Risky Bulletin: Windows Update will patch third party apps - Risky Bulletin

Summary

Summary of Risky Bulletin: Windows Update Will Patch Third-Party Apps

Host: Caitlin Sorey
Prepared by: Catalyn Campanu
Release Date: May 30, 2025

1. Microsoft Enhances Windows Update for Third-Party Applications

Caitlin Sorey [00:04]: "Microsoft will allow third parties to distribute patches via Windows Update app and driver."

Microsoft is set to revolutionize its Windows Update system by enabling third-party developers to distribute updates for their applications and drivers directly through the Windows Update interface. This initiative aims to streamline the update process, ensuring users receive timely patches without the need to rely solely on individual software providers. Developers are being encouraged to register and participate in testing this new update mechanism, which is slated for inclusion in a future release of Windows 11.

2. Massive Leak Exposes Russia's Nuclear Secrets

A significant breach has led to the exposure of Russia's nuclear secrets through an internet-accessible database containing over 2 million documents. The leaked information includes detailed blueprints of nuclear missile sites, specifics on recent repairs, and plans for new facilities and bases. This alarming disclosure was uncovered by Danish journalists collaborating with reporters from Der Spiegel, raising concerns about national security and the potential implications for global stability.

3. Czech Republic Accuses China of Cyber Espionage

In a severe allegation, the Czech Republic has accused China of orchestrating a cyberattack against its Ministry of Foreign Affairs in 2022. The breach targeted an unclassified network connected to the ministry, potentially linked to telecommunications infrastructure. Officials have identified APT31, a cyber espionage group associated with China's Ministry of State Security, as the perpetrator. In response, NATO and the European Union have publicly supported the Czech Republic, emphasizing the importance of collective cybersecurity measures.

4. United Kingdom Establishes New Cyber Command

The UK government has announced the creation of the Cyber and Electromagnetic Command, a new military division tasked with coordinating both defensive and offensive cyber operations to support national security missions. General Sir James Hockenhull will lead this initiative, which underscores the UK's commitment to enhancing its cyber defense capabilities in an increasingly digital battleground.

5. US Banks Challenge SEC's Cyber Breach Disclosure Rule

Five major US banking associations have formally requested the Securities and Exchange Commission (SEC) to repeal its Cyber Incident Disclosure Rule. Adopted last year, the rule mandates that businesses disclose data breaches within four business days of determining their material impact. The banks argue that this requirement complicates incident management and introduces additional risks. They also highlight that certain ransomware groups exploit the SEC's disclosure timelines to exert greater pressure on victims.

6. NATO Integrates Cybersecurity into Defense Spending Targets

NATO is pushing to include cybersecurity, alongside border and coastal security, in its new defense spending framework. The proposed target allocates 5% of GDP to defense, with 3.5% designated for "hard" defense expenditures and the remaining 1.5% covering defense-related initiatives, including cybersecurity. Member states are scheduled to vote on this revised spending target in June, reflecting the growing recognition of cyber threats in international security strategies.

7. India Implements Strict Regulations on Foreign Surveillance Cameras

India has enacted legislation requiring all foreign-manufactured surveillance cameras to undergo mandatory testing in government laboratories before being introduced to the market. This law mandates that companies submit the source code for all camera firmware and permit Indian officials to audit their factory processes. While aimed at enhancing national security, several manufacturers have raised concerns regarding the invasiveness of factory inspections and the slow pace of the approval process.

8. ConnectWise Reports APT Breach in Remote Access Platform

IT software company ConnectWise has disclosed a breach in its ScreenConnect remote access platform, attributing the incident to a state-sponsored Advanced Persistent Threat (APT) group. Although the company states that only a small number of customers were affected, it has proactively notified those impacted and is conducting a thorough investigation to assess the extent and implications of the breach.

9. Victoria's Secret Suffers Cyber Attack, US Website Taken Down

Lingerie giant Victoria's Secret has temporarily taken down its US website following a cyberattack. While physical stores remain operational, certain in-store services have been suspended as the company works to restore its IT systems. Victoria's Secret manages over 1,300 retail locations across 70 countries, and the attack underscores the vulnerabilities faced by global retail operations in the digital age.

