FBI Warns Against Deepfakes Mimicking Gov't. Officials; Japan Passes Active Cyber Defense Law; UK Legal Aid Applicant's Data Stolen

The US Federal Bureau of Investigation (FBI) has published an alert warning that criminals are impersonating government officials in phony voice and text messages. The alert says that the campaign has been active since April of this year and appears to be targeting certain people, "many of whom are current or former senior US federal or state government officials and their contacts." The FBI offers advice for spotting fraudulent messages, which includes "independently identify[ing] a phone number for the person and call[ing] to verify their authenticity," as well as examining the message closely for elements that feel "off", such as spelling, grammar, tone, diction, and images.

Japanese legislators have passed a new Active Cyber Defense Law that allows the country to conduct offensive cyber operations in the hope of preempting cyberthreats. Japan tried to pass similar legislation in 2022, but it was voted down. The law allows the country's government "to analyze foreign internet traffic either entering the country or just transiting through it," but does not allow for the collection and analysis of domestic internet traffic. It also "explicitly allows law enforcement agencies to infiltrate and neutralize hostile servers before any malicious activity has taken place and to do so below the level of an armed attack against Japan, while the Self-Defence Forces will take responsibility for tackling particularly sophisticated incidents." The Active Cyber Defense Law is set to take effect in 2027.

On May 19, 2025 the UK government's Legal Aid Agency (LAA) posted a statement providing details and updated information on a cyberattack first reported almost two weeks prior. The attack was first discovered on April 23, 2025, and affected the agency's online digital services, which legal aid providers use to log work and receive government compensation. The LAA immediately took steps "to bolster the security of the system," also informing providers that data including financial information may have been compromised. After working with the National Crime Agency and the National Cyber Security Centre (NCSC), by May 16, 2025 the LAA determined that a threat actor "accessed and downloaded a significant amount of personal data from those who applied for legal aid through [LAA's] digital service since 2010," possibly including "contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments." For any legal aid applicants from within this time period, the LAA urges password changes and vigilance for suspicious communications, making certain the identity of correspondents can be independently verified. Jane Harbottle, Chief Executive Officer of the Legal Aid Agency, says the online service has been taken down, and "We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time." Gareth Mott, a research fellow at the Royal United Services Institute think tank and former lecturer in security and intelligence at the University of Kent, notes that those who have applied for legal aid and have now possibly had their data compromised may represent "some of the most vulnerable people in our society."

Mozilla has updated the Firefox browser to address a pair of critical vulnerabilities that were found last week during Pwn2Own Berlin 2025. CVE-2025-4918 is an out-of-bounds access issue in the JavaScript engine when resolving Promise objects; CVE-2025-4919 is an out-of-bounds access issue when optimizing linear sums. The flaws affect Firefox before 138.0.4 (including Firefox for Android); Firefox Extended Support Release (ESR) before 128.10.1; and Firefox ESR before 115.23.1.

The public website for Procolored printers was serving drivers infected with malware for at least six months. The issue was initially detected by Cameron Coward, who, while reviewing a Procolored printer, found that "if [he tried] to download the files from their website or unzip the files on the USB drive they gave [him, his] computer immediately quarantines them." When Coward notified the company, they maintained the results were false positives. Coward then sought help from security professionals through Reddit. Karsten Hahn, a researcher from GData, investigated the issue and determined that 39 software downloads available on Procolored's website were infected with two strains of malware: a backdoor and an infostealer. Procolored has since removed the downloads in question from their website.

On May 15, 2025 the US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability in Google Chrome to the Known Exploited Vulnerabilities (KEV) catalog, patched one day before in 136.0.7103.113/.114 for Windows and Mac, and in 136.0.7103.113 for Linux, with "knowledge" of the flaw in the wild known to Google at the time. CVE-2025-4664, CVSS score 4.3 but designated high severity by Google, allows a remote attacker to leak cross-origin data via a crafted HTML page due to insufficient policy enforcement in Google Chrome's Loader. Solidlab's Vsevolod Kokorin discovered the flaw, noting that "query parameters can contain sensitive data - for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource." Users should ensure Chrome is up to date with the patched versions in the Stable Desktop channel. Federal agencies have must patch by June 5.

The Alabama Governor's Office published a press release on May 12, 2025, announcing that the state's Office of Information Technology (OIT) is working with a third-party cybersecurity firm to investigate, secure systems, and restore services after a cyberattack detected on May 9, 2025. The initial press release urges citizens to exercise caution with any suspicious emails and states that "some state employee usernames and passwords were compromised," but that investigators do not believe personally identifiable information (PII) was involved in the breach. The OIT has posted a number of updates, stating that teams are "maintaining 24 hours-a-day, 7 days-a-week mitigation activities," working alongside executive-branch IT teams as well as two third-party firms, and that all executive-branch agencies will require a password reset for all employees. There have been no "major disruptions" to state services. A May 16, 2025 update declares "positive identification of the event's source" and a transition into remedial activity to defend against future threats, warning that websites and services may be intermittently disrupted by these protective measures, but "these disruptions should not be construed as nefarious and will be communicated in advance."

On May 14, 2025 the Brussels Court of Appeal ruled on a case between Interactive Advertising Bureau Europe (IAB Europe) and the Belgian Data Protection Authority (BE DPA) on the issue of IAB Europe's role in processing personal data online, establishing an important precedent regarding tracking in online advertising under the GDPR, according to Amnesty International. The case concerns IAB Europe's obligations around user preference data processed within the Transparency and Consent Framework (TCF), "a widespread mechanism that facilitates the management of users' preferences for online personalised advertising, and which plays a central role in what is known as Real Time Bidding (RTB)." IAB Europe contends that the decision does not rule the TCF illegal under the GDPR, but Amnesty International calls the case "a major win for the right to privacy and a clear message that the tech industry should move away from surveillance-based advertising."

In "open letter to all current, potential or aspiring suppliers to the NHS," the UK's National Health Service asks their vendors to sign the voluntary NHS Cyber Security Charter for Suppliers. Citing "the growing and ever-changing cyber security threat level that we collectively face," the NHS asks the suppliers to adopt certain cybersecurity practices, including ensuring that systems are kept current with available patches and updates; that systems are compliant with the NHS' Data Security and Protection Toolkit (DSPT); that networks and systems are protected with multi-factor authentication; that they keep "immutable backups" of their data; and that cyber incidents are promptly reported to business partners and regulators. NHS plans to release a self-assessment available this autumn," whereby suppliers can sign the charter." In a related story, information obtained from the UK government through the Freedom of Information Act indicates that two NHS cyberattacks in 2024 endangered patient safety.

An Alabama man was sentenced to 14 months in prison for his role in hacking into the X Account of the US Securities and Exchange Commission (SEC) and making fraudulent posts in the name of the then-SEC chairperson in an attempt to manipulate the value of Bitcoin. In early January 2024, Eric Council Jr. "conspired with others to ... execute a SIM swap of the mobile phone account associated with the @SECgov X account, the official account of the SEC." One of the co-conspirators then posted, falsely, that the SEC had approved Bitcoin Exchange Traded Funds, which temporarily caused an increase in the value of the cryptocurrency. Once the SEC regained control of the X Account and clarified the matter, the value of Bitcoin dropped. Council pleaded guilty to federal charges of conspiracy to commit aggravated identity theft and access device fraud earlier this year. He has also been ordered to forfeit $50,000.