Dragon Sight: Emerging Threats & Security Strategies
WEEK OF MAY 05, 2025 | ISSUE 08 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"
In This Issue
A Canadian electric utility suffered a significant cyberattack, raising concerns over critical infrastructure resilience. Microsoft now defaults to passwordless accounts, accelerating the shift away from traditional login methods. North Korean and Chinese threat actors are actively targeting cybersecurity firms and abusing IPv6 SLAAC to evade detection. Iranian hackers were found maintaining undetected access to telecom networks for over two years. Meanwhile, TikTok faces a record €530 million GDPR fine, and brute-force attacks are now faster than ever, highlighting the urgent need for strong authentication practices.

CYBER NEWS ROUNDUP
1. Canadian Electric Utility Hit by Cyberattack
A major Canadian electric utility suffered a cyberattack disrupting IT systems, though power delivery remained unaffected. The incident highlights growing threats to critical infrastructure, particularly in the energy sector. Authorities have not yet confirmed attribution, but the attack underscores the need for continuous monitoring and segmented network architecture. Utilities are urged to enhance incident response capabilities and secure both OT and IT environments.
Read more: https://www.securityweek.com/canadian-electric-utility-hit-by-cyberattack/
2. Microsoft Accounts Go Passwordless by Default
Microsoft is now making passwordless authentication the default for personal accounts, leveraging biometrics and app-based authentication instead. This move aims to reduce phishing and credential-based attacks, which remain top entry points for cyber intrusions. It reflects an industry-wide push toward zero-trust and identity-first security strategies. Organizations should consider adopting similar practices to reduce reliance on vulnerable password-based logins.
Read more: https://www.securityweek.com/microsoft-accounts-go-passwordless-by-default/
3. SentinelOne Targeted by North Korean IT Workers, Ransomware Gangs, and Chinese Hackers
Cybersecurity firm SentinelOne disclosed multiple targeting attempts by North Korean IT workers, Chinese APTs, and ransomware gangs. These campaigns involved fake job applicants, malicious code insertion, and espionage tactics aimed at exploiting trust within cyber defense companies. The attacks demonstrate how threat actors are evolving their social engineering and insider techniques. Security teams should bolster employee vetting processes and monitor internal development environments for anomalies.
Read more: https://www.securityweek.com/sentinelone-targeted-by-north-korean-it-workers-ransomware-groups-chinese-hackers/
4. TikTok Slammed With €530 Million GDPR Fine Over Child Privacy Violations
The Irish Data Protection Commission fined TikTok a record €530 million for violating GDPR rules around the processing of children's data. The investigation revealed inadequate safeguards for underage users and default public settings that exposed minors to risk. The case emphasizes the increasing regulatory scrutiny on social media platforms handling sensitive data. Organizations must audit their data privacy practices and ensure compliance with regional privacy laws.
Read more: https://thehackernews.com/2025/05/tiktok-slammed-with-530-million-gdpr.html
5. Iranian Hackers Maintain 2-Year Access to Middle Eastern Telecom Networks
Iranian state-backed actors maintained covert access to telecom infrastructure in the Middle East for over two years. The campaign leveraged advanced persistence and reconnaissance techniques to monitor high-value targets without detection. This operation reveals the long-term risk posed by APTs with geopolitical motives and deep technical capabilities. Organizations in telecom and adjacent sectors should conduct comprehensive threat hunts and enforce strict access controls.
Read more: https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html
6. Chinese Hackers Abuse IPv6 SLAAC to Evade Detection
Chinese APTs have been observed abusing IPv6 Stateless Address Autoconfiguration (SLAAC) to operate stealthily inside networks. SLAAC trusts whatever Router Advertisements arrive on the local segment, so a compromised host that sends its own advertisements can push neighbors onto an attacker-controlled default gateway or DNS resolver and sit in an adversary-in-the-middle position without touching the IPv4 configuration that most monitoring watches. The rise of dual-stack networks increases the risk of blind spots in enterprise defenses. Security teams must ensure IPv6 traffic is logged, monitored, and subject to the same scrutiny as IPv4, and should enable RA Guard (RFC 6105) on access switches so that only authorized ports can originate Router Advertisements.
Read more: https://thehackernews.com/2025/04/chinese-hackers-abuse-ipv6-slaac-for.html
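As an added illustration of what SLAAC abuse looks like on the wire (this is example code written for this issue, not from The Hacker News article or the researchers behind it), the script below parses ICMPv6 Router Advertisements per RFC 4861 and flags any that come from an unknown router, advertise an unexpected prefix, or push an unexpected RDNSS resolver. The known-router, prefix and DNS allow-lists and the two constructed sample packets are assumptions; in a real deployment you would feed it frames captured on a mirror port.

```python
import ipaddress
import struct

# Assumed allow-lists for one VLAN: the real router's link-local address,
# the prefix it should advertise, and the resolvers it should hand out.
KNOWN_ROUTERS = {"fe80::1"}
KNOWN_PREFIXES = {"2001:db8:10::/64"}
KNOWN_DNS = {"2001:db8:10::53"}

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861 s4.2)
OPT_SRC_LLADDR = 1       # Source Link-layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement and its TLV options."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _t, _c, _csum, _hop, flags, router_lifetime = struct.unpack("!BBHBBH", payload[:8])
    ra = {"router_lifetime": router_lifetime,
          "managed": bool(flags & 0x80),   # M flag: addresses via DHCPv6
          "other": bool(flags & 0x40),     # O flag: other config via DHCPv6
          "prefixes": [], "rdnss": [], "src_mac": None}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        end = off + olen * 8
        body = payload[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS and olen >= 3:
            addrs = body[6:]
            ra["rdnss"] += [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                            for i in range(0, len(addrs), 16)]
        elif otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        off = end
    return ra


def audit_ra(src_ip: str, payload: bytes) -> list:
    """Return findings for one RA; an empty list means it matches the allow-lists."""
    ra = parse_ra(payload)
    findings = []
    if src_ip not in KNOWN_ROUTERS:
        findings.append(f"RA from unexpected router {src_ip}")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in KNOWN_PREFIXES]
    findings += [f"unexpected RDNSS resolver {d}" for d in ra["rdnss"] if d not in KNOWN_DNS]
    return findings


def build_ra(prefix: str, dns: str, mac: bytes, lifetime: int = 1800) -> bytes:
    """Assemble a minimal RA for the constructed samples (checksum left zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    sll = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, mac)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0, net.network_address.packed)
    rdnss = struct.pack("!BBHI16s", OPT_RDNSS, 3, 0, lifetime,
                        ipaddress.IPv6Address(dns).packed)
    return hdr + sll + pio + rdnss


# Constructed sample traffic: the legitimate router, then a rogue host that
# advertises the same prefix but swaps in its own resolver.
LEGIT = ("fe80::1", build_ra("2001:db8:10::/64", "2001:db8:10::53", bytes.fromhex("001122334455")))
ROGUE = ("fe80::dead:beef", build_ra("2001:db8:10::/64", "2001:db8:bad::53", bytes.fromhex("66778899aabb")))

if __name__ == "__main__":
    for src, pkt in (LEGIT, ROGUE):
        print(src, audit_ra(src, pkt) or "ok")
```

The rogue packet is caught twice: once because its source is not the known router, and once because it advertises a resolver that is not on the allow-list. Either finding alone is enough to page someone, since a rogue RDNSS is exactly how a SLAAC attacker redirects name resolution.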
7. ISC Diary: Detecting DNS Exfiltration in Your Environment
DNS exfiltration remains a favored tactic for stealthily extracting data from compromised systems. The SANS ISC diary outlines practical detection strategies including anomaly-based monitoring, traffic baselining, and packet inspection. Attackers often exploit overlooked DNS channels to bypass firewalls and SIEM detection. Defenders should tune alerts for unusually long DNS queries and implement strict DNS egress policies.
Read more: https://isc.sans.edu/diary/rss/31916
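The detection ideas above (long queries, encoded-looking labels, volume of never-repeated subdomains under one zone) can be run over ordinary resolver logs. The script below is an added example for this issue, not code from the ISC diary; the log format, the thresholds and the sample lines are all constructed, and the zone split (last two labels) is a simplification that a production version should replace with the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from any real environment):
# "<timestamp> <client> <qtype> <qname>". The exfil-test.net queries carry
# hex-encoded record fragments in the leftmost label, the classic tunnel shape.
SAMPLE_LOG = """\
2025-05-05T10:00:01Z 10.1.1.20 A www.example.com
2025-05-05T10:00:02Z 10.1.1.20 A mail.example.com
2025-05-05T10:00:03Z 10.1.1.33 TXT 4a6f686e20446f652c2053534e203132.t1.exfil-test.net
2025-05-05T10:00:03Z 10.1.1.33 TXT 33342d353637382c2043432034313131.t2.exfil-test.net
2025-05-05T10:00:04Z 10.1.1.33 TXT 31313131313131312c20457870203036.t3.exfil-test.net
2025-05-05T10:00:04Z 10.1.1.33 TXT 2f32372c2043565620313233ffffffff.t4.exfil-test.net
2025-05-05T10:00:05Z 10.1.1.20 A cdn.example.com
2025-05-05T10:00:06Z 10.1.1.41 A e3b0c44298fc1c149afbf4c8996fb924.s1.exfil-test.net
"""

MAX_LABEL = 24          # legitimate hostnames rarely have a label this long
MAX_QNAME = 50
ENTROPY_FLOOR = 3.0     # bits per character; hex/base64 payloads sit above this
SUSPECT_QTYPES = {"TXT", "NULL"}   # record types that give the server a wide reply channel


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    n = len(s)
    if n == 0:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def split_zone(qname: str):
    """Split 'a.b.example.com' into ('a.b', 'example.com') using the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qtype: str, qname: str) -> int:
    """Heuristic exfil score for one query; higher means more tunnel-like."""
    sub, _zone = split_zone(qname)
    labels = [l for l in sub.split(".") if l]
    score = 0
    if labels and max(len(l) for l in labels) >= MAX_LABEL:
        score += 2                        # a long opaque label is the payload carrier
    if len(qname) >= MAX_QNAME:
        score += 1
    if shannon_entropy(sub.replace(".", "")) >= ENTROPY_FLOOR:
        score += 1                        # looks encoded rather than like words
    if qtype.upper() in SUSPECT_QTYPES:
        score += 1
    return score


def analyze(log_text: str, threshold: int = 3):
    """Return (flagged queries, per-zone stats) for a log in the format above."""
    flagged = []
    zones = defaultdict(lambda: {"queries": 0, "unique_subs": set(), "suspect": 0, "payload_chars": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        sub, zone = split_zone(qname)
        z = zones[zone]
        z["queries"] += 1
        z["unique_subs"].add(sub)
        z["payload_chars"] += len(sub.replace(".", ""))   # rough upper bound on bytes carried out
        s = score_query(qtype, qname)
        if s >= threshold:
            z["suspect"] += 1
            flagged.append((ts, client, qtype, qname, s))
    return flagged, zones


def suspicious_zones(zones, min_unique: int = 4) -> list:
    """Zones where at least half the queries score as tunnel-like and subdomains never repeat."""
    return sorted(z for z, st in zones.items()
                  if len(st["unique_subs"]) >= min_unique and st["suspect"] * 2 >= st["queries"])


if __name__ == "__main__":
    flagged, zones = analyze(SAMPLE_LOG)
    for ts, client, qtype, qname, s in flagged:
        print(f"{ts} {client} {qtype:<4} score={s} {qname}")
    for zone in suspicious_zones(zones):
        st = zones[zone]
        print(f"zone {zone}: {st['queries']} queries, {len(st['unique_subs'])} unique subdomains, "
              f"~{st['payload_chars'] // 2} bytes of hex payload")
```

The per-query score catches individual tunnel packets; the per-zone aggregation is what separates a real exfiltration channel from the occasional long CDN hostname, because a CDN reuses its labels while a tunnel never sends the same chunk twice.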
8. How Long It Takes to Brute-Force Your Password in 2025
With modern GPUs and AI-driven cracking tools, attackers can brute-force 8-character passwords in minutes, especially those without symbols or uppercase letters. The article outlines how password length and complexity remain critical: fast hashes such as MD5, SHA-1 or NTLM offer almost no resistance to offline cracking, and only deliberately slow, salted algorithms such as bcrypt or Argon2 raise the attacker's cost per guess. Password managers and passphrases are now essential for personal and enterprise security. Users should adopt 12+ character passwords and enable multi-factor authentication wherever possible.
Read more: https://darkwebinformer.com/time-it-takes-a-hacker-to-brute-force-your-password-in-2025/
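To make the length-versus-complexity argument concrete, here is an added worked calculation (written for this issue, not taken from the Dark Web Informer article) of expected offline crack time for several password shapes under several hash algorithms. The guess rates are assumed order-of-magnitude figures for a single GPU rig, not measurements; change them to match your own benchmarks.

```python
import math

# Assumed offline guess rates in guesses per second for one GPU cracking rig.
# Illustrative order-of-magnitude values, not figures from the article.
GUESS_RATES = {
    "MD5, unsalted": 1e11,
    "NTLM": 1e11,
    "bcrypt (cost 12)": 2e4,
}

# Character classes that the usual complexity rules refer to.
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must consider."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def crack_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is tried."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a random passphrase from a word list (7776 words = Diceware)."""
    return words * math.log2(dictionary_size)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def compare(length: int, charset_name: str) -> dict:
    """Crack-time estimate for one password shape under every assumed hash rate."""
    size = CHARSETS[charset_name]
    return {algo: crack_seconds(size, length, rate) for algo, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for length, cs in ((8, "lowercase"), (8, "all printable ASCII"),
                       (12, "lower+upper"), (16, "lowercase")):
        print(f"{length} chars, {cs} ({entropy_bits(CHARSETS[cs], length):.0f} bits)")
        for algo, secs in compare(length, cs).items():
            print(f"   {algo:<18} {human(secs)}")
    print(f"5-word Diceware passphrase: {passphrase_entropy_bits(5):.0f} bits")
```

Two things fall out of the numbers: adding four lowercase characters buys far more than adding symbols to an 8-character password, and the same weak password sits behind bcrypt for weeks rather than seconds, which is why the hash the service chose matters as much as the policy it enforces.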
Why This Matters
This week's developments paint a stark picture of the evolving cyber threat landscape. From nation-state actors infiltrating telecom infrastructure for years undetected, to abuse of IPv6 SLAAC and fake job applicants targeting cybersecurity firms, adversaries are adapting faster than defenses. Even consumer-facing platforms like TikTok are facing massive fines for privacy failures, underscoring regulatory scrutiny alongside technical risk. The growing speed of brute-force attacks and Microsoft's shift to passwordless defaults signal an urgent change in authentication strategy, one that organizations can't afford to ignore.
The latest CISA alerts and ICS advisories reinforce this urgency. Actively exploited vulnerabilities and critical medical device flaws show that no sector, from infrastructure to healthcare, is safe. These aren't isolated threats; they're signs of a maturing threat environment where stealth, persistence, and exploitation of overlooked systems are the norm. Staying ahead requires more than patching systems; it demands vigilant monitoring, proactive threat hunting, and a zero-trust mindset at every layer of the enterprise.

Cyber Hygiene Tips – Week of May 5, 2025
Patch known exploited vulnerabilities now. CISA added two more high-risk flaws to its KEV catalog this week, highlighting active use by attackers. Prioritize immediate updates to all affected systems to block common entry points. (Source: CISA KEV alerts)
Monitor for unauthorized DNS traffic. DNS exfiltration remains a stealthy method for data theft, often bypassing firewalls. Set alerts for abnormal query lengths, volume spikes, or queries to rare domains. (Source: SANS ISC Diary on DNS exfiltration)
Review and restrict IPv6 configurations. Chinese APTs are using SLAAC in IPv6 networks to hide lateral movement. Ensure IPv6 logging is enabled, disable unused IPv6 services, and apply monitoring rules. (Source: The Hacker News – IPv6 SLAAC abuse)
Enable passwordless authentication where supported. Microsoft is shifting to passwordless logins to prevent phishing and brute-force attacks. Adopt modern identity solutions like FIDO2 and app-based logins to reduce credential theft. (Source: Microsoft passwordless default)
Strengthen vetting of job applicants and contractors. SentinelOne was targeted by fake North Korean IT workers injecting malicious code. Verify identities during hiring, scan documents for malware, and monitor internal developer activity. (Source: SentinelOne threat disclosure)
Isolate and secure critical medical devices. Medtronic insulin pumps were flagged in a CISA advisory for cyber risks. Segment medical equipment from main networks and apply firmware updates where available. (Source: ICSMA-25-121-01 advisory)
Audit telecom and critical infrastructure for long-term intrusions. Iranian hackers maintained covert access to networks for over two years. Conduct deep packet inspection and threat hunts focused on persistence and exfiltration paths. (Source: The Hacker News – Iranian telecom compromise)
Enforce strong passwords and MFA across all systems. New reports show that brute-force attacks can crack weak passwords in minutes using 2025-grade hardware. Require 12+ character passphrases and use multi-factor authentication to stop account takeovers. (Source: Dark Web Informer – password cracking trends)
Check privacy settings on public-facing platforms. TikTok was fined €530M for failing to protect children's data due to default public profiles. Review and adjust privacy defaults for any services your org uses or offers to customers. (Source: The Hacker News – TikTok GDPR fine)
Stay updated on CISA and vendor advisories weekly. Threat actors are exploiting newly disclosed vulnerabilities faster than ever. Make it routine to review official feeds and immediately triage your environment for impacted assets. (Source: Weekly CISA alerts and advisories)
Government advisories
CISA Adds Two Known Exploited Vulnerabilities to Catalog (May 2, 2025)
https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
CISA Adds Two Known Exploited Vulnerabilities to Catalog (May 1, 2025)
https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
Medtronic MiniMed 600 Series Insulin Pumps (ICSMA-25-121-01)
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-121-01
APT29 Using Legitimate Software to Conduct Widespread Spearphishing Campaign
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
THREAT FOCUS INFORMATION
Threat Intelligence Brief: Molatori Phishing Campaign Using Fake SSA Emails and ScreenConnect
Overview
A newly reported phishing campaign attributed to a threat group called Molatori is targeting individuals across the United States with fake emails impersonating the U.S. Social Security Administration (SSA). The emails attempt to lure recipients into downloading ScreenConnect, a legitimate remote support tool, disguised as an official SSA document or update. Once installed, ScreenConnect gives Molatori operators full remote access to the victim's system, enabling credential theft, data exfiltration, and potential financial fraud. The campaign is highly evasive: it uses image-based email content to slip past text-based mail filters and compromised WordPress sites to host the malicious payloads.
Threat Actor Profile
Name: Molatori
Target Sectors: Government, Finance
Target Geography: United States
Primary Objectives: Remote access, data theft, financial fraud
Tactics: Social engineering, impersonation, remote administration abuse
Tools and Techniques
Malware/Tool Used: ScreenConnect (legitimate remote access tool abused as malware)
Delivery Mechanism: Phishing emails with spoofed SSA themes, image-based content to evade detection
Hosting Infrastructure: Compromised WordPress websites
Mapped MITRE ATT&CK Techniques:
T1566 – Phishing
T1204 – User Execution
T1219 – Remote Access Software
T1105 – Ingress Tool Transfer
T1059 – Command and Scripting Interpreter
T1078 – Valid Accounts
Indicators of Compromise (IOCs)
The following domains are associated with this campaign and should be blocked or monitored. They are defanged to prevent accidental engagement; validate them in your own threat intelligence platform before acting on them.
atmolatori[.]icu
gomolatori[.]cyou
molatoriby[.]cyou
molatorier[.]cyou
molatorier[.]icu
molatoriist[.]cyou
molatorila[.]cyou
molatoriora[.]cyou
molatoriora[.]icu
molatoripro[.]cyou
molatoripro[.]icu
molatorisy[.]cyou
molatorisy[.]icu
onmolatori[.]icu
promolatori[.]icu
samolatori[.]cyou
samolatori[.]icu
umolatori[.]icu
Why This Threat Matters
The Molatori campaign is a stark reminder that attackers don't need complex malware to succeed, just a convincing pretext and access to dual-use tools. As geopolitical tensions and financial exploitation tactics increase, we're seeing a broader trend of cybercriminals turning common IT solutions into stealthy compromise vectors. The campaign's low technical barrier, combined with its ability to bypass standard email defenses, makes it a growing concern for defenders across public and private sectors.
Strategic Implications
This campaign underscores the increasing use of trusted tools like ScreenConnect as malware proxies, making detection and response more difficult for defenders. The impersonation of a widely recognized government agency such as the SSA increases the likelihood of user interaction and successful compromise. As more cybercriminals adopt “living-off-the-land” tactics using legitimate tools and infrastructure, organizations must rely on behavior-based monitoring and endpoint visibility instead of traditional signature-based defenses.
Defensive Recommendations
Block the listed IOCs at your firewall, DNS filter, and email security gateways
Restrict installation and use of remote access tools like ScreenConnect unless explicitly authorized
Educate staff and end-users about phishing campaigns that impersonate government agencies
Implement EDR/XDR solutions with anomaly detection for remote access behavior
Audit logs for unusual remote connections and software installs from non-trusted domains or hosts
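The first, second and last recommendations above can be turned into a small hunting script. The one below is an added example written for this issue (not tooling from the brief's source or from ConnectWise): it refangs the published IOC domains, matches them against a constructed proxy log, and flags ScreenConnect client processes whose relay host is either an IOC or not one of your helpdesk's approved relays (ATT&CK T1219). The proxy log format, the Sysmon-style event records, the approved-relay list and the "h=<relay>" command-line parameter are all assumptions for this example.

```python
import re
from urllib.parse import urlparse

# The 18 domains published in the brief, kept defanged exactly as in the source.
DEFANGED_IOCS = """
atmolatori[.]icu gomolatori[.]cyou molatoriby[.]cyou molatorier[.]cyou molatorier[.]icu
molatoriist[.]cyou molatorila[.]cyou molatoriora[.]cyou molatoriora[.]icu molatoripro[.]cyou
molatoripro[.]icu molatorisy[.]cyou molatorisy[.]icu onmolatori[.]icu promolatori[.]icu
samolatori[.]cyou samolatori[.]icu umolatori[.]icu
""".split()


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")


IOCS = {refang(d) for d in DEFANGED_IOCS}


def matches_ioc(host: str) -> bool:
    """True if host is an IOC domain or any subdomain of one."""
    host = host.lower().strip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOCS)


# Constructed web-proxy log (not real traffic): "<ts> <client> <method> <url> <status>".
PROXY_LOG = """\
2025-05-05T14:02:11Z 10.2.0.15 GET https://www.ssa.gov/myaccount/ 200
2025-05-05T14:02:19Z 10.2.0.15 GET https://gomolatori.cyou/ssa/statement.exe 200
2025-05-05T14:05:40Z 10.2.0.22 GET https://cdn.example.com/app.js 200
2025-05-05T14:06:02Z 10.2.0.15 GET https://relay.samolatori.icu/?e=Access 101
"""


def audit_proxy(log_text: str) -> list:
    """Return (timestamp, client, host) for every request to an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, url, _status = parts
        host = urlparse(url).hostname or ""
        if matches_ioc(host):
            hits.append((ts, client, host))
    return hits


# Relay hosts your own helpdesk's ScreenConnect deployment may use (assumed).
APPROVED_RELAYS = {"support.corp.example"}

# Constructed process-creation events modelled on Sysmon Event ID 1 fields.
# The "h=<relay>" parameter on the client command line is an assumption.
PROCESS_EVENTS = [
    {"host": "WS-042", "image": r"C:\Users\jdoe\Downloads\SSA_Statement_2025.exe",
     "cmdline": r'"C:\Users\jdoe\Downloads\SSA_Statement_2025.exe"'},
    {"host": "WS-042",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe",
     "cmdline": '"?e=Access&y=Guest&h=gomolatori.cyou&p=443"'},
    {"host": "WS-017",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (f00dbabe)\ScreenConnect.ClientService.exe",
     "cmdline": '"?e=Support&h=support.corp.example&p=443"'},
]


def relay_host(cmdline: str):
    """Pull the relay hostname out of a ScreenConnect client command line."""
    m = re.search(r'[?&]h=([^&\s"]+)', cmdline)
    return m.group(1).lower() if m else None


def audit_process(event: dict) -> list:
    """Flag ScreenConnect clients pointed at IOC or unapproved relays."""
    findings = []
    if "screenconnect" not in event["image"].lower():
        return findings
    relay = relay_host(event["cmdline"])
    if relay is None:
        findings.append(f'{event["host"]}: ScreenConnect client with no parsable relay host')
    elif matches_ioc(relay):
        findings.append(f'{event["host"]}: ScreenConnect relay {relay} matches a Molatori IOC')
    elif relay not in APPROVED_RELAYS:
        findings.append(f'{event["host"]}: ScreenConnect relay {relay} is not an approved helpdesk relay')
    return findings


if __name__ == "__main__":
    for hit in audit_proxy(PROXY_LOG):
        print("proxy:", *hit)
    for ev in PROCESS_EVENTS:
        for finding in audit_process(ev):
            print("endpoint:", finding)
```

Matching on subdomains as well as exact names matters because the actor controls the zone and can mint fresh hostnames under it; the relay check is the part that keeps working after the actor rotates to domains not on this list, since an unapproved relay is suspicious regardless of its name.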
Discover the Nexus-Dragon Ecosystem
Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection
Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep; it's a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com
Included in CLS:
Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications
Access to interactive cloud security labs, recorded workshops, and scheduled mentorship
Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency
Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response
Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It's everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:
AI-driven threat detection, endpoint security, and real-time response
Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001
Guided onboarding and a full cybersecurity risk assessment to identify gaps
Multi-year price lock and flexible plans that grow with your organization’s needs
Stay Ahead of Cyber Threats with Curated Threat Intelligence
In today's fast-moving cyber landscape, raw data isn't enough; you need actionable intelligence tailored to your business. Our Curated Threat Intelligence Service delivers real-time insights, customized threat profiles, and prioritized alerts focused on your industry, your risks, and your critical assets.
We filter the noise, track evolving threat actors, and highlight only what matters most, so you can act faster, defend smarter, and stay resilient. Every report includes high-confidence indicators of compromise (IOCs), mapped MITRE ATT&CK techniques, and strategic recommendations designed to strengthen your defenses.
Protect your business with intelligence built for action, not overwhelm.
Contact us today to start receiving tailored threat intelligence you can trust.
Whether you’re focused on penetration testing, compliance, data privacy, or building out your security operations, Nexus-Dragon equips you with the tools, knowledge, and strategies to lead from the front.
Partner Spotlight
Organize, Track, and Succeed with Monday.com
We're proud to be sponsored by Monday.com, the all-in-one work operating system that helps teams stay organized, efficient, and ahead of schedule. Whether you're managing cybersecurity projects, coordinating threat intelligence reports, or streamlining daily operations, Monday.com offers customizable workflows, real-time collaboration, and powerful automation, all in one easy-to-use platform.
Ready to take control of your projects and boost your team's productivity?
Get started today with Monday.com
Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
[email protected]
Or explore our solutions directly at:
TELL US HOW WE’RE DOING!
We value your feedback! Let us know how we can improve future issues.
Legal Disclaimer
The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. All trademarks belong to their respective owners.
CONTACT US
📞 850-684-0278