Google intelligence report finds UK is a particular target of IT worker ploy that sends wages to Kim Jong Un’s state
British companies are being urged to carry out job interviews for IT workers on video or in person to head off the threat of giving jobs to fake North Korean employees.
The warning was made after analysts said that the UK had become a prime target for hoax IT workers deployed by the Democratic People’s Republic of Korea. They are typically hired to work remotely, enabling them to escape detection and send their wages to Kim Jong-un’s state.
Google said in a report this month that a case uncovered last year involved a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defence industry and government sectors. Under a new tactic, the bogus IT professionals have been threatening to release sensitive company data after being fired.
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.
Here are the key take-aways from our analysis and coverage of known exploited vulnerabilities:
In this two-part series, SpiderLabs explores the malicious traffic associated with Proton66, revealing the extent and nature of these attacks.
Mass scanning and exploit campaigns targeting multiple sectors
Starting from January 8, 2025, SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from Proton66 ASN targeting organizations worldwide. Although malicious activity was seen in the past, the spike and sudden decline observed later in February 2025 were notable, and offending IP addresses were investigated.
AS198953, belonging to Proton66 OOO, consists of five net blocks, which are currently listed on blocklists such as Spamhaus due to malicious activity. Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute force attempts. Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years. For instance, the last activities reported in AbuseIPDB for the IP addresses 45.134.26.8 and 45.135.232.24 were noted in November and July 2021, respectively.
A Chinese startup, Sand AI, appears to be blocking certain politically sensitive images from its online video generation tool.
A China-based startup, Sand AI, has released an openly licensed, video-generating AI model that’s garnered praise from entrepreneurs like the founding director of Microsoft Research Asia, Kai-Fu Lee. But Sand AI appears to be censoring the hosted version of its model to block images that might raise the ire of Chinese regulators from the hosted version of the model, according to TechCrunch’s testing.
Earlier this week, Sand AI announced Magi-1, a model that generates videos by “autoregressively” predicting sequences of frames. The company claims the model can generate high-quality, controllable footage that captures physics more accurately than rival open models.
Microsoft security chief Charlie Bell says the SFI’s 28 objectives are “near completion” and that 11 others have made “significant progress.”
Microsoft, touting what it calls “the largest cybersecurity engineering project in history,” says it has moved every Microsoft Account and Entra ID token‑signing key into hardware security modules or Azure confidential VMs with automatic rotation, an overhaul meant to block the key‑theft tactic that fueled an embarrassing nation‑state breach at Redmond.
Just 18 months after rolling out a Secure Future Initiative in response to the hack and a scathing US government report that followed, Microsoft security chief Charlie Bell said five of the program’s 28 objectives are “near completion” and that 11 others have made “significant progress.”
In addition to the headline fix to put all Microsoft Account and Entra ID token‑signing keys in hardware security modules or Azure confidential virtual machines, Bell said more than 90 percent of Microsoft’s internal productivity accounts have moved to phishing‑resistant multi factor authentication and that 90 percent of first‑party identity tokens are validated through a newly hardened software‑development kit.
The firm has stopped taking orders on its website and apps, including for food and clothes.
Marks & Spencer (M&S) says it has stopped taking online orders as the company struggles to recover from a cyber attack.
Customers began reporting problems last weekend, and on Tuesday the retailer confirmed it was facing a "cyber incident".
Now, M&S has entirely paused orders on its website and apps - including for food deliveries and clothes - and says it will refund orders placed by customers on Friday.
The firm's shares fell by 5% following the announcement, before recovering.
Online orders remained paused on Saturday morning.
"We are truly sorry for this inconvenience," the retailer wrote in a post on X.
"Our experienced team - supported by leading cyber experts - is working extremely hard to restart online and app shopping.
"We are incredibly grateful to our customers, colleagues and partners for their understanding and support."
Bell Ambulance and Alabama Ophthalmology Associates have suffered data breaches affecting over 100,000 people after being targeted in ransomware attacks.
One of them is Milwaukee, WI-based Bell Ambulance, which provides ambulance services in the area. The company revealed last week in a data security notice that it detected a network intrusion on February 13, 2025.
