Microsoft Previews Centralized Windows Update Platform; OneDrive Files Exposed by File Picker Flaw; Reset ASUS Routers to Fix Persistent Backdoor

Microsoft is previewing the Windows Update Orchestration Platform, which will allow third-party apps to update through Windows Update. According to the Windows IT Pro blog, "Built on the Windows Update stack, the orchestration platform aims to provide developers and product teams building apps and management tools with an API for onboarding their update(s) that supports the needs of their installers. The orchestrator will coordinate across all onboarded products that are updated on Windows 11, in addition to Windows Update, to provide IT admins and users with a consistent management plane and experience, respectively."

Researchers from Oasis have discovered a flaw in Microsoft's OneDrive File Picker that could be exploited to let websites access all of a user's OneDrive content. Oasis researchers say that the issue is due to excessive permissions and unsecurely stored secrets. The Oasis Research Team writes, "While users are prompted to provide consent before completing an upload, the promptÕs vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks." Oasis offers mitigation recommendations, including checking to see if you have granted access to vendors in the past, checking to see if websites use OneDrive File Picker, and in web applications, "temporarily remov[ing] the option to upload files using OneDrive through OAuth until Microsoft provides a secure alternative" and storing access tokens securely.

Since March, thousands of ASUS routers have been backdoored, creating a collection of compromised devices that could someday be used as a botnet. Researchers from GreyNoise have published an advisory describing the campaign. The backdoor is persistent, able to survive reboots and firmware updates. Those responsible for infecting the routers do so by exploiting vulnerabilities that have since been patched, though not all have been assigned CVEs. If a router is suspected to have been compromised, GreyNoise recommends performing a full factory reset and manual reconfiguration.

The US Federal Bureau of Investigation's (FBI's) Cyber Division has published a Private Industry Notification warning that a cyberthreat actor known as Silent Ransom Group (SRG) / Luna Moth / Chatty Spider / UNC3753 is targeting US law firms. Specifically, the threat actors are using callback phishing schemes and IT-related social engineering to gain access to the firms' networks. The threat actors do not encrypt data; instead, they demand a ransom not to leak or sell data they have stolen from the law firms' networks. The FBI's notification includes indicators of compromise as well as recommendations to improve cyber hygiene.

Researchers from DomainTools detected a malware campaign that used a phony Bitdefender website to spread malicious programs designed to steal sensitive information. Users' devices become infected after they click on a button on the fake Download for Windows website. Instead of downloading the file users are expecting, the site downloads a malicious executable that deploys a payload containing three malicious tools: VenomRAT, StormKitty, and SilentTrinity. According to DomainTools, "VenomRAT provides initial and ongoing access to victim machines; StormKitty quickly gathers credentials on the system; and SilentTrinity is used for exfiltration and stealthy long term access."

Mandiant researchers have uncovered a campaign that uses phony AI video generation websites to spread malware. The campaign, which has been active since at least the middle of 2024, comprises more than 30 websites that masquerade as well-known AI tools. The sites serve up malware that leads to machines becoming infected with information stealers and backdoors. Users generally visit the malicious sites by following links in advertisements on social media platforms. "Mandiant Threat Defense has observed UNC6032 compromises culminating in the exfiltration of login credentials, cookies, credit card data, and Facebook information through the Telegram API." Mandiant also points out that Morphisec published a write-up of a similar investigation earlier in May.

On Monday, May 26, 2025, MathWorks confirmed that the outages they had been reporting since May 18 were due to a ransomware attack. The incident affected both online applications used by customers and internal systems used by staff. MATLAB, which has more than five million users worldwide, "is a programming and numeric computing platform for engineering and scientific applications like data analysis, signal and image processing, control systems, wireless communications, and robotics. MATLAB includes a programming language, interactive apps, highly specialized libraries, and tools for automatically generating embedded code. MATLAB is also the foundation for Simulink¨, a block diagram environment for simulating complex multi-domain systems." As of May 29, MathWorks writes that they have brought some of the affected systems back online.

Two more retailers have reported cyber incidents. Adidas said that a breach of a third-party customer support partner resulted in the theft of some customer data. Adidas has begun notifying affected customers. The company has not provided details about the service provider, number of affected individuals, or when the incident was first detected. Adidas is based in Herzogenaurach, