
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the Cybersecurity Headlines for Monday, May 5, 2025. I'm Steve Prentiss.

Microsoft ends Authenticator password autofill in favor of Edge
Password storage and autofill features in the Microsoft Authenticator app will start deprecation in July and will be completed by August. The goal is to streamline autofill support and consolidate credentials management under Microsoft Edge. As such, users will have up to August 1st of this year to export their information from Authenticator or risk losing it. The autofill feature was added to mobile Authenticator apps in December 2020, allowing users to fill their credentials saved in Authenticator on sign-in forms automatically.

StealC malware enhanced with stealth upgrades and data theft
According to a new report from Zscaler, the people behind StealC, that is S-T-E-A-L-C, a well-known and much-used information stealer and malware downloader, have released a new and improved version. StealC first appeared on the dark web in early 2023 and sold access for $200 a month. Improvements made in 2024 included a bypassing mechanism for Chrome's app-bound encryption cookie theft defenses, allowing the regeneration of expired cookies for hijacking Google accounts. Among the improvements in version 2.2.4 this year are added Telegram bot support for real-time alerts to operators and added capability to screenshot the victim's desktop with multi-monitor support.

White House proposes cutting $491 million from CISA budget
The President's fiscal 2026 budget proposal was described in a summary released Friday. The dollar amount represents a nearly 17% reduction to the agency's almost $3 billion per year budget. The administration did not release details about what areas or services were to be cut. Instead, it stated that the budget refocuses CISA on its core mission, federal network defense and enhancing the security and resilience of critical infrastructure, targeting a reduction of what it describes as so-called disinformation and misinformation programs and offices and duplicative programs at state and federal level.

Ransomware attacks on food and agriculture industry have increased this year
Speaking at RSA, Jonathan Braley, director of the Food and Agriculture Information Sharing and Analysis Center, known as Food and Ag ISAC, said that paired with the increase in ransomware attacks is the fact that many of these attacks go unreported, preventing visibility into the full scope of the problem. The increase in attacks seems to stem from activities by the Clop ransomware gang, specifically its exploitation of MOVEit, GoAnywhere and Accellion, as well as activity from the groups RansomHub and Akira. The industry saw 84 attacks from January to March, more than double the number seen in the first quarter of 2024. A report from Food and Ag ISAC says that industries in food, agriculture and manufacturing typically face ransomware attacks because they tend to have more legacy equipment and industrial control systems, making them easier targets.

Huge thanks to our sponsor ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and to start your free trial, visit threatlocker.com/CISO, that is T-H-R-E-A-T-L-O-C-K-E-R dot com slash CISO.

UK retailer Harrods suffers cyberattack
The trend in attacking UK retailers seems to be continuing. This time the upscale London-based department store Harrods has announced that it detected an attempted cyberattack, which is similar to the statements made by fellow retailers Marks and Spencer and Co-op this past week. A Harrods spokesperson said the IT security team immediately took proactive steps to keep systems safe, end quote, and added that both in-person and online shopping remained unaffected.

Microsoft sets passkeys default for new accounts
This represents a big change that ensures that individuals signing up for new accounts at Microsoft must use passkeys by default, which therefore means passwordless by default. In addition, existing users can visit their account settings to delete their password. Microsoft adds that it has also simplified the sign-in and sign-up user experience by prioritizing passwordless methods. Furthermore, the sign-in process now automatically detects the best available method on a user's account and sets that as the default.

Disney Slack attacker turns out to be Ryan from California
Following up on a story we covered last July in which the Walt Disney Company suffered the theft of more than one terabyte of data through its Slack channels, it turns out that the perpetrator was not a Russian hacktivist group, but was instead 25-year-old California resident Ryan Mitchell Kramer. The hack was originally described as retribution against Disney for how it handled artist contracts, the use of AI and how it treated its consumers. Now, however, according to the Department of Justice, Kramer published a program online that purported to be an AI art generation app but actually contained malware that gave him remote access to victims' computers. A Disney employee downloaded the program, allowing Kramer to nab login credentials for various accounts in their name, including their Disney Slack account. Ryan Kramer has agreed to plead guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer, which could lead to 10 years in prison.

The government of Peru possibly suffers cyberattack
According to researcher Dominic Alvieri, the Rhysida ransomware gang is claiming responsibility for this breach, which affected the government's official digital platform Goblin. The gang is demanding a ransom of 5 bitcoin and is allowing until May 9 for payment. It has posted images of documents allegedly stolen in the attack. Other cyber industry sources are not so sure. Researchers at the security firm Comparitech state that Peruvian officials are denying any ransomware attack took place, attributing the disruption to glitches on the government's website.

