Claude Chatbot Used for Automated Political Messaging
Infosecurity Magazine 01.05.2025 17:45
Anthropic has found its Claude chatbot is being used for automated political messaging, enabling AI-driven influence campaigns
ePA security: BSI warned of the risk
Heise Security 01.05.2025 16:57
After security vulnerabilities in the electronic patient record were once again disclosed by people in the CCC's orbit, the BSI is now commenting as well.
Claude AI Exploited to Operate 100+ Fake Political Personas in Global Influence Campaign
The Hacker News 01.05.2025 13:02
Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X.
The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct personas on the two social media platforms, creating a
DarkWatchman, Sheriff Malware Hit Russia and Ukraine with Stealth and Nation-Grade Tactics
The Hacker News 01.05.2025 11:27
Russian companies have been targeted as part of a large-scale phishing campaign that’s designed to deliver a known malware called DarkWatchman.
Targets of the attacks include entities in the media, tourism, finance and insurance, manufacturing, retail, energy, telecom, transport, and biotechnology sectors, Russian cybersecurity company F6 said.
The activity is assessed to be the work of a
10 insights on the state of AI security from RSA Conference
CSO Online 01.05.2025 11:00
As you walk around trying to avoid the 41,000 participants at RSA Conference in San Francisco, you become aware of the Waymo autonomous cars in the streets that always elicit an extra glance. Yes, there is no driver in that seat!
Waymo cars aim to revolutionize transportation through fully autonomous driving technology that offers the promise of a safer, more accessible, and sustainable way to get around.
At RSA Conference it is hard to not see the same proposition at the macro level of nearly every cybersecurity provider talking up the AI capabilities of their products and services. The sales pitch is equivalent to Waymo’s: These AI-enabled cyber tools will be safer, more accessible, and sustainable.
David Gee
Indeed, “way more” AI is what we are seeing in the current offerings and product roadmaps — not just at RSA, but throughout the industry today.
This promise is very enticing for CISOs, especially on the back of the very real shortage of cyber resources they are enduring. Many companies are already looking to AI to help bridge their cyber skills gaps. But the future of security with AI is yet to be shaped. How this future will unfold and impact their organizations should be top of mind for every CISO today.
RSA offered some interesting early insights CISOs should keep in mind as they further develop their strategies for implementing AI defenses and securing AI use in their enterprises.
Shaping the future of AI security
One early morning panel session I attended featured a lively discussion facilitated by Jamil Jaffer, a venture partner and strategic advisor at Paladin Capital. Joining Jaffer on stage were Jason Clinton, CISO of Anthropic; Matt Knight, CISO of OpenAI; and Sandra Joyce, VP at Google Threat Intelligence.
The panel explored how collaboration between industry and government is vital to ensuring secure AI systems. But the discussion around the use of AI tools to stave off cyberattacks and bolster cyber defenses offered fodder for thought that goes beyond the frame of the conversation.
Here are the key points of insight around AI’s evolution in cybersecurity that I gleaned from this discussion along with my own quick-take commentary on how they impact CISOs and security teams going forward.
1. AI presents a complex duality for cybersecurity, potentially offering an unfair advantage to attackers while also providing significant benefits for defenders.
At the moment, it ap
Electronic patient record: hacker finds another vulnerability, Gematik responds quickly
Heise Security 30.04.2025 19:22
The day after the ePA launch, Gematik has to report that it has closed a further security vulnerability with an "immediate measure".
ChoiceJacking: Researchers bypass USB lock on Android and iOS
Heise Security 30.04.2025 18:51
As security experts revealed at BlackHat Asia, they managed to steal data from smartphones over USB, and even to wipe devices.
Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense
The Hacker News 30.04.2025 17:59
As the field of artificial intelligence (AI) continues to evolve at a rapid pace, new research has found how techniques that render the Model Context Protocol (MCP) susceptible to prompt injection attacks could be used to develop security tooling or identify malicious tools, according to a new report from Tenable.
MCP, launched by Anthropic in November 2024, is a framework designed to connect
More than 400 IT security experts come to Chris Krebs's defense
Heise Security 30.04.2025 15:57
More than 400 IT security experts are taking part in an open letter from the EFF that calls on the Trump administration to leave Chris Krebs alone.
