
Hello all,
Last week was “World Password Week”. However, this year many tech giants chose to replace “password” with “passkey”. In fact, on what was World Password Day, Microsoft announced that all new Microsoft accounts will now be passwordless, use passkeys by default, and existing accounts will be transitioned as quickly as possible. The RSA conference didn’t unleash the hailstorm of vulnerabilities that I expected, but instead there was a steady stream of new product and enhancement announcements – most involving the use of AI. There was at least one vulnerability revealed last week that has devastating potential.
Headline NEWS:
- Apple AirPlay vulnerabilities revealed that can enable zero-click device takeover, DoS, Remote Code Execution (RCE), Man-in-the-Middle (MitM) attacks, and more. This is as serious as it gets since the defect is in the AirPlay SDK itself and will need to be fixed in everything that uses it. Attackers can use these flaws to set up beachheads for other attacks, to spy on networks, and to surreptitiously exfiltrate data. Check your devices for updates. If you don’t need AirPlay active, turn it off.
- iOS vulnerability in the Darwin Notifications system. This part of the operating system, which lets processes communicate with each other, has a defect that could crash the operating system with a single line of code. The fix is to update to iOS version 18.3 or later.
- Linux Kernel defect dubbed “Attack of the Vsock” was revealed this week that could allow for privilege escalation all the way to root. Check with your favored penguin vendor for updates to plug this hole.
- Microsoft Passwordless future is here. Big Redmond has flipped the switch, and all new accounts will now be created with passkeys vs. passwords. Any existing accounts that use a password and MFA will be prompted to create a passkey after successful login. Upon next login, you’ll be prompted to log in with the new passkey. It is unclear at this time how organizations that use other MFA methods and have complex Conditional Access Policies surrounding logons will be affected by this change.
In Ransomware, Malware, and Vulnerabilities News:
- Microsoft Windows RDP caches passwords – indefinitely. A researcher discovered that RDP sessions cache passwords locally, and even if you change the password in Azure, the old password still works on the Windows RDP machine. In fact, many old passwords work! When this was brought to Microsoft’s attention, they said that this was by design and that they had no plans to change it. Since this story broke this week, there has been a lot of press about it, so I expect that this unbelievable hole will get plugged soon – I hope.
In Other News Events of Note and Interest:
- Windows Server Hot patching – pay to play. I was excited when I first learned that Microsoft would include the ability to hot patch locally run versions of Windows Server 2025. Previously, this had only been available to Azure hosted Windows servers. Unfortunately, the world learned this week that Microsoft wants to charge us $1.50 per core per month for the privilege of only needing to reboot once a quarter. Somehow this seems like a money grab to me.
Musings:
I saw a shirt on LinkedIn this week with #NaaS on it. This stands for “Not as a Service”. Hundreds of people commented on the picture that they agree. I’m old enough to recall that you could purchase software (or a license to use it, as vendors are apt to say) and it was perpetual. If you didn’t want new versions, you could keep using that same version on your systems until either the software wouldn’t work with your operating system, or the silicon turned back into sand, whichever came first. Nowadays, nearly everything is a service that you pay for monthly. The last two generations have mostly grown up with the mindset of “What is my monthly payment?” for just about anything. And as long as they have enough money to pay the bills, they’re content, never considering the long-term cost of use or ownership. Subscription everything. Car leases, finance a $1000 cellphone monthly, prepared meals delivered home, and monthly software subscriptions. I must admit that in some ways, always having the most up to date “thing” is a nice benefit of a subscription, but how many of the new features or enhancements do you truly find useful? I suspect that I could do pretty much everything I needed to do regarding document writing with Microsoft Word 6.0. But maybe my luddite ways need to ease up a bit, because purely from a security mindset, subscription services for software have been a godsend in that holes are continually plugged, and threat actors have a significantly harder time doing their evil work. So, I guess the hashtag should be #EiiSBaS, “Evaluate if it Should Be a Service”, because not everything should. Still, Microsoft’s recent announcement that hot patching of security updates will require a subscription seems downright wrong, like a money-grab. Alas, based on our “What’s my monthly payment?” culture, I expect that enough organizations will sign up and this new revenue stream will become standard.

Keep the shields up!
Viscount Jan Broucinek
Red Dot Security News
Headline NEWS
- AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover
- Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
- New iOS Critical Vulnerability That Could Brick iPhones With a Single Line of Code
- Critical Linux Kernel Flaw (CVE-2025-21756) Allows Privilege Escalation
- Microsoft is now forcing new users to adopt a passwordless future
Ransomware, Malware, and Vulnerabilities News
- Ukrainian extradited to US for Nefilim ransomware attacks
- Hacker ‘NullBulge’ pleads guilty to stealing Disney’s Slack data
- Central District of California | Yemeni Man Charged in Federal Indictment
- World Password Week 2025: AP’s expert tips to stay safe online
- FBI warns of time-traveling hackers
- FBI shares massive list of 42,000 LabHost phishing domains
- CISA tags Broadcom Fabric OS, CommVault flaws as exploited in attacks
- CISA Alerts Users to Security Flaws in Planet Technology Network Products
- Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis – Google Blog
- The Cyberthreat Report: April 2025
- Any Run Malware Trends Report, Q1 2025: Get Your Copy
- Vulnerability Exploitation Is Shifting in 2024-25
- US Critical Infrastructure Still Struggles With OT Security
- Many Fuel Tank Monitoring Systems Vulnerable to Disruption
- Backdoor found in popular ecommerce components
- Magento supply chain attack compromises hundreds of e-stores
- Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack
- Hacking in Space: Not as Tough as You Might Think
- iOS and Android juice jacking defenses have been trivial to bypass for years
- Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.