Don't forget to join us this Friday for Super Cyber Friday, where the topic will be Hacking the Validity of GenAI, an hour of critical thinking about embracing these new tools while still meeting your compliance requirements. For more information and to register, go to CISOseries.com. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Podcast Title: Cyber Security Headlines
Host: CISO Series
Episode Title: Microsoft Authenticator Passkeys, StealC Malware Upgraded, CISA Budget Slashed
Release Date: May 5, 2025
In the opening segment, host Steve Prentiss discusses Microsoft's strategic shift concerning its authentication tools. As of May 5, 2025, Microsoft has announced the deprecation of the password autofill feature in its Authenticator app. This change aims to streamline credential management by consolidating autofill support under Microsoft Edge.
“Microsoft ends authenticator password autofill in favor of Edge password storage,” [00:07] Prentiss explains.
Users are given a deadline until August 1st, 2025, to export their stored credentials from the Authenticator app. Post-deprecation, the autofill functionality, initially introduced in December 2020, will no longer be available, urging users to transition to Edge for a more integrated experience.
The podcast delves into the evolving threat landscape with the emergence of the upgraded StealC malware. According to a report by Zscaler, StealC, known for its prowess in information stealing and malware downloading, has released a more sophisticated version, 2.2.4, enhancing its stealth and data theft capabilities.
“StealC has introduced Telegram bot support for real-time alerts to operators,” [02:15] Prentiss highlights.
Key enhancements include Telegram bot support for real-time alerts to operators and the ability to screenshot the victim's desktop with multi-monitor support. These updates significantly increase the malware's efficiency and the threat it poses to both individual users and organizations.
A major development in governmental cybersecurity funding is addressed next. The President's fiscal 2026 budget proposal includes a $491 million reduction from the Cybersecurity and Infrastructure Security Agency’s (CISA) nearly $3 billion annual budget, marking a nearly 17% cut.
“The budget refocuses CISA on its core mission,” [03:30] Prentiss reports.
The administration emphasizes that the reduction aims to eliminate duplicative programs and minimize expenditures on disinformation and misinformation initiatives. However, specific details regarding which areas or services will be affected remain undisclosed. The refocusing is intended to bolster federal network defense and enhance the security and resilience of critical infrastructure.
The conversation shifts to the alarming rise in ransomware incidents targeting the food and agriculture industries. Jonathan Braley, Director of the Food and Agriculture Information Sharing and Analysis Center (Food and Ag ISAC), presented at RSA Conference, shedding light on the issue.
“Many of these attacks go unreported, preventing visibility into the full scope of the problem,” [04:45] Prentiss conveys Braley’s insights.
From January to March 2025, there were 84 ransomware attacks, more than double the number seen in the same period in 2024. Notable perpetrators include the Clop ransomware gang, which exploited file-transfer products such as MOVEit, GoAnywhere and Accellion, alongside the RansomHub and Akira groups. The prevalence of legacy equipment and outdated industrial control systems in these sectors makes them particularly vulnerable targets.
UK luxury retailer Harrods has fallen victim to a cyberattack, echoing recent incidents involving other major UK retailers such as Marks & Spencer and Co-op. A Harrods spokesperson confirmed the attempted breach, assuring that both in-store and online operations remain unaffected.
“Our IT security team immediately took proactive steps to keep systems safe,” [05:40] stated the spokesperson.
The attack underscores the ongoing trend of cyber threats targeting high-profile retail establishments, emphasizing the need for robust security measures to protect consumer data and maintain operational integrity.
In a significant move towards enhancing user security, Microsoft is setting passkeys as the default authentication method for new accounts, effectively making them passwordless by default.
“Microsoft must use passkeys by default,” [06:05] Prentiss summarizes.
Existing users retain the option to delete their passwords via account settings, promoting a more secure and streamlined sign-in process. Microsoft has also refined the user experience by enabling the system to automatically select the most appropriate authentication method available for each user account.
An intriguing case involving the Walt Disney Company was discussed, revealing that the Slack breach previously attributed to hacktivist groups was actually perpetrated by an individual named Ryan Mitchell Kramer from California.
“Kramer published a program… that contained malware,” [06:35] Prentiss explains.
Kramer's malicious software masqueraded as an AI art generation application but instead provided him with remote access to victims' computers. This allowed him to harvest login credentials and compromise Disney’s Slack accounts. Kramer has agreed to plead guilty to accessing a computer and obtaining information, as well as threatening to damage a protected computer, potentially facing up to 10 years in prison.
The episode concludes with reports of a possible cyberattack on Peru's governmental digital platform, Goblin. The Rhysida ransomware gang claims responsibility, demanding a ransom of 5 Bitcoin and presenting allegedly stolen documents as evidence.
“Peruvian officials are denying any ransomware attack,” [07:20] notes Prentiss, referencing claims from Comparitech researchers who attribute the disruption to technical glitches instead.
This conflicting information highlights the challenges in accurately assessing and responding to cyber incidents within governmental infrastructures.
Conclusion:
In this episode of Cyber Security Headlines, CISO Series provides a comprehensive overview of the latest developments in the cybersecurity landscape, ranging from significant shifts in authentication practices by Microsoft to the escalating sophistication of malware threats like StealC. The proposed budget cuts to CISA and the rise in ransomware attacks on critical industries underscore the evolving challenges faced by both public and private sectors. Additionally, high-profile incidents involving major retailers and corporations like Harrods and Disney illustrate the persistent vulnerabilities within organizational cybersecurity defenses. Lastly, the uncertainty surrounding potential cyberattacks on governmental platforms emphasizes the need for vigilance and robust security measures across all levels of infrastructure.
For those seeking to stay informed on the latest in cybersecurity, this episode offers valuable insights and detailed analysis of pressing issues impacting the field today.