Robin’s Newsletter #361

18 May 2025. Volume 8, Issue 20
M&S insurance claim may top £100M. Coinbase flips script on extortion attempt. OpenAI instructed to retain output log data.

This week

Need to Know, 18th May 2025

  • OpenAI instructed to retain output log data, regardless of contracts, regs
  • Coinbase offers $20M bounty following extortion attempt
  • Data pinched in M&S attack; insurance claim could top £100M…
  • … Scattered Spider turn attention to US retailers
  • Fancy Bear using XSS vulns to compromise webmail systems
  • SAP NetWeaver vulnerabilities being exploited by cybercriminals

Interesting stats

Roughly half of the apps on the Xiaomi Mi Store use proprietary encryption that is vulnerable to interception, compared to 3.5% of Google Play Store apps, according to a research paper from Princeton and Citizen Lab that reviewed 1,699 apps. LINK, PAPER

Five things

  1. UK retail incidents: M&S says that threat actors took some personal data during the incident, which it has been responding to for the last four weeks. The data includes names, addresses, and order histories, but is not believed to include usable payment card information or passwords. While some on social media have speculated that using “passwords” is potentially weasel-wording to avoid talking about hashed credentials, I suspect this is the company trying to keep communications accessible to customers, rather than cause for concern. The BBC says it understands the attackers gained access through an unnamed third party. The Financial Times reports that the insurance claim, from Allianz and Beazley, could be as high as £100 million. M&S’ annual insurance premium, believed to have been £5 million, may double following the breach. Meanwhile, customers and investors are still awaiting further details on when online orders, worth around £3.8 million a day, will restart. Operations have been disrupted since 25th April. The Co-op has been struggling with empty shelves this week. The company has not confirmed the nature of the incident — as members, not shareholders, own it, it doesn’t have to disclose to, for example, a stock exchange — while some deliveries from large depots are reportedly 20% below their normal capacity. Google warned this week that the Scattered Spider group, thought to be behind the attacks, was focusing on similar US retailers. M&S: PERSONAL DATA, THIRD PARTY, INSURANCE, RESTART; CO-OP; GOOGLE

  2. Coinbase has suffered a cyber incident and an extortion attempt. In an SEC filing, the cryptocurrency trading platform says unknown actors demanded $20 million, adding “we said no” in a blog post, which also flipped the script and said they would offer $20 million as a bounty to anyone providing information that leads to the arrest and conviction of those behind the attack. The attackers gained access to the personal, financial, and government ID information of “less than 1%” of Coinbase’s customer base by bribing “a small group of insiders” to copy data from customer support tools. LINK, BLOG POST

  3. Over 581 organisations running vulnerable versions of SAP NetWeaver are believed to have been compromised, according to analysis by EclecticIQ. Ransomware gangs are believed to be getting in on the action, beyond the original threat actors with connections to the Chinese government. Organisations have been reluctant to patch their SAP instances because the patch requires an update, and the software is typically used for critical finance, manufacturing and ERP activities. SAP

  4. The Russian-linked Fancy Bear group is using cross-site scripting (XSS) vulnerabilities in the Roundcube, MDaemon, Horde, and Zimbra email platforms to target Eastern European defence companies. The XSS vulnerabilities are exploited through spear-phishing emails that trigger when the user accesses the message through the webmail interfaces of the platforms. According to ESET, vendors patched some vulnerabilities many years ago. FANCY BEAR

  5. A New York Magistrate Judge has ordered OpenAI to retain “output log data” that it would otherwise delete at a user’s request, or because of privacy laws and regulations. The order is at the request of The New York Times, which is engaged in a lawsuit over copyright issues. It seems NYT has positioned this as OpenAI ‘destroying’ data needed for the case, while OpenAI contends that no explanation has been made as to why this data is necessary. It’s interesting to see a judge forcing OpenAI to retain, albeit segregated, data with a legal or contractual requirement to delete. Worth considering if your organisation uses ChatGPT. OPENAI (h/t Mario)

In brief

  • 🤓 Interesting reads: Phil Venables’ blog post on (re)starting a security programme from scratch: this is a good step-by-step list of activities covering people, process, and tech; you might be surprised by some of them. ETH Zurich researchers have discovered a way to defeat Intel’s Spectre defences, designed to prevent data leakage from speculative execution on shared machines. The bitrate is pretty slow: 5.6KB/s. The folks at Pen Test Partners have an interesting write-up on using Microsoft Copilot for SharePoint to find sensitive information on company file shares and serve up content from files the user may not have permission or the ability to access. SECURITY PROGRAMME, SPECTRE (PAPER (PDF)), COPILOT

  • ⚠️ Incidents: GlobalX, the airline chartered by the US government to run deportation flights, has made an SEC filing detailing “unauthorised activity” resulting from a cyber security incident. Luxury fashion brand Dior has confirmed an incident that affects customers of its fashion and accessories lines. US steel manufacturer Nucor had to suspend some operations in the wake of a cyber security incident. Grok, the AI chatbot from Elon Musk’s xAI, unexpectedly turned conversations towards the subject of “white genocide” this week; the company says that it was the result of “an unauthorised modification” to Grok’s system prompt, used as guardrails for how the chatbot should respond to users. It raises questions over the monitoring and integrity of xAI’s systems, but also highlights more broadly how relatively minor amendments to AI systems can have profound consequences. GLOBALX, DIOR, NUCOR, XAI

  • 🏴‍☠️ Ransomware: Chief executives of NHS suppliers are being asked to sign a cyber security charter and ‘defend as one’ amidst a growing number of ransomware attacks in the health sector. The charter includes a range of good practices and common sense measures such as patching systems, applying multi-factor authentication, monitoring infrastructure, and taking backups. NHS (LETTER)

  • 🕵️ Threat Intel: More detail around North Korea’s cyber operations and remote IT worker schemes from DTEX, an insider risk company. The FBI is warning of deepfakes impersonating government officials by scammers seeking access to victims’ computers. NORTH KOREA (REPORT (PDF)), FBI DEEPFAKE

  • 🪲 Vulnerabilities: ASUS DriverHub can be abused to install malicious software. The vulnerabilities (CVE-2025-3462 and -3463; 8.4, 9.4/10, respectively) relate to how the firmware update tool runs a local web server that doesn’t properly validate the source of the command. So long as the requesting origin includes ‘driverhub.asus.com’ in the domain, such as ‘driverhub.asus.com.attackerdomain.com’, commands will be executed. Ivanti Neurons IT service management solutions has a critical authentication bypass (CVE-2025-22462; 9.8/10). Ivanti Endpoint Manager Mobile (EPMM) also has an auth bypass and remote code execution vulns. Fortinet’s FortiVoice, FortiMail, FortiNDR, FortiCamera, and FortiRecorder are all affected by a critical stack overflow vulnerability that allows remote, unauthenticated actors to execute arbitrary commands (CVE-2025-32756; 9.6). ASUS (ADVISORY), IVANTI-1 (ADVISORY), IVANTI-2 (ADVISORY), FORTINET (ADVISORY)

  • 🧿 Privacy: The state of Texas has secured a $1.375 billion settlement from Google over charges that it collected and used biometric data without user consent. You may need to opt-out again from Meta using your public Facebook data to train its AI models. The US Consumer Financial Protection Bureau (CFPB) has cancelled plans to prevent data brokers from selling Americans’ financial data, credit history, and Social Security numbers. GOOGLE, META, DATA BROKERS

  • 📜 Policy & Regulation: Japan has passed the Active Cyberdefence Law (ACD), permitting Japan’s Self-Defence Force to engage in pre-emptive offensive cyber operations. JAPAN

  • 💰 Investments, mergers and acquisitions: Proofpoint is to acquire German Microsoft 365 security services outfit Hornetsecurity for reportedly “well over” $1 billion. HORNET
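The DriverHub item above is a good illustration of why a substring match is not origin validation. Below is an added example (my own reconstruction, not ASUS’s code or the advisory’s) that contrasts a naive “does the origin contain the trusted host name?” check with a strict check that parses the Origin header and requires an exact https authority match; the sample origins are constructed for the demo.

```python
from urllib.parse import urlsplit

# Host the local service is meant to trust (the name given in the advisory).
TRUSTED_HOST = "driverhub.asus.com"

def weak_origin_check(origin: str) -> bool:
    # Substring match of the kind described: any Origin value that merely
    # *contains* the trusted host name passes, including look-alike domains.
    return TRUSTED_HOST in origin.lower()

def strict_origin_check(origin: str) -> bool:
    # Parse the Origin header and require an exact, fully-qualified match:
    # https scheme, the trusted host as the whole authority (so no userinfo,
    # no port, no extra labels) and nothing after the authority.
    try:
        parts = urlsplit(origin.strip())
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return parts.netloc.lower() == TRUSTED_HOST

# Constructed sample Origin values: the legitimate one plus look-alikes.
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",                       # legitimate
    "https://driverhub.asus.com.attackerdomain.com",    # look-alike named on the page
    "https://driverhub.asus.com@evil.example",          # trusted name as userinfo
    "http://driverhub.asus.com",                        # wrong scheme
    "https://evil.example/driverhub.asus.com",          # trusted name in the path
    "null",                                             # opaque origin
]

def compare_checks(origins=SAMPLE_ORIGINS):
    """Return {origin: (weak_result, strict_result)} for each sample origin."""
    return {o: (weak_origin_check(o), strict_origin_check(o)) for o in origins}

if __name__ == "__main__":
    for origin, (weak, strict) in compare_checks().items():
        print(f"{origin:48} weak={weak!s:5} strict={strict}")
```

Only the first sample should pass the strict check; the weak check accepts every sample except the opaque “null” origin.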

And finally

  • The EU has launched the European Vulnerability Database (EUVD), which features details of vulnerabilities and fixes and highlights critical and known-exploited issues. The EUVD has been in the works for a couple of years, rather than being a knee-jerk reaction to a recent 11th-hour funding save for the US-sponsored CVE programme. EUVD (SITE)
Robin