02.05.2025

Analyst Insight

This week in cyber, two major UK retailers fell victim to cyberattacks that caused major disruption across their operations, including online ordering and logistics, and directly affected their customers, at significant financial and reputational cost to both. Other industries were hit as well: a large South Korean telecoms provider was breached, and a targeted malware campaign struck the healthcare and pharmaceutical sectors. On the defensive side, MITRE has released version 17 of its ATT&CK framework, covering a wider range of modern threats so that defenders can better prepare for threat actor TTPs. SonicWall warned that two vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one high and one critical severity, are being actively exploited; patches are available. Finally, 1 May is World Password Day, and we at Telesoft recommend that readers practise good credential hygiene: use strong, unique passwords, never reuse them across services, and store them in a password manager.

Marks & Spencer Suffers Cyber Attack Causing Widespread Disruption

British retail giant Marks & Spencer has suffered a cyber attack that caused widespread disruption across its operations, including contactless payments and online ordering. Last Friday the retailer paused online sales, explaining: “As part of our proactive management of a cyber incident, we have made the decision to pause taking orders via our M&S.com websites and apps.” It reassured customers that there is “no need for them to take any action.” Some news outlets report that the attack involved ransomware and attribute it to the group tracked as Scattered Spider, although attribution remains unconfirmed. The disruption is still ongoing at the time of writing.

SK Telecom Suffers Data Breach: Firm Offers New Sim Cards to Customers

SK Telecom, South Korea's largest mobile carrier, fell victim to a data breach this week after the firm detected malware running within its network that allowed attackers to steal customer USIM data. This leaves affected customers exposed to “SIM swapping” attacks, in which an attacker transfers a victim's phone number to a SIM they control and can then receive the victim's calls and SMS, including one-time passcodes used for authentication. In response, SK Telecom offered its 24.2 million customers free replacement SIMs, at significant cost to the company, and about 70,000 customers have already moved to rival mobile networks. For organisations, this is a reminder that SMS-based one-time codes are only as strong as the carrier's SIM issuance controls; where possible, move multi-factor authentication to app-based or hardware authenticators.

MITRE Releases ATT&CK v17

MITRE has released version 17 of its ATT&CK framework, bringing many updates to support cybersecurity defences. Notable changes include: ESXi is now a platform in its own right, with four new techniques specific to VMware ESXi hypervisors, reflecting the growing need to secure virtualised environments. The “Network” platform has been renamed “Network Devices”, better representing techniques used against network infrastructure such as routers, switches and load balancers. The two sub-techniques DLL Search Order Hijacking (T1574.001) and DLL Side-Loading (T1574.002) have been merged into a single sub-technique, Hijack Execution Flow: DLL, because they overlap: in both cases the Windows loader resolves a DLL name to an attacker-supplied file instead of the legitimate one, so detection centres on where a DLL was loaded from rather than on which variant was used. A new sub-technique, Remote Access Tools: Remote Access Hardware, has been added to cover hardware such as KVM-over-IP devices used to remotely control a workstation, as seen in nation-state remote-work fraud schemes. These updates aim to provide a more accurate and comprehensive depiction of adversary behaviour, helping defenders track and stay ahead of evolving threats.

SonicWall Secure Mobile Access VPN Vulnerabilities Actively Exploited

SonicWall has updated its advisories for two vulnerabilities affecting its Secure Mobile Access (SMA) 100 series appliances after confirming that they are being actively exploited. CVE-2023-44221 is a high severity post-authentication OS command injection in the SMA100 SSL-VPN management interface, allowing a remote attacker with administrative privileges to inject arbitrary commands. CVE-2024-38475 is a critical vulnerability in Apache HTTP Server's mod_rewrite: improper escaping of output allows an attacker to map URLs to filesystem locations that the server is permitted to serve but that are not intended to be reachable, which can lead to source code disclosure or code execution. In practice the Apache flaw can give an unauthenticated attacker the foothold that the post-authentication command injection requires, so exposed appliances should be treated as high risk. SonicWall has released patches for both issues and urges customers to update their devices immediately; given the reports of exploitation, administrators should also review appliance logs and active sessions for signs of compromise.

Healthcare and Pharma Targeted by ResolverRAT Malware

Morphisec Threat Labs has discovered a new Remote Access Trojan (RAT) targeting the healthcare and pharmaceutical sectors. Dubbed “ResolverRAT”, the malware combines in-memory execution with multiple layers of evasion techniques, making it difficult to detect and analyse and creating significant challenges for malware analysts attempting to identify and mitigate the threat. Initial access relies on social engineering: in observed attacks, employees received personalised phishing emails written in their own language, with lures referencing legal investigations or copyright violations, that led them to run the malware. The loader is then launched by DLL side-loading, with the malicious DLL placed alongside a legitimate signed executable.