An investigation showed that hackers gained access to files containing information such as name, date of birth, SSN, and driver’s license number, as well as financial, medical and health insurance information.
Bell Ambulance did not say in its public notice how many individuals are impacted, but the Department of Health and Human Services (HHS) data breach tracker revealed on Monday that 114,000 people are affected.
The Medusa ransomware group announced hacking Bell Ambulance in early March, claiming to have stolen more than 200 Gb of data from its systems.
The second healthcare organization to confirm a data breach impacting more than 100,000 people is Birmingham, AL-based ophthalmology practice Alabama Ophthalmology Associates.
SK Telecom, South Korea’s largest telecom company, disclosed a data leak involving a malware infection.
SK Telecom is South Korea’s largest wireless carrier — it has tens of millions of subscribers and holds roughly half of the local market.
The company revealed on Tuesday in a Korean-language statement posted on its website that it detected an intrusion on April 19. An investigation showed that the attackers deployed malware and managed to obtain personal information belonging to customers.
Following the incident, SK Telecom is offering customers a free SIM protection service designed to prevent SIM swapping, which suggests that the leaked data could be leveraged for such activities.
A detailed analysis of a multi-stage card skimming attack exploiting outdated Magento software and fake image files.
In today’s post we’re going to review a sophisticated, multi-stage carding attack on a Magento eCommerce website. This malware leveraged a fake gif image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse-proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website.
The client was experiencing some strange behaviour on their checkout page, including clients unable to input their card details normally, and orders not going through. They contacted us for assistance. Thinking this would be a straightforward case of credit card theft instead what we found was actually a fascinating and rather advanced malware which we will explore in detail in this post.
A new attack technique named Policy Puppetry can break the protections of major gen-AI models to produce harmful outputs.
SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers.
MTN Group said an “unknown third-party has claimed to have accessed data linked” to parts of its system and that the incident “resulted in unauthorised access to personal information of some MTN customers in certain markets.”
A surveillance tool meant to keep tabs on employees is leaking millions of real-time screenshots onto the open web.
Your boss watching your screen isn't the end of the story. Everyone else might be watching, too. Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies.
The app, designed to track productivity by logging activity and snapping regular screenshots of employees’ screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame.
Singaporean businessman Lu Heng is poised to capture Africa’s regional IP address regulator, and with it, the keys to control of much of the world's remaining IPv4 addresses
People playing Blizzard's RTS have spent the last year complaining about hackers doing terrible shit
ReliaQuest has observed SAP NetWeaver incidents with unauthorized file uploads and malicious execution, hinting at a possible unreported vulnerability.
M-Trends 2025 data is based on more than 450,000 hours of Mandiant Consulting investigations. The metrics are based on investigations of targeted attack activity conducted between Jan. 1, 2024 and Dec. 31, 2024. Key findings in M-Trends 2025 include:
55% of threat groups active in 2024 were financially motivated, which marks a steady increase, and 8% of threat groups were motivated by espionage.
Exploits continue to be the most common initial infection vector (33%), and for the first time stolen credentials rose to the second most common in 2024 (16%).
The top targeted industries include financial (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%).
Global median dwell time rose to 11 days from 10 days in 2023. Global median dwell time was 26 days when external entities notified, 5 days when adversaries notified (notably in ransomware cases), and 10 days when organizations discovered malicious activity internally.
M-Trends 2025 dives deep into the aforementioned infostealer, cloud, and unsecured data repository trends, and several other topics, including:
Democratic People's Republic of Korea deploying citizens as remote IT contractors, using false identities to generate revenue and fund national interests.
Iran-nexus threat actors ramping up cyber operations in 2024, notably targeting Israeli entities and using a variety of methods to improve intrusion success.
Attackers targeting cloud-based stores of centralized authority, such as single sign-on portals, to gain broad access.
Increased targeting of Web3 technologies such as cryptocurrencies and blockchains for theft, money laundering, and financing illicit activities.
In a sanctions package including more than 150 new measures, the British government said it was closing loopholes being exploited by the Kremlin.