10. International Crackdown on Phishing Operations

Pakistan: Authorities have arrested 21 individuals in connection with the Heart Sender phishing group. Dutch and US authorities had previously seized the group's servers in January, revealing that they sold phishing kits and templates and operated a marketplace for stolen credentials. The Heart Sender group is implicated in phishing scams resulting in over $50 million in losses within the United States.
India: In the city of Visakhapatnam, Indian authorities raided a cyber scam operation compound, detaining over 100 suspects. The group ran call centers targeting English-speaking victims, similar to operations seen in Cambodia and Myanmar.
Philippines: The US has sanctioned Funnel Technologies and its administrator, Lou Liz, for providing internet infrastructure to scam operations. Funnel servers have been linked to more than $200 million in reported losses, with the FBI releasing numerous Indicators of Compromise (IOCs) tied to Funnel-hosted scam infrastructures over the past three years.

In the UK, online fraud has resulted in nearly £1.2 billion in losses across over 3 million reported cases, with investment scams being the most detrimental. According to the Organized Crime and Corruption Reporting Project, fraud constitutes 41% of all reported crimes in the UK.

11. New Botnet Targets Asus, Cisco, D-Link, and Linksys Devices

A newly identified botnet named "Asish" has compromised over 9,000 Asus routers by exploiting a vulnerable Trend Micro security feature. Additionally, a smaller number of Cisco, D-Link, and Linksys devices have been infected. Active since March, Asish appears to be part of a larger botnet operation known as "Vicious Trap." Security firm Sequoia Grainoy suggests that the botnet's complexity points to the involvement of an APT group, indicating a sophisticated level of cyber threat.

12. Vulnerability in OneDrive File Picker Component Exposes User Accounts

A security flaw in the OneDrive file picker component has been identified, allowing attackers to access entire OneDrive accounts. The vulnerability stems from improperly defined OAuth permissions within the OneDrive service. Security firm Oasis reported the bug to Microsoft, and it affects applications such as Slack, Trello, and ChatGPT. Microsoft is currently addressing the issue to secure affected systems.

13. Texas Enacts Age Verification Requirements for Mobile App Downloads

Texas has passed a new law mandating that mobile app stores verify the ages of users before allowing them to download applications. Governor Greg Abbott signed the bill, which is set to take effect next year and primarily impacts major platforms like Apple and Google. Both companies have publicly criticized the law, highlighting potential challenges in implementation. A similar regulation was previously enacted in Utah earlier this year.

Conclusion

The Risky Bulletin delivered a comprehensive overview of recent cybersecurity developments, highlighting significant breaches, regulatory changes, and evolving threats. From Microsoft's initiative to streamline third-party updates via Windows Update to the international crackdown on sophisticated phishing operations, the episode underscored the dynamic and multifaceted nature of the cybersecurity landscape. Listeners are encouraged to stay informed and vigilant in navigating these complex challenges.

This summary was prepared based on the podcast episode "Risky Bulletin: Windows Update will patch third party apps" released on May 30, 2025.

Transcript

Caitlin Sorey (0:04)

