
Ankura CTIX FLASH Update - May 20, 2025

Malware Activity

From Disabling Defender to Advanced Ransomware Tactics

Es3n1n's newly released tool, DefendNot, exemplifies a deceptive approach to bypassing Windows security: it manipulates registry and policy settings to disable Microsoft Defender Antivirus automatically. The tool is convenient for its intended users, but the same mechanism could be abused to switch off protection on a compromised host. Concurrently, ransomware groups are raising the sophistication of their attacks by deploying the Skitnet post-exploitation malware, which provides persistent access, data exfiltration, and covert control over compromised systems, thereby complicating detection and remediation. This shift toward multi-stage, stealthy attack frameworks underscores the urgent need for security professionals to strengthen their defenses and adapt to evolving threats to system integrity and data security. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
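A defender's first question after reading the above is whether Defender is actually running on a given host and whether any policy value that can switch it off has been planted. The following audit script is an added example written for this update; it is not part of the CTIX briefing and not code from the DefendNot project, whose exact mechanism the briefing does not describe. It assumes a Windows 10/11 host where the Defender PowerShell module (Get-MpComputerStatus) is present, and it checks the documented Group Policy registry locations DisableAntiSpyware and DisableRealtimeMonitoring, which disable Defender when set to 1. The function name Get-DefenderPolicyAudit is my own.

```powershell
# Added defender-side audit (not from the CTIX update or the DefendNot project):
# report whether Microsoft Defender is running and whether any policy registry
# value that can switch it off is present. Run from an elevated PowerShell session.

function Get-DefenderPolicyAudit {
    $result = [ordered]@{}

    # Live engine state as reported by Defender's own cmdlet.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $result.AntivirusEnabled          = $status.AntivirusEnabled
        $result.RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        $result.AMServiceEnabled          = $status.AMServiceEnabled
        # Tamper Protection, when on, blocks local changes to these settings.
        $result.IsTamperProtected         = $status.IsTamperProtected
    } catch {
        # Cmdlet missing or the Defender service is not running: both are findings.
        $result.StatusError = $_.Exception.Message
    }

    # Policy values that disable Defender when set to 1. These are the documented
    # Group Policy registry locations. An attacker-planted value looks identical to
    # an administrator-set one, so any hit is a prompt to verify its provenance
    # (GPO result, change tickets, endpoint management logs).
    $policyChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
    )

    $findings = foreach ($check in $policyChecks) {
        $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data = $item.($check.Name)
            [pscustomobject]@{
                Key      = $check.Path
                Value    = $check.Name
                Data     = $data
                Disables = ($data -eq 1)
            }
        }
    }
    $result.PolicyFindings = @($findings)

    # One-line verdict for triage: anything here should be treated as suspicious
    # until an authorised source for the setting is confirmed.
    $result.DefenderDisabledByPolicy = [bool](@($findings) | Where-Object { $_.Disables })

    [pscustomobject]$result
}

# Usage: print the audit, then list any policy values that disable Defender.
$audit = Get-DefenderPolicyAudit
$audit | Format-List
if ($audit.DefenderDisabledByPolicy) {
    Write-Warning 'Defender is disabled by a policy registry value; verify who set it.'
    $audit.PolicyFindings | Where-Object { $_.Disables } | Format-Table -AutoSize
}
```

The registry check is deliberately read-only: the goal is to surface a finding for investigation, not to flip the value back, because a legitimate GPO would simply re-apply it and a hostile one deserves a forensic look at when and how the key was written. Pairing this audit with an alert on writes to the two policy paths (for example via Sysmon registry events) turns a point-in-time check into continuous detection.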

Threat Actor Activity

UNC3944 Observed Targeting US Sector After Recent Attacks on UK Retailers

Google has issued a warning that the hacking group responsible for recent cyberattacks on UK retailers is now targeting companies in the US. The researchers highlighted the activities of UNC3944, also known as Scattered Spider, which uses social engineering, SIM swapping, ransomware, and extortion in its attacks across various industries. UNC3944 has been conducting targeted attacks on the financial services and food services sectors, with recent reports linking the group to attacks on UK retailers such as Co-op, Harrods, and Marks & Spencer (M&S), where customer data was confirmed stolen. While the UK attacks haven't been directly linked to Scattered Spider or DragonForce, it is suspected that the group is now focusing on the US retail sector, which is considered an attractive target due to the large volume of personally identifiable information (PII) and financial data it holds. Retailers may be more inclined to pay ransom demands if their ability to process financial transactions is compromised. It should be noted that DragonForce recently took control of the RansomHub ransomware-as-a-service (RaaS) platform, of which Scattered Spider was an affiliate in 2024. Cybersecurity experts warn that financially motivated groups are likely to continue targeting retailers and emphasize the importance of strengthening defenses against these threats. It has been confirmed that fewer than ten (10) US retailers have been targeted so far. Some victims have taken proactive measures by taking systems offline to contain the intrusions, although this has impacted their operations. The group has been known to exploit help desks to reset passwords and gain access to its targets, showcasing its resourcefulness and speed.

Vulnerabilities

Pwn2Own Berlin 2025 Hacking Competition Demonstrates Exploitation of Multiple Critical Vulnerabilities

At Pwn2Own Berlin 2025, held during the OffensiveCon conference from May 15th to 17th, security researchers demonstrated the exploitation of twenty (20) zero-day vulnerabilities over the first two (2) days, earning a total reward of $695,000. Mozilla addressed two (2) critical Firefox vulnerabilities (CVE-2025-4918 and CVE-2025-4919) disclosed during the contest, which allowed out-of-bounds access in JavaScript components but did not bypass the browser sandbox. These flaws, credited to researchers from Palo Alto Networks and independent expert Manfred Paul, were patched in Firefox 138.0.4 and the related ESR versions. On the second day of the event, standout exploits included a $150,000 VMware ESXi integer overflow by STARLabs SG, a $100,000 SharePoint authentication bypass and deserialization chain by Viettel Cyber Security, and successful zero-days in Firefox, Red Hat Enterprise Linux, Oracle VirtualBox, and AI platforms such as Redis and Nvidia's Triton Inference Server. With over $1 million in potential rewards across enterprise, cloud, AI, and automotive targets, Pwn2Own Berlin 2025 highlighted researchers' continued focus on high-impact enterprise and virtualization vulnerabilities. CTIX will continue to report on novel critical vulnerabilities to keep our readers informed of potential gaps in security.


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.