UK Gov't. to Replace SMS Verification with Passkeys; DDoS-for-Hire Service Suspects Arrested; PowerSchool Paid Ransom, but Extortion Continues; US DOD Software Fast Track Initiative

The UK government plans to roll out passkeys for digital services later this year. The technology will replace SMS-based verification. As described by the National Cyber Security Centre, "Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user's identity without needing to send a code to a secondary device or to receive user input." The shift to passkeys will not only be cost effective, but also expected to improve security.

Polish law enforcement authorities have arrested four individuals with alleged ties to a distributed denial-of-service (DDoS)-services-for-hire operation, also known as stresser or booter services. The suspects are believed to be responsible for six such services that were used to conduct attacks against schools, government agencies, private companies, and other organizations. The law enforcement operation involved authorities in four countries Ð Poland, Germany, the Netherlands, and the US Ð with support from Europol.

Cloud-based education software provider PowerSchool stated in communication with BleepingComputer that "a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident." The company's Student Information System (SIS) was breached using a compromised support credential as early as August 2024, and in December 2024 a threat actor stole data including personally identifiable information (PII) belonging to tens of millions of current and former students, teachers, and parents and guardians. PowerSchool has reported the extortion attempts to law enforcement in the US and Canada, and says, "[we] are working closely with our customers to support them," additionally offering two years of free credit monitoring and identity protection. The company also confirmed that they paid a ransom following the discovery of the breach, stating, "We thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us."

A US Department of Defense press release notes that "Current systems for software procurement were developed for a different environment and using processes that are outdated and slow, with little to no supply chain visibility." In light of these issues, DoD has announced the development of the Software Fast Track (SWFT) Initiative, which "will define clear, specific cybersecurity and Supply Chain Risk Management (SCRM) requirements; rigorous software security verification processes; secure information sharing mechanisms; and federal government-led risk determinations to expedite the cybersecurity authorizations for rapid software adoption." DoD has made three related Requests for Information (RFI); they expect to have the plan ready within 90 days.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw to the Known Exploited Vulnerabilities (KEV) catalog: a critical vulnerability in Langflow, an open-source web-based tool for developing AI application workflows using components such as agents, data sources, LLMs, and prompts. CVE-2025-3248, CVSS score 9.8, would allow a remote unauthenticated attacker to execute arbitrary code by sending crafted HTTP requests, due to the /api/v1/validate/code endpoint being susceptible to code injection. This flaw was fixed in Langflow 1.3.0 on April 1, 2025, but users should update to the latest version, currently 1.4.0, released May 6, 2025. Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute, wrote in an Internet Storm Center diary on April 12, 2025: "The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and provide proof of concept exploit. Horizon3 published its blog on April 9th. We saw a first hit to the vulnerable URL ... on April 10th. Today (April 12th), we saw a significant increase in hits for this URL." Horizon3 notes that the 1.3.0 patch "puts the vulnerable endpoint behind authentication"; the researchers recommend restricting network access to Langflow, and if a recently developed AI tool must be exposed to the internet, "consider putting it an isolated VPC and/or behind SSO."

In the May 2025 Android Security Bulletin, Google announced fixes for 46 vulnerabilities, including a high-severity flaw in the FreeType open-source font rendering library affecting versions 2.13.0 and below, which was first found exploited in the wild and disclosed by Facebook on March 13, 2025. CVE-2025-27363, CVSS score 8.1, allows a user to execute arbitrary code when too small of a heap buffer is allocated when attempting to parse font subglyph structures related to TrueType GX and variable font files, leading to up to six signed long integers being written out of bounds relative to the buffer. Google's bulletin notes that code execution could occur "with no additional execution privileges needed," and that "user interaction is not needed for exploitation," also confirming indications that the flaw is under "limited, targeted exploitation." FreeType patched the vulnerability as of version 2.13.3, and users should update devices to the latest version of Android. On May 6, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to the Known Exploited Vulnerabilities (KEV) catalog; federal agencies must patch by May 27, 2025.

The US Federal Bureau of Investigation (FBI) has published a Public Service Announcement warning that cybercriminals are installing proxy services on vulnerable end-of-life routers and using the compromised devices to disguise their identities while conducting illegal activity. The FBI published a second related document that lists indicators of compromise (IoCs) and tactics, techniques, and procedures associated with cybercriminal groups that have been known to exploit these unsupported routers.

The US Cybersecurity and Infrastructure Security Agency has published an alert jointly with the FBI warning of "unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems." The notice emphasizes the threats of defacement, interference with configuration, operational disruption, and even physical damage, despite the simplicity of the intrusion techniques. Many systems are at risk due to poor cyber hygiene and exposed assets, and CISA refers critical infrastructure asset owners and operators to a fact sheet of mitigations authored by CISA, the FBI, the Environmental Protection Agency (EPA), and the Department of Energy (DOE). Expert commentary throughout journalistic coverage of this alert unanimously stresses the widespread danger of negligent security practices, cautioning against default credential use, unsecure remote access, and vulnerable third-party and support access, among other issues. The joint guidance on mitigation recommends owners and operators disconnect OT from the public internet; change default passwords to strong, unique passwords; strengthen security of remote access, documenting and configuring the process; segment IT and OT networks; and "practice and maintain the ability to operate OT systems manually" in the event of an incident.

In a May 6 filing with the US Securities and Exchange Commission (SEC), California-based medical device manufacturer Masimo has disclosed a cybersecurity incident that has disrupted the company's operations and interfered with their ability to process and fill customer orders. Masimo detected the unauthorized activity on their network on April 27, 2025, and took steps to contain the incident, "including proactively isolating impacted systems." Masimo makes patient monitoring devices, including "pulse oximeters, brain function monitors, hemodynamic monitoring systems, capnography and gas monitoring solutions, and remote patient monitoring platforms."

The UK government's Legal Aid Agency (LAA) has sent a letter notifying law firms of a "security incident." The letter states that the LAA cannot yet confirm whether information was accessed and if so what type was accessed, but warns legal offices that "it is possible that financial information relating to legal aid providers may have been accessed by a third party"; investigation is ongoing, and "action has been taken to mitigate the incident." Officers from the UK National Crime Agency are working with the National Cyber Security Centre and the Ministry of Justice (of which the LAA is an executive agency) to investigate and provide support. The LAA makes legal aid services available to the general public, funds the Civil Legal Advice service, publishes statistical information on legal aid, and runs the Public Defender Service, employing approximately 1,250 staff in England and Wales.

South African Airways (SAA) is investigating a cyber incident that "temporarily disrupted access to the airline's website, mobile application, and several internal operational systems," according to a company statement. SAA says they have successfully contained the incident, which began on Saturday, May 3. The company has brought in third-party forensic investigators to help them determine how the attackers gained access to their network and what data and systems were affected.