RSA Conference 2025 — News and analysis
CSO Online 30.04.2025 14:24
The RSA 2025 Conference is back in San Francisco and, as always, is packed with the latest on cybersecurity trends, technologies, and insights. Keynote speakers include industry leaders, security experts, and maybe even some surprise guests. You can anticipate a wide range of topics, including a focus on the following:
AI in cybersecurity (both as a threat and a defense)
Cloud security challenges and solutions
The latest ransomware tactics and how to defend against them
Privacy regulations and data protection
Emerging threats like quantum computing
Keep an eye out for emerging trends that will be highlighted at the conference. This year, expect a strong focus on topics such as XDR (extended detection and response), zero-trust security, security automation, and the evolving role of the CISO.
RSA Conference 2025 coverage
HPE adds ‘digital circuit breaker’ to protect GreenLake customers
April 30, 2025: HPE has introduced new security features for its Aruba Networking and GreenLake platforms to enhance cloud and network security in hybrid IT environments. The updates include an AI-driven policy engine for network access control, tighter integration between Aruba Central and HPE OpsRamp for unified visibility, and real-time threat response across SD-WAN and SSE.
HPE Aruba boosts NAC security, adds GreenLake ‘kill switch’
April 29, 2025: HPE Aruba announced a variety of updates, including a new policy manager for network access control (NAC), tighter integration between Aruba Networking Central and HPE OpsRamp, and new security components for its SD-WAN and SSE packages.
Palo Alto unpacks security platform to protect AI resource
April 29, 2025: Palo Alto Networks unveiled its Prisma AIRS AI security platform that the company says is designed to protect the developing enterprise AI ecosystem from attacks.
Huntress expands ITDR capabilities to combat credential theft and BEC
April 29, 2025: Cybersecurity outfit Huntress, known for its threat-detection solutions, has announced expanding identity-specific offerings – including protection from credential theft and business email compromise (BEC) – on its existing managed identity threat detection and response (ITDR) offering.
Cisco automates AI-driven security across enterprise networks
April 28, 2025: At RSA Conference 2025, Cisco unveiled agentic AI capabilities in Cisco XDR, the latest version of Splunk SOAR, and an open-sour
Cybercriminals intensify hunt for exposed Git secrets
CSO Online 30.04.2025 13:47
Git configuration files exposed in public repositories are being aggressively dug up and looked into by threat actors to reveal sensitive secrets and authentication tokens unintentionally left behind in Git projects.
A GreyNoise observation recorded a significant spike in search attempts for exposed Git configuration files between April 20 and April 21.
“While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials,” GreyNoise researchers said in a blog post. Git configuration files define settings and behaviors for how Git–the distributed version control system–operates, often containing sensitive information such as plain-text credentials including access tokens or hard-coded secrets, remote repository URLs, branch structure and naming conventions, and metadata providing insight into internal development processes.
When developers leave .git/ directories publicly accessible, they unintentionally hand out internal files–prime snooping targets that give attackers a head start.
About 5k unique searches in a day
According to a screenshot shared by GreyNoise, an in-house tracker instrument, “Git Config Crawler” — used to identify IPs crawling the internet for sensitive Git config files — recorded a total of 11,885 unique IPs in the last 90 days, of which nearly 4,800 came between April 20 and April 21 alone.
GreyNoise researchers said they have observed four spikes since September 2024, each involving approximately 3,000 unique IPs. They were observed in September 2024, December 2024, February 2025, and April 2025.
While the GreyNoise report does not specify the exact causes for these spikes, a few possible factors include publicly disclosed vulnerabilities related to Git or associated development tools just before the spike, automated reconnaissance campaigns, responses to exposed Git Configurations, or preparatory stages in targeted cyberattacks.
Snooping attempts originated from all over the world, with hackers from Singapore (4933), the US (3807), Germany (473), and the UK (395) leading these activities in the last 90 days.
Hackers’ favourite for stealing credentials
Threat actors have used this technique earlier in large-scale operations. A threat campaign reported in October 2024, “EmeraldWhale,” scanned for exposed configuration files t
Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks
The Hacker News 30.04.2025 12:20
Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022.
RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging
The CISO cloud security conundrum: Buy vs. build vs. both
CSO Online 30.04.2025 10:00
Cloud security isn’t just about finding risks — it’s about fixing them, and fast. Every organization using the cloud faces the same problem: too much data, too many alerts, and not enough resources to deal with them all. Security teams are drowning in information, struggling to separate real threats from noise, and unable to assess the real impact of a security decision on the business. The question isn’t just whether to buy cloud security solutions or build an in-house program; it’s about finding a practical way to cut through the chaos to actually secure your cloud environment.
Most companies don’t have the security expertise or bandwidth to handle cloud security on their own. Managed solutions, tools, services, and external expertise all promise automation and efficiency, but they also introduce dependencies and limitations. But while building cloud security tools in-house gives organizations control, it also requires experienced talent, resources, and constant maintenance. The reality is, neither option alone is enough. Organizations must find the right balance between automation and human insight to ensure their security strategy isn’t just checking boxes but actually reducing risk.
More data, more problems
Cloud platforms generate an overwhelming amount of data, and security teams are expected to make sense of it all. The problem? Humans can’t manually triage every alert, determine what’s exploitable, and prioritize risks effectively. Legacy approaches relying on human-led investigations and ticket queues don’t scale. Security teams need intelligent automation systems that can filter out the noise, highlight real threats, and recommend actionable fixes.
Making matters worse, security doesn’t operate in a vacuum. Every security change, whether it’s restricting permissions, modifying configurations, or patching vulnerabilities, has downstream effects on infrastructure, applications, and business operations. Without a clear understanding of those dependencies, security teams risk breaking critical systems in their attempt to protect them. In reality, even the best security teams are unlikely to function as full-time consultants to the business, no matter how experienced they are.
The case for managed cloud security tools and services
The rapid pace of cloud adoption has made it highly challenging for companies to keep up with misconfigurations, compliance requirements, and emerging threats
France accuses Russia of cyberattacks aimed at destabilization
Heise Security 30.04.2025 8:28
France accuses Russia of having carried out cyberattacks on institutions such as ministries since 2021. The aim is said to be destabilization.
This month in security with Tony Anscombe – April 2025 edition
We Live Security 29.04.2025 13:43
From the near-demise of MITRE’s CVE program to a report showing that AI outperforms elite red teamers in spearphishing, April 2025 was another whirlwind month in cybersecurity
New Reports Uncover Jailbreaks, Unsafe Code, and Data Theft Risks in Leading AI Systems
The Hacker News 29.04.2025 18:18
Various generative artificial intelligence (GenAI) services have been found vulnerable to two types of jailbreak attacks that make it possible to produce illicit or dangerous content.
The first of the two techniques, codenamed Inception, instructs an AI tool to imagine a fictitious scenario, which can then be adapted into a second scenario within the first one where there exists no safety
Enterprise-specific zero-day exploits on the rise, Google warns
CSO Online 29.04.2025 17:05
Zero-day vulnerabilities may have declined in 2024, but the number of flaws in enterprise products that didn’t have a patch at the time of exploitation is increasing, highlighting the increased focus attackers have in exploiting enterprise software and devices to achieve initial access to corporate networks.
“While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts,” researchers from Google’s Threat Intelligence Group (GTIG) wrote in their annual zero-day report.
GTIG tracked a total of 75 zero-day vulnerabilities in 2024 compared to 98 in 2023. Of the identified zero-day flaws, 33 targeted enterprise technologies (44%), a 7% increase over 2023, primarily fueled by increased exploitation of security and networking appliances.
The remaining 42 zero-days that Google categorized as impacting end-user products are vulnerabilities in operating systems and browsers, which also impact enterprises.
Browser and mobile zero-days declining
Microsoft Windows saw the biggest increase in zero-day exploitation last year with 22 flaws compared to 16 in 2023. Android saw exploitation of seven zero-day flaws, on par with 2023, while iOS zero days dropped significantly from nine to two.
On the browser front, Google Chrome was targeted through seven unpatched vulnerabilities, Mozilla Firefox through one, and Apple’s Safari with three (down from 11 in 2023).
