May 5, 2025

News roundup May 5, 2025

San Mateo, CA, May 5, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

UK and Canada demand 23andMe data safeguards

23andMe’s bankruptcy and search for a potential buyer have prompted the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) to call for protection of the sensitive data involved in the sale. In a joint letter, the ICO and OPC warned prospective buyers that they could face legal action for misuse of the data, and outlined “requirements under UK and Canadian law for both 23andMe and any potential buyer of either the company or its customers’ personal data to adhere to UK General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).” 23andMe has said any buyer would be required to adhere to its privacy policies, but the regulators point out that the company’s policy states it “may make changes to this Privacy Statement from time to time.” Read more.

Apple alerts users to global spyware threat

According to two alleged targets, Apple has been sending notifications to users believed to have been targeted with government spyware. One victim, Italian journalist Ciro Pellegrino, wrote that the message he received from Apple said, “today’s notification is being sent to affected users in 100 countries.” Another victim, Dutch right-wing activist Eva Vlaardingerbroek, said her message from the company stated, “Apple detected a targeted mercenary spyware attack against your iPhone. This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.” It is not known what spyware campaign Apple has detected. Read more.

WordPress malware poses as plugin

Appearing in the file system as “WP-antymalwary-bot.php” or “wp-performance-booster.php,” a sophisticated WordPress malware posing as a security plugin has been identified by researchers at Wordfence. The malware, which combines “legitimate-appearing code structures with persistent infection mechanisms and sophisticated backdoor capabilities,” has several features that let hackers execute code remotely and serve unwanted advertisements. It also “includes mechanisms to ping Command & Control (C&C) servers, providing attackers with real-time information about infected sites and enabling coordinated attacks across compromised platforms.” The malware is able to modify the WordPress wp-cron.php file, allowing it to be reinstalled even after it has been removed. Read more.

Meta rolls out AI privacy and security tools

Meta has disclosed a “suite of new tools and updates designed to bolster security, enhance privacy and strengthen protection of its Llama large language model (LLM) for the open-source AI community.” Meta AI is set to be a standalone app powered by the company’s Llama 4 AI model. It will integrate with Meta AI glasses and provide responses based on users’ social media accounts. The company also unveiled LlamaFirewall, a “new security guardrail tool to prevent malicious activities targeting AI models and applications,” CyberSec Eval 4, “Meta’s latest edition of open-source cybersecurity benchmark suite, which includes two new tools, CyberSOC Eval and AutoPatchBench, to assess AI systems’ defense capabilities,” and the Llama Defenders Program, “a new industry initiative to help partner organizations and developers access a variety of open, early-access and closed AI solutions to address different security needs.” Read more.

House passes bill criminalizing deepfake porn

The House handily passed a bill that would make it a criminal act to use a person’s likeness to create deepfake adult content. Passed by a vote of 402-2, the Take It Down Act is one of the nation’s first pieces of legislation that puts AI-generated deepfakes in the crosshairs. According to CyberScoop, “the bill makes it a federal crime to publicize nonconsensual imagery of others, both real and AI-generated, and requires companies to remove any images hosted or shared on their platforms within 48 hours of receiving notice. It also empowers the Federal Trade Commission to investigate and enforce compliance.” Having already passed in the Senate, the bill needs only a presidential signature to become law. Critics, however, feel that despite the bill’s good intentions it could hold “dangerous implications” with regard to online privacy and free speech. “The TAKE IT DOWN Act, while well-intentioned, was written without appropriate safeguards to prevent the mandated removal of content that is not nonconsensual intimate imagery, making it vulnerable to constitutional challenge and abusive takedown requests,” said Becca Branum, deputy director of the Free Expression Project at the Center for Democracy and Technology. Read more.

RansomHub gains ground amid RaaS fallout

Law enforcement operations hitting the ALPHV and LockBit ransomware groups and “multiple exit scams affecting major Ransomware-as-a-Service (RaaS) players” have prompted RansomHub to position itself as a trusted alternative for affiliates who have been affected. To that end, the group has been promoting services meant to appeal to criminals looking for a reliable operation, such as low commission rates, support for cryptocurrency wallets, full affiliate control over victim negotiations, and additional customization in ransom notes. According to findings by Group-IB, as RaaS providers tend to offer similar ransomware capabilities, their branding, perceived reliability, communication, and affiliate trust are becoming more critical when it comes to attracting and retaining criminal partners. Read more.

Gremlin infostealer marketed on Telegram

Palo Alto Networks’ Unit 42 has shared a report on a new infostealer strain called Gremlin Stealer. The malware has been advertised since March of 2025 via a Telegram channel called CoderSharp. The malware seems to be under active development but is already said to be able to “steal data from a wide range of software on a Windows computer.” Gremlin Stealer can collect clipboard data, screenshots, local device metadata, credit card details, cookies, passwords, crypto wallet information, FTP service data, Steam data, VPN credentials, Discord tokens, and Telegram session data. The Gremlin Stealer website hosts 14 ZIP archives containing stolen data. The developer of Gremlin Stealer is selling the malware for $100. Read more.

AirPlay flaw enables remote takeovers

AirBorne is a newly discovered flaw in Apple’s AirPlay protocol that has “exposed over 2.35 billion active Apple devices and tens of millions of third-party gadgets to remote code execution (RCE) attacks requiring no user interaction.” Oligo Security researchers identified the flaw and determined that it “allows attackers on the same Wi-Fi network to hijack devices ranging from Macs and iPhones to CarPlay-enabled vehicles and smart speakers.” Apple has issued a patch for the vulnerability, but Oligo suggests that many third-party devices may remain exposed for years to come because of the widely adopted AirPlay protocol and “AirPlay’s integration into diverse ecosystems.” Read more.

Half of mobile devices run outdated OS

Zimperium’s 2025 Global Mobile Threat Report indicates that half of all mobile devices in use are running outdated operating systems. This makes the devices in question vulnerable to attack. The report also calls out a rise in mobile-targeting attacks and app vulnerabilities as hackers zero in on the use of smart devices in corporate environments. Smishing has surged to make up 69.3% of all mobile phishing attacks. Vishing rose by 28%. “The rise of sophisticated and large-scale mobile phishing campaigns reflects the evolving threat landscape,” said Darren Guccione, CEO of Keeper Security. “Cybercriminals are leveraging phishing pages that appear official to exploit users’ trust.” Zimperium’s report also highlights that more than 25% of mobile devices aren’t able to upgrade to the latest OS, more than 60% of iOS apps and 34% of Android apps don’t have basic code protection, and nearly 60% of iOS apps and 43% of Android apps are vulnerable to PII data leakage. Read more.

Cloudflare sees record DDoS volume

Cloudflare has reported that it mitigated a record number of DDoS attacks in 2024, with the total coming in at 21.3 million. That’s a 358% increase over 2023. 2025 is proving to be another record breaker, with the company saying it already mitigated 20.5 million DDoS attacks in the first quarter of the year. “Of the 20.5 million DDoS attacks, 16.8M were network-layer DDoS attacks, and of those 6.6M targeted Cloudflare’s network infrastructure directly,” said Cloudflare. “These attacks were part of an 18-day multi-vector DDoS campaign comprising SYN flood attacks, Mirai-generated DDoS attacks, SSDP amplification attacks to name a few.” Cloudflare said the biggest reason for the surge is an increase in network-layer attacks, which have seen huge growth in recent months with a 509% year-over-year jump. Read more.


About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
