Transcript
Jim Love (0:00)
Marks and Spencer confirms that customer personal data was accessed in a recent hack. The FBI warns of 13 outdated routers hijacked by hackers. Fortinet patches a zero day in FortiVoice actively exploited in targeted attacks. And, oh joy, oh rapture unforeseen, ransomware reaches the CPU. Welcome to Cybersecurity Today. I'm your host, Jim Love.

Marks and Spencer has confirmed that hackers accessed personal customer data during a cyber attack that has disrupted its operations since late April. The breach, which occurred over the Easter weekend, compromised information including names, dates of birth, home and email addresses, phone numbers, household details and even online order histories. But importantly, Marks and Spencer stated that no usable payment card details or account passwords were accessed. The attack has been linked to the cybercrime group DragonForce, known for ransomware and extortion tactics. Marks and Spencer's online ordering systems remain offline and the company has not specified when services will resume. Customers are being prompted to reset their passwords as a precaution, and Marks and Spencer advises vigilance against potential phishing attempts and emphasizes it will never request personal account information via unsolicited communications. The UK's National Cyber Security Centre is collaborating with Marks and Spencer and law enforcement to investigate the incident.

The old saying "if it ain't broke, don't fix it" might not apply to routers. It turns out that some of those old reliable Linksys routers might be a significant security risk. The FBI has issued an urgent alert regarding 13 older router models being actively exploited by cybercriminals. These devices, primarily from Linksys, Cradlepoint and Cisco, have reached their end of life and are no longer receiving security updates, making them vulnerable to malware attacks. For many larger companies, we would hope this wouldn't be an issue. 
Replacement should be done for any network device that is no longer supported. But for smaller companies or home offices this could be a real threat. So the Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N and WRT610N are affected. From Cradlepoint, the E100 series is, and from Cisco, the M10 series. Hackers are exploiting these outdated routers using variants of TheMoon malware. The malware allows attackers to gain unauthorized access, turning compromised routers into proxy nodes for malicious activity such as data theft and cyber attacks. Once infected, these routers can be controlled remotely, often without the owner's knowledge. Some signs of compromise might include unusual overheating, frequent Internet disconnections, unexpected changes in router settings, or the appearance of unknown devices on your network. If you own one of the affected models, the FBI is strongly advising replacing it with a newer model that regularly receives security updates. But if not, at least ensure that you disable remote administration: access your router settings and turn off remote management features to at least try to prevent unauthorized access.

Fortinet has issued a critical fix for a zero day vulnerability, CVE-2025-32756, affecting its FortiVoice enterprise phone systems after confirming the flaw was actively exploited in real world attacks. The vulnerability is a stack based buffer overflow that allows unauthenticated attackers to remotely execute code by sending specially crafted HTTP requests. Fortinet's product security team discovered the issue following the attackers' activities, including network scans, system crash log deletions to cover their tracks, and FCGI debugging being toggled on to log credentials from the system or SSH login attempts. The company has released patches and advises administrators to disable the HTTP or HTTPS administrative interfaces as a temporary mitigation. 
This is the latest in a string of critical security issues affecting Fortinet products. Last month, the Shadowserver Foundation reported on 16,000 Internet exposed Fortinet devices that were compromised using a new symlink backdoor that provides threat actors with read only access to sensitive files on now patched devices hacked in previous attacks. Earlier this year, Fortinet patched another vulnerability, CVE-2025-24472, an authentication bypass flaw in FortiOS and FortiProxy that allowed attackers to gain super admin access. The company has urged all customers to audit systems for signs of compromise and apply patches immediately. Organizations relying on FortiVoice or other impacted Fortinet products, including FortiMail, FortiNDR, FortiRecorder and FortiCamera, should act quickly. The nature of the exploit and its confirmed use in the wild makes this vulnerability especially high risk for unpatched systems.

And finally, a cybersecurity researcher has developed a proof of concept demonstrating that ransomware can be embedded directly into a computer's CPU via microcode updates, potentially bypassing all traditional security measures. Christiaan Beek, a senior director at cybersecurity firm Rapid7, created the PoC inspired by a critical flaw in AMD's Zen processors. The flaw, previously identified by Google researchers, allows attackers to modify the RDRAND instruction, enabling the injection of custom microcode. Beek's approach involves weaponizing microcode updates, a low level layer between hardware and machine code typically used by chip makers to fix bugs and improve CPU reliability, to hide ransomware payloads within the processor itself. While microcode updates are generally exclusive to CPU manufacturers, Beek's research indicates that injecting custom microcode, although challenging, is actually feasible. His PoC, which he has no plans to release publicly, demonstrates how such an attack could render traditional security technologies ineffective. 
As the malware operates beneath the software layer, the development underscores the evolving sophistication of cyber threats. Beek references the BlackLotus bootkit, known for compromising UEFI firmware and infecting systems protected by Secure Boot, as a precedent for such low level attacks. Additionally, leaked chat logs from the Conti ransomware group in 2022 revealed efforts to develop ransomware capable of installing directly into the UEFI firmware, highlighting a trend towards more persistent and stealthy malware. The ability to embed ransomware at the CPU level would represent a significant escalation in cyberattack capabilities, potentially allowing malware to survive system reboots, hardware replacements, and even software reinstalls. This research serves as a warning to both chip manufacturers and PC manufacturers about the need to address vulnerabilities at the hardware level and to develop defenses against such deeply embedded threats.

And on that happy note, that's our show. We're always interested in your opinion and you can contact us at editorialechnewsday. You can find me on LinkedIn, or if you're watching this on YouTube, you know what to do: leave a comment under the video. I'm your host, Jim Love. Thanks for listening.
