Cyber Security Headlines – Episode Summary
Hosted by Steve Prentiss from the CISO Series
Release Date: May 19, 2025
1. Scattered Spider Expands from UK to U.S. Retail Sectors
Overview:
Cybersecurity experts from Google have identified the Scattered Spider group as the orchestrator behind a series of high-profile cyberattacks targeting UK retailers, including Marks & Spencer, the Co-op, and Harrods. Recently, the group has shifted its focus to the United States, impacting unnamed retailers across the country.
Key Insights:
- Charles Carmichael, Chief Technology Officer at Google's Mandiant unit, remarked at [00:02:15] – "The threat has moved to the US in a pattern typical of Scattered Spider assailants, demonstrating their strategic focus on specific industries and geographies before moving on."
- Attack Techniques:
  - Social Engineering: The group makes phone calls to IT help desks, impersonating employees or contractors to gain unauthorized access to company systems.
  - Operational Pattern: Their methodical approach involves targeting a sector intensively for weeks before transitioning to a new target.
Implications:
Retailers in the U.S. need to bolster their defenses against sophisticated social engineering tactics and remain vigilant for signs of Scattered Spider’s activities.
2. DefendNot Tool Compromises Microsoft Defender
Overview:
A new malicious tool named DefendNot has emerged, capable of disabling Microsoft Defender on Windows devices. This tool, developed by an individual known as es3n1n, registers a fake antivirus product to trick Windows into deactivating its native security measures.
Notable Details:
- Technical Mechanism:
  - API Exploitation: DefendNot leverages an undocumented Windows Security Center API, the interface third-party antivirus products normally use to register themselves with Windows as the active real-time protection provider.
  - Outcome: Once the fake antivirus is registered, Windows automatically disables Microsoft Defender to prevent conflicts between multiple security applications.
- Response:
  - Microsoft’s Action: Following the discovery, Microsoft has implemented measures to detect and quarantine DefendNot, mitigating its effectiveness.
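A defender-side check for the mechanism described above, added here as an example and not code from the podcast or from the DefendNot project: it lists every antivirus product registered with Windows Security Center, flags any name outside an assumed allow-list, and confirms whether Defender's real-time protection is still on. The allow-list and the output format are assumptions; run it in an elevated PowerShell session on a Windows client.

```powershell
# Added example: audit Windows Security Center (WSC) antivirus registrations.
# A product Windows does not recognise as one you deployed, especially one whose
# executable is missing or unsigned, is the signal to investigate, because WSC
# turns Defender off as soon as any registered product claims to be active.

# Assumed allow-list of AV display names expected on this estate; edit for your fleet.
$AllowedAv = @('Windows Defender', 'Microsoft Defender Antivirus')

# WSC-registered AV products are exposed through the root/SecurityCenter2 WMI namespace.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

$findings = foreach ($av in $registered) {
    # productState is a bit field; bit 0x1000 is set when the product reports itself enabled.
    $enabled = (($av.productState -band 0x1000) -ne 0)

    # Defender itself reports a "windowsdefender://" URI here, not a file path, so
    # only file paths that exist are checked for a valid Authenticode signature.
    $exe = $av.pathToSignedProductExe
    $signed = $false
    if ($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)) {
        $signed = ((Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid')
    }

    [pscustomobject]@{
        Status  = if ($AllowedAv -contains $av.displayName) { 'expected' } else { 'UNEXPECTED' }
        Name    = $av.displayName
        Enabled = $enabled
        Signed  = $signed
        Exe     = $exe
    }
}
$findings | Format-Table -AutoSize

# Defender should still be the active engine unless a real third-party AV was deployed on purpose.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Defender real-time protection is off; correlate with any UNEXPECTED product above.'
}
```

Running this from an endpoint-management tool on a schedule and alerting on any UNEXPECTED row turns a one-off check into a detection.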
Quote:
At [00:04:30], Steve Prentiss explained, "DefendNot can disable Microsoft Defender on Windows devices simply by registering a fake antivirus product, exploiting a vulnerability in the Windows Security Center API."
Recommendation:
Users and organizations are urged to ensure their systems are updated with the latest security patches and to remain cautious of unauthorized antivirus installations.
3. FBI Alerts Officials to Rising Deepfake Threats
Overview:
Since April 2025, the FBI has been proactively warning U.S. government officials about an ongoing cyber campaign utilizing AI-generated deepfake voice messages and texts. These deepfakes impersonate senior officials and are used to distribute malicious links, often under the pretext of moving the conversation to a different messaging platform.
Key Points:
- Malicious Intent:
  - Fraudulent Communications: Deepfakes are used to trick officials into clicking harmful links or executing unauthorized actions.
- FBI’s Guidance:
  - Vigilance: Officials are advised to scrutinize messages for subtle errors, unnatural speech patterns, or visual discrepancies in video communications.
Quote:
Steve Prentiss highlighted at [00:06:45], "The FBI urges vigilance, reminding people to check for subtle errors in messaging and to be wary of unnatural speech or visuals."
Impact:
The rise of deepfake technology poses significant risks to national security and the integrity of governmental communications, necessitating enhanced verification protocols.
4. Security Flaws Found in Chinese-Made Power Inverters
Overview:
U.S. security experts have uncovered hidden kill switches and undocumented cellular radios embedded within Chinese-manufactured power inverters used in U.S. and European solar farms. These rogue components present a potential risk for remote sabotage of critical energy infrastructure.
Detailed Findings:
- Covert Hardware:
  - Kill Switches: Allow for the remote disabling of power inverters during conflicts or emergencies.
  - Undocumented Radios: Enable unauthorized communication channels that are not mentioned in product documentation.
- Prevalence:
  - Similar rogue devices have been identified in batteries from multiple Chinese suppliers over the past nine months, indicating a widespread issue.
Security Concerns:
The presence of such hidden systems increases the vulnerability of energy infrastructure to foreign interference, highlighting the need for rigorous hardware inspections and supply chain security measures.
5. Japan Enacts Proactive Cyber Defense Law
Overview:
Japan has recently passed a landmark law granting its authorities the capability to engage adversaries proactively through offensive cyber operations. This legislative change marks a significant shift from Japan's traditional defensive stance, aligning its cyber defense posture with that of major Western powers.
Legislative Background:
- Original Proposal: The law was initially proposed in 2022 and is designed to enhance Japan’s cyber defense mechanisms.
- Constitutional Context: This move represents a departure from Japan's Article 9 constitutional commitment to pacifism, expanding its strategic autonomy in cyberspace.
Quote:
At [00:10:20], Steve Prentiss stated, "This law marks a break from Japan's traditional approach to cyber defense, allowing preemptive offensive actions to suppress threats before they escalate."
Implications:
Japan's proactive stance may influence regional cyber dynamics and necessitate adjustments in diplomatic and cooperative cybersecurity efforts with neighboring countries.
6. Alabama Hacker Receives 14-Month Sentence for SEC Twitter Attack
Overview:
Eric Council Jr., an Alabama resident, has been sentenced to 14 months in prison for hacking into the Securities and Exchange Commission's (SEC) X (formerly Twitter) account. His attack involved executing a SIM swap to gain control, with the intent to post fraudulent content that could manipulate Bitcoin's market value.
Legal Proceedings:
- Sentence Details:
  - Imprisonment: 14 months behind bars.
  - Financial Penalty: Forfeiture of $50,000.
  - Post-Sentence Supervision: Three years of supervised release, during which he is prohibited from accessing the dark web or engaging in identity fraud.
Quote:
Steve Prentiss summarized at [00:12:50], "Council must forfeit $50,000 and, following the sentence, will face three years of supervised release with the condition that he not use computers to access the dark web or commit further identity fraud."
Significance:
This case underscores the legal repercussions of social media account hacks and serves as a deterrent against attempts to manipulate financial markets through digital platforms.
7. CFPB Withdraws Biden-Era Rule on Data Brokers
Overview:
The Consumer Financial Protection Bureau (CFPB) has announced the withdrawal of a Biden-era rule aimed at regulating data brokers who sell personal and financial information. A notice published in the Federal Register confirms that the CFPB will not pursue further legislative rulemaking on this issue at this time.
Details:
- Rule Withdrawal: The CFPB decided that legislative rulemaking is neither necessary nor appropriate to address the concerns surrounding data brokers.
- Impact: This move could potentially loosen restrictions on data brokers, affecting consumer privacy and data protection standards.
Quote:
At [00:14:30], Steve Prentiss conveyed, "The Bureau has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter further and will therefore not take any further action."
Implications:
Consumers and privacy advocates may view this withdrawal as a setback in efforts to regulate the data brokerage industry and protect personal information from unauthorized sales and usage.
8. Ransomware Groups Exploit the IT-OT Gap
Overview:
Ransomware gangs are increasingly targeting the vulnerable space between Information Technology (IT) and Operational Technology (OT) within organizations. This niche area presents unique opportunities for cybercriminals to disrupt core business and industrial operations.
Expert Insight:
- Timothy Conway, Technical Director at the SANS Institute's Industrial Control Systems Programs, discussed the trend in an interview with The Register, cited at [00:16:45]. He explained that:
  - Targeting Middle Systems: Cybercriminals exploit systems that bridge IT and OT, such as those managing critical infrastructure like energy pipelines.
  - Example Scenario: Diverting jet fuel to a home heating oil pipeline could cause significant operational disruptions.
  - Ease of Encryption: Encrypting middle systems is less technically challenging than attacking OT directly, yet yields high returns as victims are more likely to pay ransoms to restore essential services.
Organization Spotlight:
SANS Institute (Sysadmin Audit Network and Security) remains a pivotal organization providing training, research, and certification in cybersecurity, particularly concerning industrial control systems.
Quote:
At [00:17:30], Steve Prentiss highlighted, "SANS stands for Sysadmin Audit Network and Security. It is a training, research, and certification organization focused on strengthening cybersecurity across various sectors."
Recommendations:
Organizations should prioritize securing the IT-OT interface and implement comprehensive monitoring to detect and respond to ransomware threats targeting these critical systems.
Additional Resources
Featured Segment:
- ThreatLocker:
  - Topic: Navigating unauthorized site access and the role of ThreatLocker in enhancing security measures.
  - Availability: Information can be found at cisoseries.com, as well as on YouTube, Spotify, and other podcast platforms.
Highlighted Article:
- Title: "What Would Happen If Your CISO Was Not Around During a Cyberattack?"
- Details: This article explores the resilience of organizations in the absence of their Chief Information Security Officer (CISO) during a crisis, featuring insights from three CISO colleagues.
- Access: Available on the front page of cisoseries.com as of May 19, 2025.
Conclusion:
This episode of Cyber Security Headlines provided a comprehensive overview of significant cybersecurity developments, from international cyber threats to legislative changes and the evolving tactics of ransomware groups. Staying informed and proactive is essential for organizations and individuals alike to navigate the ever-changing cyber landscape.
For more detailed stories behind these headlines, visit cisoseries.com.
Reported by Steve Prentiss for the CISO Series.