Because of added security layers on mobile devices such as application sandboxing, exploitation usually requires chaining multiple vulnerabilities together to achieve remote code execution with elevated privileges. Mobile devices, including mobile browsers, are particularly targeted by commercial surveillance vendors (CSVs) who sell their products to governments and intelligence agencies. These customers typically seek to obtain information from their surveillance targets’ mobile phones, either remotely or through physical access.
One example is an exploit chain that combined three vulnerabilities to unlock the seized Android phone of a student activist in Serbia last year with a product developed by Cellebrite, an Israeli digital forensics company. One of the vulnerabilities used in the chain, CVE-202
SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients
The Hacker News 29.04.2025 15:07
Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster dubbed PurpleHaze conducted reconnaissance attempts against its infrastructure and some of its high-value customers.
"We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees," security
Cybersecurity leaders decry ‘political persecution’ of Chris Krebs in a letter to the President
CSO Online 29.04.2025 14:40
Over 40 leading cybersecurity professionals and infosec experts have signed an open letter condemning the political persecution of former CISA Director Christopher Krebs. They have urged the Trump administration to rescind the recent executive actions targeting Krebs and his former employer, SentinelOne.
The letter, organized by the Electronic Frontier Foundation (EFF), responds to a presidential executive order issued on April 9, 2025, that directed the Attorney General and Homeland Security Secretary to investigate Krebs and instructed the Attorney General and the Director of National Intelligence to revoke security clearances held by Krebs and SentinelOne employees. The executive order labeled Chris Krebs a “significant bad-faith actor” who allegedly misused his authority while leading CISA.
Industry leaders raise alarm
In their April 28 letter to President Trump, the 40 signatories, comprising prominent voting-security experts, computer-science professors, tech executives, and security researchers, denounced the investigation as “retribution” for Krebs’ accurate affirmation that the 2020 election was fair and secure.
President Trump appointed Krebs as Director of the Cybersecurity and Infrastructure Security Agency (CISA) in November 2018, only to fire him in November 2020 after Krebs publicly contradicted Trump’s claims of widespread fraud in the 2020 presidential election, affirming it was “the most secure in American history.”
On his first day back in office in January 2025, President Trump revoked security clearances for 51 former intelligence officials. Subsequently, on April 9, a presidential executive order specifically targeted Krebs and SentinelOne, where Krebs had been serving as Chief Intelligence and Public Policy Officer.
The letter supporting Krebs is signed by a group of experts, including Harold Abelson, MIT Professor of Computer Science; David L. Dill, Donald E. Knuth Professor Emeritus in the School of Engineering at Stanford University; and Joseph Lorenzo Hall, Distinguished Technologist at the Internet Society.
“I’m proud to be one of the security experts who signed the Electronic Frontier Foundation (EFF) letter in support of Chris Krebs,” wrote entrepreneur and technologist Adam Shostack in a LinkedIn post.
The EFF letter said, “By placing Krebs and SentinelOne in the crosshairs, the President is signaling that cybersecurity professionals whose findings conflic
Data protection: Criticism of the electronic patient record is growing louder
Heise Security 29.04.2025 12:48
The electronic patient record, which 70 million insured people now have, is insecure and patients are barely informed, according to the recurring criticism.
Cloudflare report: Germany is the country most frequently attacked by DDoS
Golem 29.04.2025 12:26
Cloudflare provides insight into the DDoS attacks the company fended off in the first quarter of 2025. A large share of them were directed at Germany. (Cybercrime, Cyberwar)
Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
The Hacker News 29.04.2025 12:11
Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but an increase from 63 the year before.
Of the 75 zero-days, 44% of them targeted enterprise products. As many as 20 flaws were identified in security software and appliances.
"Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for
Cyberattack on berlin.de
CSO Online 29.04.2025 11:23
Berlin's information and service portal berlin.de was out of action at the end of April 2025. Hackers took the site down with a DDoS attack.
Hackers have taken down the capital's portal berlin.de with a DDoS attack. The website has been the target of a massive cyberattack since Friday, April 25, the Senate Chancellery said. “All areas of berlin.de and the service portal service.berlin.de have had only limited availability since then,” it said. However, no data has been exfiltrated, according to the operators. Who is behind the cyberattack is not yet known.