Windows Update will deliver third party app updates A public database exposed Russia's nuclear secrets. US banks asked the SEC to rescind Cyber Breach Disclosure rule and Connectwise discloses an APT breach. This is the risky bulletin prepared by Catalyn Campanu and read by me, Caitlin sorey. Today is May 30th and this podcast episode is brought to you by Sublime Security, an email security platform that's not a black box. Microsoft will allow third parties to distribute patches via Windows Update app and driver. Developers are being encouraged to sign up and help test out the new update system. The feature will ship in a future Release of Windows 11. Sensitive details about Russia's nuclear weapons bases have been leaked via an Internet exposed database. The database contained more than 2 million documents and included detailed blueprints of Russia's nuclear missile sites. It also contained information on recent repairs, new buildings and bases. The database was discovered by Danish journalists who analyzed the data with reporters from Der Spiegel the Czech Republic has accused China of hacking its Ministry of foreign affairs in 2022. We're relying on machine translation here, but it looks like the hack targeted an unclassified network with ties to the ministry, and we're guessing it was a telco. Officials attributed the attacks to APT31, a cyber espionage group linked to China's Ministry of State Security. NATO and the EU have issued statements supporting the Czech Republic. The UK government has established a new cyber command within its military. The Cyber and Electromagnetic Command will be responsible for coordinating defensive and offensive cyber operations to support military missions. It will be led by General Sir James Hockenhull. Five US banking associations have urged the securities and Exchange Commission to rescind its Cyber Incident Disclosure Rule. The rule was adopted last year and requires businesses to disclose data breaches within four business days of determining material impact. Banks claim the rule complicates incident management and creates additional risk. Some ransomware groups have leveraged unfulfilled SEC disclosure requirements to put additional pressure on victims. NATO wants to include cybersecurity, border and coastal security expenditure in its new defence spending target. The new target will be 5% of GDP, with 3.5% to be spent on so called hard defence expenditures. The other 1.5% will account for defence related items. Under NATO's proposal, this would include cybersecurity. Member states are set to vote on the new spending target in June. India has passed a law requiring foreign surveillance camera makers to submit their products for testing before they're allowed on the market. The tests will be conducted in government labs and are mandatory for any Internet connected cameras. Companies must submit source code for all camera firmware and allow Indian officials to audit factory processes. Several manufacturers have expressed concerns about factory visits and the slow pace of testing. IT software company ConnectWise suspects a state sponsored group has breached its ScreenConnect remote access platform. The company says the breach affected a very small number of customers. Connectwise has notified affected customers and is investigating. Lingerie company Victoria's Secret has taken down its US Website following a cyber attack. Its physical stores are open, but some in store services have been suspended while IT systems are restored. The company did not provide further details. Victoria's Secret operates more than 1300 retail stores across 70 countries. 21 suspects have been arrested in Pakistan over their alleged ties to a phishing group. Dutch and US Authorities seized the servers of the Heart Sender group in January. The group sold phishing kits and templates. It also ran a marketplace that sold stolen credentials. Heart center has been linked to more than $50 million lost to phishing scams in the United States alone. Indian authorities have raided a cyber scam compound in the city of Vishakhar patnam. More than 100 suspects were detained. The group allegedly ran call centers that defrauded English speaking victims. Authorities described the call centers as smaller versions of the scam compounds operating in Cambodia and Myanmar. The US has sanctioned a CDN in the Philippines for providing Internet infrastructure to scam compounds. Sanctions were levied against Funnel Technologies as well as its Administrator Lou Liz. He Officials have linked funnel servers to more than $200 million in victim reported losses. In the past three years, the FBI has released many IOCs related to scam infrastructure hosted on Funnel servers. Companies in the UK have lost almost 1.2 billion pounds to online fraud across more than 3 million reported cases. The largest losses were linked to investment scams. According to the Organized Crime and Corruption Reporting project, Fraud accounts for 41% of all reported crime in the UK. More than 9,000 Asus routers have been affected by a new botnet named Asish. The botnet enables a vulnerable Trend Micro security protection feature in Asus routers and then exploits it. A smaller number of Cisco D Link and Linksys devices have also also been infected. The botnet has been active since March and appears to be part of a larger botnet that security company Sequoia calls vicious trap. Grainoy says the botnet appears to be the work of an APT group. A vulnerability in the OneDrive file picker component can be abused to access users entire OneDrive accounts. The bug is caused by improperly defined OAuth permissions for the OneDrive service. Security firm Oasis reported the bug to Microsoft. Apps like Slack, Trello and chatgpt use the component. A new law in Texas will require mobile app stores to verify users ages before they can download apps. The bill was signed by Texas Governor Greg Abbott and will be effective from next year. It primarily impacts Apple and Google. Both companies have criticised the law. A similar law was also passed in Utah earlier this year. That's all for this podcast edition. Today's show was brought to you by our sponsor, Sublime Security. Find them at Sublime.