By security practitioners, for security practitioners

Weekly Top 10: 05.19.2025: Two 0-Day Exploits in Ivanti Endpoint Management Used in the Wild; Windows 10 Updates Cause BitLocker Recovery; AI Vishing Campaign Impersonates Government Officials; and More.

WEEKLY TOP TEN: May 12, 2025, 16:00 GMT

  1. Two 0-Day Exploits in Ivanti Endpoint Management Used in the Wild

    Two serious flaws (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) allow unauthenticated remote code execution, a major threat to enterprise systems. Cybersecurity firm watchTowr revealed that the flaws, an authentication bypass and a remote code execution bug in open-source libraries, can be easily chained to fully compromise affected servers, and urged immediate patching.
  2. Pwn2Own Berlin Contestants Discover 0-Day Exploits in SharePoint, ESXi and More

    On the second day of Pwn2Own Berlin 2025, contestants earned $435,000 by exploiting zero-day vulnerabilities in major enterprise products including VMware ESXi, Microsoft SharePoint, and Mozilla Firefox, with standout prizes awarded for an integer overflow in ESXi and an authentication bypass chained with a deserialization bug in SharePoint. The contest, which now includes an AI category, has awarded $695,000 over its first two days, with researchers demonstrating 20 unique zero-days across virtualization, servers, browsers, and AI systems.
  3. Procolored Printer Drivers Unknowingly Distribute Malware

    For at least six months, official software bundled with Procolored printers was unknowingly distributing malware, including the XRedRAT remote access trojan and a cryptocurrency-stealing clipper called SnipVex. The infection, discovered by a YouTuber and confirmed by G Data researchers, affected multiple printer models and likely originated from compromised developer systems or USB drives used to upload files. Although Procolored initially denied the issue, it has since removed the infected software, launched an internal investigation, and released clean versions while urging customers to update and thoroughly scan their systems.
  4. Windows 10 Updates Cause BitLocker Recovery

    Microsoft has confirmed that the May 2025 security update (KB5058379) is causing some Windows 10 and Windows 10 Enterprise LTSC 2021 systems to boot unexpectedly into BitLocker recovery mode. The issue, which may appear after failed startup attempts or during automatic repair, affects devices from multiple manufacturers and shows up in logs as LSASS errors and update failures. Microsoft is investigating the root cause and, as temporary workarounds, recommends that affected users retrieve their BitLocker recovery key or adjust BIOS settings.
  5. Russian-Linked SpyPress Malware Used to Spy on Ukrainian Organizations

    ESET has uncovered Operation RoundPress, a cyber-espionage campaign attributed to Russia's Fancy Bear (APT28) that targets Ukraine-linked organizations through vulnerabilities in webmail platforms such as Roundcube, Zimbra, and MDaemon. The attackers use spearphishing emails to exploit XSS flaws and deploy custom malware variants (SpyPress) that exfiltrate sensitive data; some variants can forward messages or maintain persistent access. The campaign underscores the need for timely patching, secure configurations, and phishing defenses across both commercial and open-source email systems.
  6. AI Vishing Campaign Impersonates Government Officials

    The FBI has issued a warning about a sophisticated AI-driven smishing and vishing campaign in which attackers use AI-generated voice memos to impersonate senior U.S. officials and deceive their contacts. These scams aim to steal credentials or install malware through malicious links, posing a cascading risk as they use compromised accounts to target others. The campaign underscores the growing threat of AI-powered social engineering, with experts urging heightened vigilance and awareness of spoofed calls and messages.
  7. DefendNot Bypasses Defender by Registering Fake AV Solutions

    A new tool called DefendNot can disable Microsoft Defender by registering a fake antivirus via an undocumented Windows Security Center API, tricking Windows into thinking real-time protection is already handled. Created by researcher es3n1n, the tool bypasses protections by injecting a dummy antivirus DLL into a trusted system process, causing Defender to shut off automatically without any actual antivirus running. Though intended as a research project, DefendNot highlights how trusted Windows mechanisms can be exploited to disable core security features; Microsoft Defender now flags the tool as malicious.
  8. Coinbase Sets $20M Bounty on Its Attackers

    Coinbase has responded to a recent extortion attempt by offering a $20 million bounty for information leading to the attackers' arrest, matching the ransom they were asked to pay. The attackers had infiltrated the company through insider help, stealing sensitive personal data of less than 1% of users, but not login credentials or crypto keys.
  9. Australian Human Rights Commission Suffers Data Leak

    The Australian Human Rights Commission (AHRC) has disclosed a data breach caused by an internal error that exposed sensitive documents submitted through its website forms between March 24 and May 5. Around 670 documents containing personal data—such as names, contact details, health information, and more—were mistakenly made publicly accessible due to a misconfiguration, though the breach was not the result of a cyberattack. The AHRC has launched an investigation, notified regulators, disabled affected web forms, and urged potentially impacted individuals to monitor for suspicious activity.
  10. HTTPBot Botnet Targets Gaming and Tech Industries

    Cybersecurity researchers at NSFOCUS have discovered a new botnet named HTTPBot, which is targeting China's gaming, tech, and education sectors. First detected in August 2024, the botnet's activity surged by April 2025. HTTPBot uses advanced DDoS tactics like HTTP floods and obfuscation techniques to carry out highly targeted attacks on specific victims. It employs seven HTTP-based attack methods, including BrowserAttack and HttpAutoAttack, to mimic legitimate user behavior and overwhelm servers. The botnet is especially dangerous due to its precision and ability to bypass detection, posing a significant threat to industries relying on real-time interactions. HTTPBot operates on Windows, marking a shift from typical DDoS botnets that target Linux and IoT platforms.
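Item 4's workaround depends on the BitLocker recovery key being retrievable when a device lands at the recovery prompt. The script below is an added example, not Microsoft's or Novacoast's code, that inventories the recovery protectors on every volume and escrows them to Entra ID or on-premises AD before a patch is deployed. It assumes an elevated session and the built-in BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector); the function names Get-RecoveryProtectorReport and Backup-RecoveryProtectors are this example's own.

```powershell
# Added example for item 4 (not Microsoft's or Novacoast's code).
# Inventory BitLocker recovery protectors on every volume and escrow them to the
# directory the device is joined to, so a machine that drops into BitLocker
# recovery after a patch can be unlocked from a known key source.
# Assumes an elevated session and the BitLocker module (Windows 10/11).

function Get-RecoveryProtectorReport {
    $rows = foreach ($vol in Get-BitLockerVolume) {
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($rp.Count -eq 0) {
            # A protected volume with no numerical recovery password cannot be
            # unlocked from the recovery screen; flag it rather than silently skip.
            $finding = if ($vol.ProtectionStatus -eq 'On') { 'NO_RECOVERY_PASSWORD' } else { 'NOT_PROTECTED' }
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                Protection       = $vol.ProtectionStatus
                KeyProtectorId   = $null
                RecoveryPassword = $null
                Finding          = $finding
            }
            continue
        }
        foreach ($p in $rp) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                Protection       = $vol.ProtectionStatus
                KeyProtectorId   = $p.KeyProtectorId    # the ID shown on the recovery screen
                RecoveryPassword = $p.RecoveryPassword  # the 48-digit password (a secret)
                Finding          = 'OK'
            }
        }
    }
    return $rows
}

function Backup-RecoveryProtectors {
    # Escrow every recovery password to Entra ID ('AAD') or on-premises AD ('AD').
    param([ValidateSet('AAD', 'AD')][string]$Target = 'AAD')
    foreach ($row in Get-RecoveryProtectorReport | Where-Object { $_.Finding -eq 'OK' }) {
        if ($Target -eq 'AAD') {
            BackupToAAD-BitLockerKeyProtector -MountPoint $row.MountPoint -KeyProtectorId $row.KeyProtectorId | Out-Null
        } else {
            Backup-BitLockerKeyProtector -MountPoint $row.MountPoint -KeyProtectorId $row.KeyProtectorId | Out-Null
        }
        Write-Verbose "Escrowed $($row.KeyProtectorId) for $($row.MountPoint) to $Target"
    }
}

# Show the inventory without the secret itself; the full objects still carry it.
Get-RecoveryProtectorReport | Select-Object MountPoint, Protection, KeyProtectorId, Finding | Format-Table -AutoSize
```

The KeyProtectorId in the report is the identifier the BitLocker recovery screen displays, so a help-desk lookup by that ID returns the matching 48-digit password. The report objects contain that password, so write them only to a protected store, never to a shared log; `manage-bde -protectors -get C:` is the built-in equivalent for a single volume.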
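Item 7 describes a condition a defender can check for directly: Windows Security Center believes a third-party antivirus is active while no real engine is running and Defender has stood down. The script below is an added example, not es3n1n's DefendNot and not Microsoft code, that compares the AntiVirusProduct registrations in the root/SecurityCenter2 WMI namespace with Defender's own status from Get-MpComputerStatus. It assumes a Windows client SKU (the SecurityCenter2 namespace is absent on Server) and the Defender module; the productState bit decoding is a community convention rather than documented behaviour, and the function name Get-SecurityCenterAvAudit is this example's own.

```powershell
# Added example for item 7 (not es3n1n's DefendNot, not Microsoft code).
# Compare what Windows Security Center (WSC) believes is protecting the host
# with Defender's actual state. DefendNot's effect is a WSC registration for an
# AV product with no real engine behind it, which makes Defender stand down.
# Assumes a Windows client SKU and the Defender module (Get-MpComputerStatus).

function Get-SecurityCenterAvAudit {
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct')
    $mp = Get-MpComputerStatus

    $rows = foreach ($p in $products) {
        # productState is undocumented; decoding 0x10 in the middle byte as
        # "enabled" is a community convention and an assumption of this script.
        $enabled = (($p.productState -band 0x1000) -ne 0)
        $exe = $p.pathToSignedProductExe
        # Defender reports a pseudo-URI ("windowsdefender://"), not a file path;
        # File.Exists returns $false for such strings without throwing.
        $onDisk = [bool]$exe -and [System.IO.File]::Exists([string]$exe)
        [pscustomobject]@{
            DisplayName = $p.displayName
            Enabled     = $enabled
            SignedExe   = $exe
            ExeOnDisk   = $onDisk
            Registered  = $p.timestamp
        }
    }

    # A third-party entry that claims to be enabled but has no signed executable
    # on disk is the shape a bogus registration takes; it matters when Defender
    # has actually stood down as a result.
    $suspect = @($rows | Where-Object {
        $_.DisplayName -notmatch 'Windows Defender|Microsoft Defender' -and $_.Enabled -and -not $_.ExeOnDisk
    })
    $verdict = if ($suspect.Count -gt 0 -and -not $mp.RealTimeProtectionEnabled) { 'INVESTIGATE' } else { 'OK' }

    [pscustomobject]@{
        DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled
        DefenderRunningMode        = $mp.AMRunningMode
        RegisteredProducts         = $rows
        SuspectRegistrations       = $suspect
        Verdict                    = $verdict
    }
}

$audit = Get-SecurityCenterAvAudit
$audit.RegisteredProducts | Format-Table -AutoSize
"Defender RTP: $($audit.DefenderRealTimeProtection)  Mode: $($audit.DefenderRunningMode)  Verdict: $($audit.Verdict)"
```

An INVESTIGATE verdict is a lead, not a confirmation: a legitimate product that was uninstalled uncleanly can leave a stale WSC entry with a missing executable. The Registered timestamp on the suspect entry, correlated with the time Defender's real-time protection was disabled (event ID 5001 in the Microsoft-Windows-Windows Defender/Operational log), separates a leftover from a deliberate registration.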

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available.