These companies have already been hit
It is not the first attack of this kind on the capital's website. Back in early April 2023, unknown hackers had overloaded the service portal with requests in a DDoS attack. Two years ago there were cyberattacks nationwide on various authorities and public-sector institutions.
Berlin neglects cybersecurity
The Berlin administration has repeatedly been criticized in the past for being sloppy about cybersecurity. In February 2023, Berlin's State Commissioner for Information Security, Klaus-Peter Waniek, complained that dozens of servers with outdated Windows versions were still running in the city administration's network. According to him, machines running Windows Server 2008 were in operation there, some of them already more than 15 years old and for which Microsoft no longer provides security updates. Waniek at the time called the continued operation of the servers a “vulnerability of the highest criticality.”
Europol Creates “Violence-as-a-Service” Taskforce
Infosecurity Magazine 29.04.2025 11:00
Europol has launched a new initiative designed to combat recruitment of youngsters into violent organized crime groups
Law enforcement apparently hacked the cybercrime marketplace BreachForums
Heise Security 29.04.2025 9:49
The operators of BreachForums state that investigators gained access to the online black market by exploiting a security vulnerability.
Ex-employee takes revenge: Three years in prison for manipulated Disney menus
Golem 29.04.2025 9:48
The man made changes to the menus of Disney restaurants that were extremely dangerous for people with allergies, an act of retaliation for his earlier dismissal. (Cybercrime, Disney)
Ransomware attack on Hitachi Vantara
CSO Online 29.04.2025 9:13
The ransomware group Akira is said to have struck Hitachi's IT services and infrastructure subsidiary.
Representatives of Hitachi Vantara have acknowledged to the security portal Bleeping Computer (BC) that the company was attacked with ransomware on April 26 and subsequently had to take some of its systems offline.
As a subsidiary of the Japanese Hitachi group, Hitachi Vantara specializes in data platforms and infrastructure systems for companies and public authorities. Hitachi Vantara's customers include various well-known companies from different industries, among them BMW, Datev and Santander Bank.
Extorted by Akira?
“After detecting suspicious activity, we immediately initiated incident response measures and contacted external security experts to begin the remediation process and investigate the incident,” BC quotes the company as saying. Hitachi Vantara's website(s) are currently unavailable.
Bleeping Computer also says it has learned from anonymous sources that the ransomware gang Akira is behind the attack on Hitachi Vantara and apparently also exfiltrated data. According to this, several public-authority and government projects are also said to be affected by the attack. (fm)
Attacks on security vulnerabilities in Commvault, Brocade Fabric OS and Active! Mail
Heise Security 29.04.2025 8:33
Attackers are targeting recent vulnerabilities in Commvault, Brocade Fabric OS and Active! Mail and compromising systems.
Marks & Spencer admits cyberattack
CSO Online 29.04.2025 8:21
British retail giant Marks & Spencer has been hit by cybercriminals and is now struggling with the consequences.
As Marks & Spencer (M&S) announced in a “Cyber Incident Update” dated April 22, the group is dealing with a “cyber incident.” The retailer is one of the largest of its kind in the UK and operates nearly 400 stores on the island alone. Details on what exactly happened and whether customer or company data was taken were initially not available.
“After the incident was discovered, we had to temporarily adjust our store processes to protect our customers and the company,” the group's initial statement said. According to it, Marks & Spencer has brought in external cybersecurity experts to investigate and manage the cyber incident and has notified the relevant authorities.
Ransomware suspected
While the website and app were initially still working as usual according to Marks & Spencer, the group has put all online ordering on hold since April 25. “As part of our proactive approach to this cyber incident, we have decided to temporarily stop accepting orders via our websites and apps. Our product range remains viewable online. We apologize for the inconvenience,” M&S wrote in an update. However, the restrictions at Marks & Spencer now no longer appear to be limited to online channels: as Sky News reports, hundreds of employees at the M&S logistics center in the UK have been instructed not to come to work for the time being.
According to the security portal Bleeping Computer (BC), M&S is said to have been attacked by the ransomware gang “Scattered Spider.” According to this, the cybercriminals gained access to the company's servers as early as February 2025 and stole database information. This was presumably used to steal further data from network devices and servers, and ultimately to encrypt virtual machines, as BC reports, citing anonymous sources.