
Steve Prentiss
From the CISO Series, it's Cyber Security Headlines. These are the cybersecurity headlines for Monday, May 19, 2025. I'm Steve Prentiss.

Scattered Spider facilitates UK retail hacks and is moving to the US. This announcement comes from cybersecurity experts from Google. The Scattered Spider group has been linked to the attacks on UK retailers Marks and Spencer, the Co-op and Harrods, and now also unnamed retailers in the US are being impacted. Charles Carmakal, the chief technology officer at Google's Mandiant unit, said the threat had moved to the US in a pattern typical of Scattered Spider assailants, and this points out the way in which they focus on a particular industry, sector and geography for a few weeks and then move on. One of the gang's specific techniques is to make phone calls to IT help desks pretending to be an employee or a contractor in order to gain access to company systems.

DefendNot tool can disable Microsoft Defender. This tool, spelt as one word, DefendNot, is built by a developer who goes by the handle es3n1n. DefendNot can disable Microsoft Defender on Windows devices simply by registering a fake antivirus product, even when no real antivirus is installed. As reported in BleepingComputer, the tool utilizes an undocumented Windows Security Center API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device. When this happens, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device. Microsoft has since taken steps to detect and quarantine this specific tool.

FBI warns government officials about new waves of deepfakes. Since April 2025, the FBI has warned of a cyber campaign targeting current and former US government officials using AI-generated deepfake voice messages and texts. Impersonating senior officials, the threat actors send malicious links, specifically regarding transition from one messaging platform to another. The FBI, of course, urges vigilance, reminding people to check for subtle errors in messaging and to be wary of unnatural speech or visuals.

Rogue devices found in Chinese-made power inverters. US security experts have discovered hidden kill switches and undocumented cellular radios in Chinese-made power inverters used in US and European solar farms. These rogue devices could allow Beijing to remotely disable parts of the power grid during a conflict, raising serious national security concerns. While inverters typically allow remote access for maintenance, experts found covert communication hardware not listed in product documentation. Over the past nine months, similar devices were found in batteries from multiple Chinese suppliers. The presence of such hidden systems suggests a potential for remote sabotage of critical energy infrastructure by foreign actors.

Huge thanks to our sponsor Conveyor. Are you dealing with security questionnaire chaos this week? If so, get Conveyor's AI to knock them out for you. Connect Conveyor to any source, easily upload any format of questionnaire or use the browser extension for portals, and their AI handles the rest, from parsing the questions to generating answers and auto-tagging collaborators. Let Conveyor do the work for you. Learn more at conveyor.com, that is C-O-N-V-E-Y-O-R dot com.

Japan enacts proactive cyber defense law. Last Friday, Japan enacted a new law that would give its authorities the ability to preemptively engage with adversaries through offensive cyber operations to ensure threats are suppressed before they cause significant damage. This law was originally proposed in 2022 and is intended to help Japan strengthen its cyber defence to a level equal to major Western powers, and marks a break from the country's traditional approach to cyber defence, which had tracked closely to its Article 9 constitutional commitment to pacifism.

SEC social media hacker gets 14-month sentence. Following up on a story we covered in February, Alabama resident Eric Council Jr. is now facing this sentence for hacking into the Twitter/X account of the Securities and Exchange Commission. He achieved this by executing a SIM swap, and his motive was to create fraudulent posts through the SEC's account that would alter the market value of Bitcoin. In addition to the sentence, Council must forfeit $50,000 and, following the sentence, will face three years of supervised release with the condition that he "not use computers to access the dark web or commit further identity fraud."

CFPB withdraws Biden-era rule targeting data brokers. The Consumer Financial Protection Bureau is set to withdraw a Biden-era rule aimed at "cracking down on data brokers and their selling of personal and financial information." A notice published last Thursday in the Federal Register confirms this action: "The Bureau has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter further and will therefore not take any further action."

Ransomware groups target the undefended space between IT and OT. In an interview with The Register, Timothy Conway, the technical director at the SANS Institute's Industrial Control Systems programs, says that some criminal gangs focus on activities in organizations that exist between classic IT systems that run core business applications and operational tech systems that drive heavy industrial infrastructure. As an example, Conway suggests what might happen if jet fuel was diverted to a home heating oil pipeline. He added, all businesses have these middle systems, and encrypting them isn't as difficult as developing ransomware to target OT. The victims, he says, are also more likely to pay the extortion demands. SANS, by the way, stands for SysAdmin, Audit, Network, and Security. It is a training, research and certification organization.

It's Monday, and that means we've got a brand new episode of Security You Should Know. This week we're learning what ThreatLocker is doing to help you navigate unauthorized site access. Look for it at cisoseries.com as well as YouTube, Spotify, or wherever you get your podcasts. And what would happen if you were away from your company and out of touch for a day or more? Exactly when a crisis happens, how well could your company cope temporarily without you? This is the topic of a new article we've released just this morning. A short read, but packed with valuable information from three of our CISO colleagues. Look for the article entitled "What would happen if your CISO was not around during a cyberattack?" on the front page of cisoseries.com today. I'm Steve Prentiss, reporting for the CISO Series. Cyber Security Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – Episode Summary
Hosted by Steve Prentiss from the CISO Series
Release Date: May 19, 2025
Overview:
Cybersecurity experts from Google have identified the Scattered Spider group as the orchestrator behind a series of high-profile cyberattacks targeting UK retailers, including Marks and Spencer, the Co-op, and Harrods. Recently, the group has shifted its focus to the United States, impacting unnamed retailers across the country.
Key Insights:
Charles Carmakal, chief technology officer at Google's Mandiant unit, said the threat has moved to the US in a pattern typical of the group: it concentrates on one industry sector and geography for a few weeks and then moves on. One of its hallmark techniques is phoning IT help desks while posing as an employee or contractor in order to obtain access to company systems.
Implications:
Retailers in the U.S. need to bolster their defenses against sophisticated social engineering tactics and remain vigilant for signs of Scattered Spider’s activities.
Overview:
A new tool named DefendNot has emerged, capable of disabling Microsoft Defender on Windows devices. Built by a developer known as es3n1n, it registers a fake antivirus product, even when no real antivirus is installed, so that Windows deactivates its native protection.
Notable Details:
As reported by BleepingComputer, the tool uses an undocumented Windows Security Center API that antivirus products call to tell Windows they are installed and now handle real-time protection for the device. Windows then automatically disables Microsoft Defender to avoid running multiple security applications at once. Microsoft has since taken steps to detect and quarantine this specific tool.
Quote:
At [00:04:30], Steve Prentiss explained, "DefendNot can disable Microsoft Defender on Windows devices simply by registering a fake antivirus product, even when no real antivirus is installed."
Recommendation:
Users and organizations are urged to keep Microsoft Defender's signatures current, since Microsoft now detects and quarantines this tool, and to watch for antivirus products registered with Windows Security Center that they did not install, particularly where Defender has silently dropped into passive mode.
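The check below is an added example, not code from the CISO Series page or from the DefendNot project. It enumerates every antivirus product registered with Windows Security Center, decodes each product's enabled bit, verifies that the registered executable exists and carries a valid Authenticode signature, and compares the result with Defender's own reported state. The scenario the page describes (a registered product with no real, signed binary behind it while Defender reports real-time protection off) is flagged as a likely displacement. The productState bit decoding is a widely used heuristic rather than a documented contract, and the function names are this example's own.

```powershell
# Added example (not from the CISO Series page or the DefendNot project):
# look for a fake antivirus registration that has pushed Microsoft Defender aside.
# Run from an elevated PowerShell session on Windows 10/11.

function Get-RegisteredAvProducts {
    # WSC exposes registered AV products through the root/SecurityCenter2 WMI namespace.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a bitfield; the middle byte being 0x10 or 0x11 means "enabled".
            # This decoding is a common heuristic, not documented behaviour (assumption).
            $hex = '{0:x6}' -f [int]$_.productState
            [pscustomobject]@{
                DisplayName  = $_.displayName
                InstanceGuid = $_.instanceGuid
                ExePath      = $_.pathToSignedProductExe
                Enabled      = ($hex.Substring(2, 2) -in '10', '11')
                Timestamp    = $_.timestamp
            }
        }
}

function Test-AvProductTrust {
    param([Parameter(Mandatory)] $Product)
    # A legitimate product points WSC at a real, Authenticode-signed binary.
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($Product.ExePath)) {
        $reasons += 'no product executable path registered'
    } elseif (-not (Test-Path -LiteralPath $Product.ExePath)) {
        $reasons += "executable missing on disk: $($Product.ExePath)"
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $Product.ExePath
        if ($sig.Status -ne 'Valid') {
            $reasons += "executable signature status: $($sig.Status)"
        }
    }
    [pscustomobject]@{
        DisplayName = $Product.DisplayName
        Enabled     = $Product.Enabled
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

function Invoke-DefenderDisplacementCheck {
    $products = @(Get-RegisteredAvProducts)
    $mp       = Get-MpComputerStatus   # Defender's own view of its state

    # Assess every non-Defender product that WSC believes is installed.
    $findings = foreach ($p in $products) {
        if ($p.DisplayName -like 'Windows Defender*' -or
            $p.DisplayName -like 'Microsoft Defender*') { continue }
        Test-AvProductTrust -Product $p
    }

    [pscustomobject]@{
        DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled
        DefenderRunningMode        = $mp.AMRunningMode      # e.g. 'Normal' or 'Passive Mode'
        ThirdPartyProducts         = $findings
        # Defender stepped aside for something that does not look like real software.
        LikelyDisplaced            = (-not $mp.RealTimeProtectionEnabled) -and
                                     (@($findings | Where-Object Suspicious).Count -gt 0)
    }
}

Invoke-DefenderDisplacementCheck | Format-List
```

On a clean host with only Defender, ThirdPartyProducts is empty and LikelyDisplaced is false. A genuine third-party suite shows up with a valid signature and is not flagged even though Defender is passive; the combination worth alerting on is a product with no usable, signed binary alongside real-time protection being off.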
Overview:
Since April 2025, the FBI has been proactively warning U.S. government officials about an ongoing cyber campaign utilizing AI-generated deepfake voice messages and texts. These deepfakes are designed to impersonate senior officials and disseminate malicious links, particularly concerning transitions between messaging platforms.
Key Points:
Impersonating senior officials, the actors send malicious links, specifically regarding a transition from one messaging platform to another.
Quote:
Steve Prentiss highlighted at [00:06:45], "The FBI urges vigilance, reminding people to check for subtle errors in messaging and to be wary of unnatural speech or visuals."
Impact:
The rise of deepfake technology poses significant risks to national security and the integrity of governmental communications, necessitating enhanced verification protocols.
Overview:
U.S. security experts have uncovered hidden kill switches and undocumented cellular radios embedded within Chinese-manufactured power inverters used in U.S. and European solar farms. These rogue components present a potential risk for remote sabotage of critical energy infrastructure.
Detailed Findings:
While inverters typically permit remote access for maintenance, the covert communication hardware was not listed in product documentation. Over the past nine months, similar devices were found in batteries from multiple Chinese suppliers.
Security Concerns:
The presence of such hidden systems increases the vulnerability of energy infrastructure to foreign interference, highlighting the need for rigorous hardware inspections and supply chain security measures.
Overview:
Japan has recently passed a landmark law granting its authorities the capability to engage adversaries proactively through offensive cyber operations. This legislative change marks a significant shift from Japan's traditional defensive stance, aligning its cyber defense posture with that of major Western powers.
Legislative Background:
The law was originally proposed in 2022 and was enacted last Friday. It is intended to raise Japan's cyber defence to a level equal to that of major Western powers, a break from a posture that had tracked closely to the country's Article 9 constitutional commitment.
Quote:
At [00:10:20], Steve Prentiss stated, "This law marks a break from the country's traditional approach to cyber defence, which had tracked closely to its Article 9 constitutional commitment."
Implications:
Japan's proactive stance may influence regional cyber dynamics and necessitate adjustments in diplomatic and cooperative cybersecurity efforts with neighboring countries.
Overview:
Eric Council Jr., an Alabama resident, has been sentenced to 14 months in prison for hacking into the Securities and Exchange Commission's (SEC) X (formerly Twitter) account. His attack involved executing a SIM swap to gain control, with the intent to post fraudulent content that could manipulate Bitcoin's market value.
Legal Proceedings:
The case was first covered on the show in February. Beyond the 14-month sentence, Council must forfeit $50,000 and will serve three years of supervised release.
Quote:
Steve Prentiss summarized at [00:12:50], "Council must forfeit $50,000 and, following the sentence, will face three years of supervised release with the condition that he not use computers to access the dark web or commit further identity fraud."
Significance:
This case underscores the legal repercussions of social media account hacks and serves as a deterrent against attempts to manipulate financial markets through digital platforms.
Overview:
The Consumer Financial Protection Bureau (CFPB) is set to withdraw a Biden-era rule aimed at regulating data brokers who sell personal and financial information. A notice published in the Federal Register confirms that the CFPB will not pursue further legislative rulemaking on this issue at this time.
Details:
The notice was published last Thursday. The rule had been aimed at cracking down on data brokers and their sale of personal and financial information.
Quote:
At [00:14:30], Steve Prentiss conveyed, "The Bureau has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter further and will therefore not take any further action."
Implications:
Consumers and privacy advocates may view this withdrawal as a setback in efforts to regulate the data brokerage industry and protect personal information from unauthorized sales and usage.
Overview:
Ransomware gangs are increasingly targeting the vulnerable space between Information Technology (IT) and Operational Technology (OT) within organizations. This middle layer presents opportunities for cybercriminals to disrupt both core business and industrial operations.
Expert Insight:
Timothy Conway, technical director of the SANS Institute's Industrial Control Systems programs, told The Register that some criminal gangs focus on the systems that sit between classic IT (core business applications) and OT (heavy industrial infrastructure), offering as an example what would happen if jet fuel were diverted to a home heating oil pipeline. All businesses have such middle systems, encrypting them is easier than developing ransomware that targets OT, and the victims are more likely to pay the extortion demands.
Organization Spotlight:
SANS Institute (SysAdmin, Audit, Network, and Security) remains a pivotal organization providing training, research, and certification in cybersecurity, particularly concerning industrial control systems.
Quote:
At [00:17:30], Steve Prentiss highlighted, "SANS, by the way, stands for SysAdmin, Audit, Network, and Security. It is a training, research and certification organization."
Recommendations:
Organizations should prioritize securing the IT-OT interface and implement comprehensive monitoring to detect and respond to ransomware threats targeting these critical systems.
Featured Segment:
A new episode of Security You Should Know covers what ThreatLocker is doing to help organizations navigate unauthorized site access. It is available at cisoseries.com as well as on YouTube, Spotify, or wherever you get your podcasts.
Highlighted Article:
A new article, "What would happen if your CISO was not around during a cyberattack?", on the front page of cisoseries.com, draws on three CISO colleagues to consider how a company would cope if a crisis struck while its CISO was away and out of touch for a day or more.
Conclusion:
This episode of Cyber Security Headlines provided a comprehensive overview of significant cybersecurity developments, from international cyber threats to legislative changes and the evolving tactics of ransomware groups. Staying informed and proactive is essential for organizations and individuals alike to navigate the ever-changing cyber landscape.
For more detailed stories behind these headlines, visit cisoseries.com.
Reported by Steve Prentiss for the CISO Series.