Cybersecurity Threats and Trends - 06/05/2025

Today's cyber roundup features critical vulnerabilities, cloud security warnings, and sophisticated social engineering tactics...

In partnership with

Optimize global IT operations with our World at Work Guide

Explore this ready-to-go guide to support your IT operations in 130+ countries. Discover how:

  • Standardizing global IT operations enhances efficiency and reduces overhead

  • Ensuring compliance with local IT legislation to safeguard your operations

  • Integrating Deel IT with EOR, global payroll, and contractor management optimizes your tech stack

Leverage Deel IT to manage your global operations with ease.

As we navigate through today's digital minefield, remember that in cybersecurity, we don't just patch systems – we patch our collective paranoia to keep it at healthy levels. Let's dive into this week's top threats.

1. Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials

Primary Threat: Several widely used Chrome extensions are transmitting sensitive data over unencrypted HTTP and embedding hard-coded credentials in their code, exposing users to significant privacy and security risks.

Risk: HIGH

Cybersecurity researchers at Symantec said these extensions expose browsing domains, machine IDs, operating system details, and other sensitive information in plaintext. The unencrypted traffic makes users susceptible to adversary-in-the-middle attacks, allowing malicious actors on the same network to intercept or modify this data. Extensions with hard-coded API keys and tokens could be weaponized by attackers to craft malicious requests, corrupt metrics, inflate costs, or exhaust usage limits.

Detection and Remediation Tips:

  • Review and remove any affected extensions including SEMRush Rank, Browsec VPN, MSN New Tab, DualSafe Password Manager, and others listed in the advisory

  • Switch to extensions that use HTTPS for all communications

  • Consider using browser privacy tools that monitor extension behavior

  • Be skeptical of extensions requesting excessive permissions, especially from less-known developers
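A quick audit of an unpacked extension for the two defects described above, plaintext `http://` endpoints and credentials embedded in the bundle, as an added example that is not part of the original advisory or the newsletter; the secret patterns are constructed heuristics (only the Google key prefix is a published format) and the sample script below is made up to exercise them.

```python
import re
from pathlib import Path

# Plaintext endpoints: any http:// URL that is not loopback.
HTTP_URL = re.compile(r"""["']http://(?!localhost|127\.0\.0\.1)[^"'\s]+""")

# Credential shapes that should never ship inside extension code. The
# Google key prefix is a published format; the rest are constructed
# heuristics and will need tuning for a real code base.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "generic_api_key": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9_\-.]{20,}"),
}

def scan_source(text: str, filename: str = "<inline>") -> list:
    """Return one finding per plaintext endpoint or embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            findings.append({"file": filename, "line": lineno, "kind": "plaintext_http",
                             "match": m.group(0).strip("\"'")})
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"file": filename, "line": lineno,
                                 "kind": kind, "match": m.group(0)})
    return findings

def audit_extension(root: Path) -> list:
    """Walk an unpacked extension directory and scan every JS/JSON/HTML file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in {".js", ".json", ".html"}:
            findings.extend(scan_source(path.read_text(errors="ignore"),
                                        str(path.relative_to(root))))
    return findings

# Constructed sample mimicking the reported defects (not real extension code).
SAMPLE_JS = """
const telemetry = "http://telemetry.example.invalid/collect";
const apiKey = "AIzaSyA1234567890abcdefghijklmnopqrstuv";  // hard-coded key
fetch(telemetry + "?id=" + machineId + "&key=" + apiKey);
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS, "background.js"):
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['match']}")
```

Point `audit_extension` at the unpacked extension folder under the browser profile's `Extensions` directory to review what an installed extension actually ships.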

2. Iran-Linked BladedFeline Targets Iraqi and Kurdish Officials with Custom Malware

Primary Threat: An Iran-aligned hacking group dubbed BladedFeline has been conducting cyber espionage operations against Kurdish and Iraqi government officials using sophisticated custom malware.

Risk: HIGH

Security researchers at ESET revealed that BladedFeline, likely a sub-cluster of the Iranian OilRig APT group, has developed and deployed multiple backdoors including Whisper, Spearal, and Optimizer to maintain persistent access to target networks. The group has been active since at least 2017 and is specifically targeting Kurdish diplomatic officials and Iraqi government networks to gather intelligence that aligns with Iranian strategic interests in the region.

Detection and Remediation Tips:

  • If you're in a targeted sector, implement enhanced monitoring for the indicators of compromise associated with these attacks

  • Deploy robust email filtering to detect spear-phishing attempts, a common initial access vector

  • Ensure all internet-facing applications are patched and properly configured

  • Implement network segmentation to limit lateral movement if systems are compromised

  • Consider threat intelligence services focused on Middle Eastern threat actors if operating in the region

3. Multiple High-Risk Vulnerabilities in Microsoft Products Affect Windows, Azure, and Office

Primary Threat: CERT-In has identified 78 vulnerabilities across a broad range of Microsoft products, including critical flaws that could allow attackers to gain elevated privileges, execute remote code, or access sensitive information.

Risk: HIGH

Security researchers reported that the most severe vulnerabilities include a Windows flaw (CVE-2025-29959) that could allow attackers to run malicious code, steal data, or crash systems, and several Office vulnerabilities (CVE-2025-29979, CVE-2025-29978, CVE-2025-29977, CVE-2025-29976) enabling remote code execution. Azure cloud services are also affected by three elevation of privilege vulnerabilities (CVE-2025-27488, CVE-2025-30387, CVE-2025-29973), which could allow attackers to perform unauthorized actions with escalated permissions.

Detection and Remediation Tips:

  • Apply Microsoft's June 2025 security patches immediately across all affected products

  • Prioritize patching systems exposed to the internet or containing sensitive data

  • Implement the principle of least privilege for all user accounts and service principals

  • Monitor systems for unusual activity that might indicate exploitation attempts

  • Consider implementing additional security controls like application whitelisting and network segmentation

Did you know...?

The Evilginx phishing framework, similar to tools used by groups like BladedFeline, has evolved significantly since its introduction in 2017. Originally designed to bypass two-factor authentication, modern versions can now perform real-time session hijacking by acting as a transparent proxy between victims and legitimate websites. These advanced phishing tools can intercept authentication tokens even when hardware security keys are used, demonstrating why technical controls must always be complemented by human vigilance and proper security awareness training.

4. HMRC Cyber Attack Compromises 100,000 Taxpayer Accounts

Primary Threat: Cybercriminals have successfully accessed approximately 100,000 UK taxpayer self-assessment accounts at HMRC (Her Majesty's Revenue and Customs), the UK's tax authority.

Risk: MEDIUM

According to cybersecurity expert Professor Oli Buckley from Loughborough University, who commented on the incident, attackers used stolen credentials obtained through phishing campaigns to access the accounts and fraudulently claim more than £47 million in tax rebates. While no taxpayer money was directly stolen from individuals, HMRC has had to lock and reset all affected accounts as a precaution, causing significant disruption to users.

Detection and Remediation Tips:

  • If you have an HMRC account, change your password immediately and enable multi-factor authentication if available

  • Be vigilant for phishing attempts impersonating HMRC, especially those requesting login credentials or personal information

  • Use unique passwords for financial and tax-related accounts

  • Consider using a password manager to generate and store strong, unique credentials

  • Monitor your tax account for any unauthorized activity or unexpected communications

5. Operation ENDGAME 2025: Major Ransomware Takedown

The Scoop: A massive international law enforcement operation has dismantled significant ransomware infrastructure, taking down 300 servers and neutralizing 650 domains used by ransomware operators.

Risk: Informational

According to SME Cyber Insights, Operation ENDGAME, coordinated by Europol and Eurojust with participation from law enforcement agencies in Canada, Denmark, France, Germany, the Netherlands, the UK, and the USA, targeted "initial access malware" - the tools criminals use to break into business systems before launching ransomware attacks. The operation has issued arrest warrants for 20 cybercriminals who specifically targeted small and medium enterprises, which are prime targets because they typically have fewer cybersecurity defenses.

What you should do:

  • Update your security software and ensure all systems are patched

  • Implement or review your backup strategy to ensure it follows the 3-2-1 rule (3 copies, 2 different media types, 1 offsite)

  • Consider security awareness training for employees to recognize initial access attempts

  • Review your incident response plan in case of a ransomware attack

  • For small businesses, consider managed security services if in-house expertise is limited

6. Multiple Cisco Security Flaws Exposed with Public Exploit Code

Primary Threat: Cisco has patched three vulnerabilities with public exploit code affecting its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) products.

Risk: HIGH

Security researchers reported that these flaws include a critical static credential vulnerability (CVE-2025-20286), an arbitrary file upload vulnerability (CVE-2025-20130), and an information disclosure vulnerability (CVE-2025-20129). The most concerning is the static credential issue, which could allow attackers to extract credentials from one cloud deployment and use them to access other environments. Cisco has confirmed that proof-of-concept exploit code is already available for these vulnerabilities, significantly increasing the risk of exploitation.

Detection and Remediation Tips:

  • Apply the security patches released by Cisco immediately

  • If using cloud deployments, verify whether your configuration is vulnerable (Primary Administration node in the cloud)

  • Consider implementing network segmentation to limit potential damage

  • Monitor for suspicious access attempts to affected systems

  • Review logs for signs of exploitation, particularly if patching has been delayed

IN SUMMARY:

From browser extensions leaking sensitive data to nation-state actors targeting government officials, and from critical infrastructure vulnerabilities to massive ransomware takedowns, this week's threats demonstrate the diverse attack surface that organizations must defend. The HMRC breach particularly demonstrates how even well-resourced organizations can fall victim to relatively simple social engineering tactics when deployed at scale.

🚨 Key Takeaways:
✔️ Browser extensions continue to be a significant security risk vector, with popular extensions exposing sensitive data through basic security mistakes.
✔️ Nation-state actors are developing increasingly sophisticated malware to target specific regions and organizations aligned with their strategic interests.
✔️ Microsoft's June security update addresses 78 vulnerabilities across multiple products, highlighting the importance of prompt patching.
✔️ Large-scale phishing campaigns remain highly effective, as shown by the HMRC breach affecting 100,000 accounts.
✔️ Law enforcement agencies are making progress against ransomware infrastructure, but small businesses remain particularly vulnerable.
✔️ Public exploit code significantly increases risk, requiring immediate patching of affected systems.

🔎 Immediate Actions:
✔️ Review and potentially remove Chrome extensions, particularly those mentioned in the Symantec advisory.
✔️ Apply Microsoft's June security patches immediately across all affected products.
✔️ Change passwords for tax and financial accounts, especially if you're a UK taxpayer using HMRC services.
✔️ Implement or review your ransomware defense and recovery strategy.
✔️ Enhance email security and user training to combat sophisticated phishing attempts.
✔️ Apply Cisco security patches immediately if you're using affected products.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

Seeking impartial news? Meet 1440.

Every day, 3.5 million readers turn to 1440 for their factual news. We sift through 100+ sources to bring you a complete summary of politics, global events, business, and culture, all in a brief 5-minute email. Enjoy an impartial news experience.