture, among others.
In April of 2025, Rapid7 discovered and disclosed three new vulnerabilities affecting SonicWall Secure Mobile Access (“SMA”) 100 series appliances (SMA 200, 210, 400, 410, 500v). These vulnerabilities are tracked as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821. An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution. These vulnerabilities have been fixed in version 10.2.1.15-81sv.
Rapid7 would like to thank the SonicWall security team for quickly responding to our disclosure and going above and beyond over a holiday weekend to get a patch out.
A vulnerability has been identified and remediated in all supported versions of the Commvault software. Webservers can be compromised through bad actors creating and executing webshells.
Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment. Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credential
Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2 which is vulnerable to an RCE CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point.
Further compounding the unfortunate situation, the actor was able to dump their database. This contained, as stated by Bleeping Computer, a number of tables such as bitcoin addresses, data about their build system such as bespoke builds for affiliates, A ‘chats’ table containing negotiation messages, which we’ll go through in a later post. And finally, of interest today, the usernames and passwords of LockBit agents using the console.
Of special importance, making our work markedly easier, these passwords were not hashed. Which sure is a choice, as an organization that performs ransomware attacks.
The vast majority of the passwords in this table as reasonably secure; it’s not solely hilariously weak credentials, but there still are a number that display poor security hygiene.
The weak passwords
Before going into my standard analysis, I’ll list off all of the weak passwords in question, and then we’ll go through the statistics of the whole set. The fun to highlight passwords:
Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.
On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and around $444,719 in compensatory damages.
This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.
WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”
Alsawah said the ruling “is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO Group’s spokesperson Gil Lainer left the door open for an appeal.
“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer said in a statement.
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip."
LockBit dark web site defaced with link to database
As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database.
From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including:
A 'btc_addresses' table that contains 59,975 unique bitcoin addresses.
A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds.
A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt.
A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th.
Affiliate panel 'chats' table
Affiliate panel 'chats' table
A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'.
In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost.
Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025.
It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.
Le 21 janvier 2025, au petit matin, David Balland, co-fondateur d’une start-up française spécialisée dans les crypto-monnaies, est enlevé avec sa compagne à leur domicile, dans le Cher. Une rançon est demandée. En moins de trois jours, les différentes unités de la gendarmerie mobilisées sur cette affaire conduisent les investigations, retrouvent les deux conjoints et interpellent dix malfaiteurs.
Le matin du 21 janvier 2025, un couple est enlevé à son domicile, à Vierzon, dans le Cher, par une équipe de malfaiteurs. David Balland est le co-fondateur de Ledger, une entreprise française spécialisée dans les crypto-monnaies. Les deux victimes sont aussitôt séparées et conduites en des lieux différents. Les ravisseurs contactent alors l’un des autres co-fondateurs de la start-up pour obtenir une rançon en monnaie électronique.
Concernant le volet cyber des investigations, l’Unité nationale cyber a déployé une quinzaine de ses gendarmes spécialistes, en appui de la S.R. de Bourges. « Notre action dans ce dossier a été double, a indiqué le colonel Hervé Pétry, commandant l’UNC. D'abord par une force de projection sur le terrain, pour appuyer les investigations par rapport à l'ensemble des supports numériques. Ces derniers ont été saisis de manière à geler la preuve, extraire les données, les traiter, les exploiter pour récupérer un maximum de preuves et d'informations nous permettant d'identifier et de localiser les individus pour retrouver les victimes. Nous avons pu progresser et transmettre les informations à la fois aux enquêteurs de la S.R. de Bourges et au GIGN, pour tout ce qui concerne le dispositif d'intervention et de recherches opérationnelles. Le deuxième aspect concerne des recherches effectuées à l'UNC, dont le siège est à Pontoise, en matière cette fois de cryptoactifs, d'identification, de traçabilité et de saisie. »
