
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, April 30, 2025. I'm Sarah Lane.

Millions of Apple AirPlay-enabled devices can be hacked via Wi-Fi. Researchers at cybersecurity firm Oligo have disclosed AirBorne, a set of vulnerabilities in Apple's AirPlay SDK that expose millions of third-party devices, such as smart TVs, speakers and CarPlay systems, to remote code execution over shared Wi-Fi. Apple has patched its own hardware, but Oligo warns many third-party vendors may have not, which poses risk for lateral movement, network persistence and potential surveillance.

Google tracked 75 zero-days exploited in the wild in 2024. According to Google's Threat Intelligence Group, 75 zero-day vulnerabilities were exploited in the wild in 2024. That's down from 98 in 2023, but above 2022's total, pointing to an upward trend in zero-day activity over the past four years. Most exploits still target end-user platforms, but there's an increase in attacks on enterprise technologies, especially security and networking appliances, which make up over 60% of enterprise-targeted zero-days. The group attributes more than half of all known exploits to cyber espionage actors.

France ties Russian APT28 hackers to 12 cyber attacks on French orgs. France has officially blamed the Russian state-backed hacking group APT28, tied to the GRU, for 12 cyber attacks on French entities since 2021, including targets in government, defense, aerospace and research. The French Foreign Ministry denounced the attacks as breaches of UN norms, while the National Cybersecurity Agency ANSSI reported that APT28 used phishing, email service exploits and low-cost anonymous infrastructure.

Marks and Spencer breach linked to Scattered Spider ransomware attack. We reported last week that British retailer Marks and Spencer was experiencing outages; BleepingComputer sources now say it's a ransomware attack linked to the Scattered Spider threat group.
The attackers reportedly gained access as early as February, stealing the NTDS.DIT Active Directory database, and on April 24th deployed DragonForce ransomware to encrypt VMware ESXi hosts, disrupting operations including payment systems and online orders. Marks and Spencer has enlisted CrowdStrike, Microsoft and Fenix24 to aid in investigation and recovery.

Huge thanks to our sponsor ThreatLocker. ThreatLocker is a global leader in zero trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO. That's threatlocker.com/CISO.

The Electronic Frontier Foundation, or EFF, along with more than 400 cybersecurity and election security experts, has publicly urged the US administration to drop its investigation into former CISA director Chris Krebs. In an open letter, the signatories warn that targeting Krebs and his employer, SentinelOne, for contradicting election fraud claims undermines the infosec community's independence and discourages truthful nonpartisan security reporting.

Nova Scotia energy provider takes some servers offline following cyber incident. Nova Scotia Power disclosed that it experienced a cyber attack on April 25th affecting parts of its Canadian IT infrastructure, including its customer care center and online portal. No disruption occurred to power generation or grid operations, but the company isolated impacted servers to contain the incident. The nature of the attack has not been confirmed, but Emera, Nova Scotia Power's parent company, says it's working with law enforcement and cybersecurity experts to investigate and recover. Physical operations and international subsidiaries remain unaffected.
SentinelOne reports that China-linked APT group PurpleHaze attempted reconnaissance on its infrastructure and high-value clients, indicating targeted cyber espionage with potential for future attacks. The group, known to be tied to APT15, is said to have used tools like the GoReShell backdoor and ShadowPad malware, also seen in broader China-nexus campaigns. SentinelOne also detected over 1,000 job applications from North Korea-linked fake personas, including attempts to infiltrate its SentinelLabs intelligence team.

House passes bill to study routers' national security risks. The US House of Representatives passed the ROUTERS Act, which mandates the Department of Commerce to study national security risks posed by routers and modems controlled by foreign adversaries, namely China. Lawmakers have emphasized that securing U.S. communications networks is a critical role in national infrastructure. This builds on previous efforts to remove untrusted equipment following cybersecurity threats, such as the Salt Typhoon hacker group's exploitation of telecom networks.

Watch out for any Linux malware sneakily evading syscall-watching antivirus. A new proof-of-concept program, Curing, highlights a blind spot in Linux security tools that rely on syscall monitoring. The io_uring interface, introduced in Linux kernel 5.1, lets applications bypass traditional system calls for I/O operations, which many antivirus tools rely on to detect threats. As io_uring operates outside the syscall path, malware exploiting it may evade detection by tools like Falco, Tetragon and Microsoft Defender. Armo, which developed the proof of concept, calls it a major blind spot and suggests solutions like updating antivirus tools or disabling io_uring altogether. Google disabled it in ChromeOS after spending $1 million on related bug bounties.

Make sure to check out our latest episode of Security You Should Know. We just released a new episode with ThreatLocker, looking into what they're doing to help control elevated privileges in your environment. Look for the show over at cisoseries.com or wherever you get your podcasts. I'm Sarah Lane reporting for the CISO Series, and we will talk to you next time.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines - Episode Summary
Podcast Information:
Timestamp: [00:07]
Sarah Lane opens the episode by discussing a significant vulnerability in Apple's AirPlay SDK. Cybersecurity firm Oligo revealed that millions of third-party devices—including smart TVs, speakers, and CarPlay systems—are exposed to remote code execution via shared Wi-Fi networks.
Key Points:
Notable Quote: "Apple has patched its own hardware, but Oligo warns many third-party vendors may have not, which poses risk for lateral movement, network persistence and potential surveillance." – Sarah Lane [00:07]
Timestamp: [00:57]
Sarah moves on to Google's alarming findings regarding zero-day vulnerabilities. According to Google's Threat Intelligence Group, there were 75 zero-day exploits tracked in the wild during 2024.
Key Points:
Notable Quote: "75 zero day vulnerabilities were exploited in the wild in 2024... pointing to an upward trend in zero day activity over the past four years." – Sarah Lane [00:57]
Timestamp: [02:20]
The discussion shifts to international cybersecurity incidents, with France officially attributing 12 cyberattacks to the Russian state-backed hacking group APT28, linked to the GRU.
Key Points:
Notable Quote: "The French Foreign Ministry denounced the attacks as breaches of UN norms..." – Sarah Lane [02:20]
Timestamp: [03:30]
Sarah provides an update on the Marks and Spencer breach, previously reported as experiencing outages. BleepingComputer sources now confirm it was a ransomware attack linked to the Scattered Spider threat group.
Key Points:
Notable Quote: "The attackers reportedly gained access as early as February, stealing the NTDS.DIT Active Directory database and on April 24th deployed DragonForce ransomware..." – Sarah Lane [03:30]
Timestamp: [05:10]
In a related cybersecurity governance issue, the Electronic Frontier Foundation (EFF), along with over 400 cybersecurity and election security experts, has called on the US administration to cease its investigation into former CISA Director Chris Krebs.
Key Points:
Notable Quote: "Targeting Krebs and his employer, SentinelOne, for contradicting election fraud claims undermines the infosec community's independence and discourages truthful nonpartisan security reporting." – Sarah Lane [05:10]
Timestamp: [05:50]
Nova Scotia Power disclosed a cyberattack that occurred on April 25th, affecting parts of its Canadian IT infrastructure, including the customer care center and online portal.
Key Points:
Notable Quote: "No disruption occurred to power generation or grid operations, but the company isolated impacted servers to contain the incident." – Sarah Lane [05:50]
Timestamp: [06:30]
SentinelOne has identified attempts by the China-linked APT group PurpleHaze to conduct reconnaissance on its infrastructure and high-value clients, signaling potential future cyber espionage activities.
Key Points:
Notable Quote: "SentinelOne also detected over 1,000 job applications from North Korea-linked fake personas, including attempts to infiltrate its SentinelLabs intelligence team." – Sarah Lane [06:30]
Timestamp: [07:10]
The US House of Representatives has passed the Routers Act, mandating the Department of Commerce to evaluate the national security risks posed by routers and modems controlled by foreign adversaries, specifically China.
Key Points:
Notable Quote: "Lawmakers have emphasized that securing U.S. communications networks is a critical role in national infrastructure." – Sarah Lane [07:10]
Timestamp: [07:50]
A new proof-of-concept program named Curing has exposed a blind spot in Linux security tools that depend on syscall monitoring. The io_uring interface, introduced in Linux kernel 5.1, allows applications to bypass traditional system calls for I/O operations, so tools that only watch the syscall path never see that activity.
Key Points:
Notable Quote: "As io_uring operates outside the syscall path, malware exploiting it may evade detection by tools like Falco, Tetragon and Microsoft Defender." – Sarah Lane [07:50]
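The two practical follow-ups to this story are the ones Armo names: know whether io_uring is switched off on your hosts, and know which processes are using it when it is not. The script below is an added example written for this page; it is neither the podcast's material nor Armo's Curing proof of concept. It assumes a Linux /proc layout and the kernel.io_uring_disabled sysctl, which exists from Linux 6.6 onward (0 = enabled, 1 = restricted to privileged users or the io_uring_group, 2 = disabled for everyone). An io_uring instance shows up as a file descriptor whose readlink() target is anon_inode:[io_uring], so walking /proc/<pid>/fd gives a point-in-time inventory of ring users without needing any syscall hook. The fake /proc tree the block builds is constructed sample data so the check can be exercised offline.

```python
# Added defender-side check for io_uring exposure on a Linux host.
# Not code from the podcast or from Armo's Curing PoC. Assumes a /proc layout
# and the kernel.io_uring_disabled sysctl (Linux 6.6+).
import os
import tempfile
from pathlib import Path

IO_URING_LINK = "anon_inode:[io_uring]"   # readlink() target of an io_uring fd


def io_uring_sysctl_state(proc_root="/proc"):
    """Report kernel.io_uring_disabled: 0 enabled, 1 restricted (privileged
    users or the io_uring_group only), 2 disabled for every process."""
    path = Path(proc_root) / "sys" / "kernel" / "io_uring_disabled"
    try:
        value = int(path.read_text().strip())
    except FileNotFoundError:
        # Kernels before 6.6 have no such sysctl: io_uring is on and cannot be
        # switched off this way (a seccomp policy or hardened build is needed).
        return "no-sysctl"
    return {0: "enabled", 1: "restricted", 2: "disabled"}.get(value, f"unknown({value})")


def processes_using_io_uring(proc_root="/proc"):
    """Return {pid: (comm, [fd numbers])} for every process that currently
    holds an io_uring instance. Point-in-time only: a ring that was closed, or
    a process that already exited, leaves no trace here, so this complements
    rather than replaces continuous kernel-level telemetry."""
    hits = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():          # skip /proc/sys, /proc/self, ...
            continue
        try:
            fds = list((entry / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue                          # other users' processes need root
        rings = []
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue                      # fd closed while we were walking
            if target == IO_URING_LINK:
                rings.append(fd.name)
        if rings:
            comm_file = entry / "comm"
            comm = comm_file.read_text().strip() if comm_file.exists() else "?"
            hits[int(entry.name)] = (comm, sorted(rings, key=int))
    return hits


def make_constructed_proc_tree():
    """Build a fake /proc in a temp dir (constructed sample data, not a real
    host): io_uring enabled, pid 4242 holding two rings, pid 1234 holding none."""
    root = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    (root / "sys" / "kernel").mkdir(parents=True)
    (root / "sys" / "kernel" / "io_uring_disabled").write_text("0\n")
    for pid, comm, links in (
        (4242, "updater-helper", {"3": "/dev/null", "5": IO_URING_LINK, "7": IO_URING_LINK}),
        (1234, "sshd", {"3": "socket:[98765]"}),
    ):
        pdir = root / str(pid)
        (pdir / "fd").mkdir(parents=True)
        (pdir / "comm").write_text(comm + "\n")
        for fd, target in links.items():
            os.symlink(target, pdir / "fd" / fd)   # dangling link, like the real /proc
    return str(root)


def triage(proc_root="/proc"):
    """Human-readable summary: sysctl state plus any processes holding rings."""
    state = io_uring_sysctl_state(proc_root)
    users = processes_using_io_uring(proc_root)
    lines = [f"kernel.io_uring_disabled: {state}"]
    for pid, (comm, fds) in sorted(users.items()):
        lines.append(f"pid {pid} ({comm}) holds io_uring fds {', '.join(fds)}")
    if not users:
        lines.append("no process currently holds an io_uring instance")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage())   # run as root to see every process on the real host
```

Run it as root on a real host to get the full inventory; unprivileged runs silently skip processes whose /proc/<pid>/fd is not readable. A "restricted" or "disabled" sysctl state is the mitigation the story mentions, and any unexpected process in the ring inventory on an "enabled" host is what the syscall-only monitors named above would not have flagged.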
Sarah Lane wraps up the episode by reminding listeners to visit cisoseries.com for comprehensive stories behind these headlines and to stay informed on the latest cybersecurity developments.
Note: This summary excludes advertisements and non-content sections as per the podcast's guidelines.