Kintetsu World Express Recovering From Ransomware; Ascension Healthcare Data Stolen From Third Party; New OpenEoX Framework Defines Product Lifecycles; SANS RSAC 2025 Keynote

Each year, the SANS Institute’s must-see keynote session at RSA Conference delivers a forward-looking briefing on the most critical and emerging attack vectors in cybersecurity. The 2025 session surfaced five new attack techniques that are reshaping how enterprises must think about cyber risk. Moderated by SANS Technology Institute President Ed Skoudis, the 45-minute session brought together top SANS experts to assess how today’s attackers are escalating both their technical sophistication and their impact on business operations.

The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: cybersecurity is no longer confined to the security operations center—it’s a leadership issue that impacts every layer of the enterprise. The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.

Read more about this year’s keynote:

www.sans.org/press/: RSAC 2025: The SANS Institute’s Top 5 Most Dangerous New Attack Techniques to Watch

www.sans.org/blog/: Inside RSAC 2025: The Five Emerging Attack Techniques That Demand Your Attention

Following a cyberattack discovered April 23, 2025, Japanese freight logistics company Kintetsu World Express (KWE) has continued to update a “Customer Notice for Service Disruptions” page on their website, posting a separate update on April 28 identifying the incident as a ransomware attack. The company described the impact as “ongoing server failure,” stating that the system had not recovered and operations were still affected. KWE has established an Emergency Response Headquarters, has notified the Japanese police, and is working with external professionals to investigate the scope and cause of the incident. An April 30 update states that most systems are now fully functional while the company remediates and recovers systems, simultaneously “conducting a comprehensive environmental assessment” and “collaborating with external IT partners to enhance [their] environment using industry standard cybersecurity solutions.” Investigation is ongoing, and customers will be immediately notified if their data have been impacted.

Ascension Healthcare, which operates 142 hospitals across the US, has begun notifying patients of a third-party breach that compromised their personal and health information. According to a breach notification sent to patients, Ascension learned of the incident in early December 2024. A subsequent investigation found that "Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner." This in not Ascension’s first encounter with breaches; a May 2024 ransomware attack prompted the company to notify 5.4 million people that their data had been compromised.

A group of technology vendors has published a draft framework for a standard companies can use to announce end of support for their products. OpenEoX categorizes a product’s lifecycle into General Availability (GA), End of Sale (EoS), End of Security Support (EoSSec), and End of Life (EoL). The document, which was published through the Organization for the Advancement of Structured Information Standards (OASIS), notes that "Currently, information about End-of-Life (EoL), End-of-Security-Support (EoSSec), and other states for software, hardware, services and specifications is often fragmented and inconsistently defined across the industry." The project’s "core objectives" are transparency, efficiency, and unification.

The UK Information Commissioner’s Office (ICO) will not investigate a 2023 ransomware attack that disrupted the British Library’s operations for months. The Library reported the incident to ICO in October 2023 and subsequently published a detailed review of the incident in March 2024: the "likely … point of entry" was determined to be a server that was not protected with multi-factor authentication (MFA). In a recent statement, the ICO writes that "further investigation would not be the most effective use of [their] resources." The decision is indicative of a government stance that avoids imposing penalties on organizations responding to ransomware attacks with best practices. The ICO writes that they "commend the British Library for being open and transparent about its system vulnerabilities that contributed to the incident, the impact it has had, and the improvements made so far to protect people’s personal information." 

Oligo Security has published a blog post describing their discovery of 23 vulnerabilities in the Apple AirPlay software development kit (SDK) and AirPlay Protocol. Oligo emphasizes the enormous number of potentially vulnerable devices, as these flaws affect iOS, iPadOS, macOS Sequoia, Sonoma, and Ventura, visionOS, watchOS, tvOS, and CarPlay, as well as tens of millions of "third-party devices that leverage the AirPlay SDK," such as speakers. Attackers could exploit these vulnerabilities to carry out attacks via shared wireless networks or peer-to-peer connections; two of the flaws are wormable zero-click RCE exploits that could allow attackers to "deploy malware that spreads to devices on any local network the infected device connects to." Possible attacks enabled by these flaws include "Remote Code Execution (RCE), Access Control List (ACL) and user interaction bypass, Local Arbitrary File Read, Sensitive Information Disclosure, Man-in-the-Middle (MITM) attacks, and Denial of Service (DoS) attacks." The researchers have dubbed the collection of chainable flaws and attack vectors "Airborne." Users are urged to update all devices to the latest software versions; Oligo also recommends disabling AirPlay Receiver, restricting AirPlay access via firewall rules, and restricting AirPlay settings to only allow AirPlay for "Current User."

Microsoft informed Daniel Wade, an independent security researcher, that he is not the first to express alarm that Windows Remote Desktop Protocol (RDP) allows logins using revoked passwords, an issue which Wade says "isn't just a bug. It's a Trust Breakdown" because users expect a password change to curb unauthorized access. Wade's report states that "even newer passwords may be ignored while older ones continue to function," bypassing cloud verification, MFA, and Conditional Access policies to allow persistent RDP access. Microsoft has been aware of the issue since 2023 and does not consider it a vulnerability, claiming it is "a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline." After RDP authenticates a user's first login online, the credential is then stored locally in an encrypted format and used to validate future logins. If a user changes their Microsoft or Azure password in the cloud, the cached encrypted local credential is not updated or removed, so the old password will still grant access to the machine. Will Dormann, senior vulnerability analyst at Analygence, believes that Microsoft's updated documentation notifying users of password caching is not adequate, and he notes that if a Microsoft or Azure account is compromised, "the only course of action is to configure RDP to authenticate against locally stored credentials only."

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, one each affecting Broadcom Brocade Fabric OS, Qualitia Active! Mail clients, and Commvault Web Servers. CVE-2025-1976, CVSS score 8.6, patched in Brocade Fabric OS 9.1.1d7, allows an attacker with admin privileges to “execute arbitrary code as if they had full root level access,” potentially executing existing commands or modifying the OS itself, due to a flaw in IP address validation. CVE-2025-42599, CVSS score 9.8, fixed in Qualitia Active! Mail 6 BuildInfo: 6.60.06008562, allows a remote unauthenticated attacker to execute arbitrary code or create a denial-of-service (DoS) condition by sending a specially crafted request, due to a stack-based buffer overflow vulnerability. CVE-2025-3928, CVSS score 8.7, fixed in Commvault software versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux, allows a remote unauthenticated attacker to compromise webservers by creating and executing webshells, due to an unspecified vulnerability. Commvault disclosed the zero-day exploitation in a March 7, 2025 advisory, stating that the attacker was a “suspected nation-state threat actor,” following up on April 27, 2025 to add that they are working with affected customers, and “there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services.” The update shares best practices and indicators of compromise (IoCs), and states that Commvault is working with the FBI and CISA while improving key rotation and monitoring rules.

SonicWall has updated two security advisories – one from 2024 and another from 2023 – to indicate that the vulnerabilities they address are now being actively exploited. Both advisories address multiple vulnerabilities in SonicWall SMA100 SSL-VPN. The flaw from the 2024 advisory (CVE-2024-38475) that is being exploited is a critical path traversal vulnerability that "allows an attacker to map URLs to file system locations that are permitted to be served by the server." The flaw from the 2023 advisory (CVE-2023-44221) that is being exploited is a high-severity post authentication OS command injection vulnerability that "allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user." The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-44221 to the Known Exploited Vulnerabilities (KEV) catalog on May 1 with a mitigation due date of May 22.

Following close on the heels of a cyberattack that has disrupted operations at British retailer Marks & Spencer, both the Co-op and Harrods have reported being targeted by cyberattacks. On Wednesday, April 30, the Co-op shut down portions of their IT systems after they detected an attempted intrusion, disrupting the company’s back office and call center. On Thursday, May 1, Harrods reported that they "recently experienced attempts to gain unauthorised access to some of [their] systems …[and they] have restricted internet access at [their] sites." These attacks come days after Marks & Spencer experienced an attack that has caused them to temporarily shut down operations of their online stores.

Google and Mozilla have released updates for their Chrome and Firefox browsers to address multiple vulnerabilities. Google released Chrome 136 to the stable channel; the newest version of Chrome addresses eight vulnerabilities, four of which were brought to Google’s attention by external researchers. Of those, one is rated high-severity; the other three are rated medium- and low-severity. Mozilla released Firefox 138, which addresses 11 vulnerabilities, four of which are rated high-severity.