- CISOs should re-consider using Microsoft RDP due to password flaw, says expert
- Unpatched Windows Shortcut Vulnerability Let Attackers Execute Remote Code
- Google Chrome Vulnerability Let Attackers Escape Payload from Sandbox
- Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach
- Malicious PyPI packages abuse Gmail, websockets to hijack systems
- Is it safe to unsubscribe from spam you didn’t sign up for?
- HPE Turns Attention to Security with Latest Features
- Here’s how long it takes a hacker to figure out your passwords
- Cloudflare mitigates record number of DDoS attacks in 2025
- Researchers Note 16.7% Increase in Automated Scanning Activity
- Kali Linux warns of update failures after losing repo signing key
- I saw how an “evil” AI chatbot finds vulnerabilities. It’s as scary as you think
- Backblaze responds to claims of “sham accounting,” customer backups at risk
- NVIDIA releases another GeForce Hotfix driver with 10 game and monitor fixes
- Critical SAP NetWeaver flaw exploited by suspected initial access broker
- SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
- SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
- China now America’s number one cyber threat – US must get up to speed
- China is using AI to sharpen every link in its attack chain, FBI warns
- Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
- SentinelOne Targeted by North Korean IT Workers, Ransomware Groups, Chinese Hackers
- Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives
- JPMorgan Chase Suffers $1,000,000 Loss After Scammers Lift Customers’ Credit Cards
- Breach at health insurance giant Blue Shield of California leaked health data of millions
- Emera, Nova Scotia Power respond to cybersecurity breach; incident response teams mobilized
- Ascension discloses new data breach after third-party hacking incident
- Kelly & Associates Insurance Group, Inc. Data Breach – Levi & Korsinsky, LLP Launches Investigation
- Nearly three-quarters of businesses were hit by ransomware in 2024: why the worst could still be coming
- Ransomware attack shuts down DuPage sheriff’s, courthouse computers
- Cyber attack disrupts Bartlesville school systems in Oklahoma
- DragonForce expands ransomware model with white-label branding scheme
- DragonForce and Anubis Ransomware Operators Unveils New Affiliate Models
- Co-op confirms data theft after DragonForce ransomware claims attack
- MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks
- Fog Ransomware Reveals Active Directory Exploitation Tools and Scripts
- Hitachi Vantara takes servers offline after Akira ransomware attack
- Harrods the next UK retailer targeted in a cyberattack
Other News Events of Note and Interest
- Cool Tool: DevToys – A Swiss Army knife for developers
- How I Turned My Handwriting Into a Font (And How You Can Too)
- World’s first computer that combines human brain with silicon now available
- Storage device boiled in salt water, then grilled in an oven as proof of durability
- You asked, we built it: Firefox tab groups are here
- Firefox could be doomed without Google search deal, says executive
- 10 passkey survival tips: The best preparation for a password-less future is to start living there now
- Browser-stored passwords: Why it is a bad idea to do it
- Microsoft ends Authenticator password autofill, moves users to Edge
- The Vatican, a cybersecurity powerhouse
- European Commission fines Apple and Meta $800 million
- House passes “Take it Down Act,” sending revenge porn bill backed by Melania Trump to president’s desk
- ‘Godfather of AI’ Says Humans Would Be Powerless If AI Seized Control
- What Happens When AI Starts To Ask the Questions?
- AI models routinely lie when honesty conflicts with their goals
- AI-generated code could be a disaster for the software supply chain. Here’s why.
- Claude’s AI research mode now runs for up to 45 minutes before delivering reports
- Microsoft CEO says up to 30% of the company’s code was written by AI
- Meta has finally launched its ChatGPT competitor
- Thirteen new MCP servers from Cloudflare you can use today
- Not everything needs an LLM: A framework for evaluating when AI makes sense
- Amazon launches first Kuiper satellites in bid to take on Starlink
- JPMorgan Chase CISO Fires Warning Shot Ahead of RSA Conference
- Microsoft Leadership Urges U.S., Allies to Double Down on Quantum
- DeepSeek speculation swirls online over Chinese AI start-up’s much-anticipated R2 model
- Microsoft fixes Outlook paste, blank calendar rendering issues
- Microsoft pitches pay-to-patch reboot reduction subscription for Windows Server 2025
- Microsoft to Charge $1.50 per Core Each Month for Windows Server Updates
- Microsoft: Windows Server hotpatching to require subscription
- Microsoft: Windows 11 24H2 updates fail with 0x80240069 errors
- Microsoft Readies Administrator Protection Option for Windows 11
- Microsoft is getting ready to host Elon Musk’s Grok AI model
- Microsoft fixes Exchange Online bug flagging Gmail emails as spam
- Microsoft finally fixes Windows 11’s folders so they open much faster with new update
- Microsoft to Make Passkeys the Default for New Accounts, Phasing Out Passwords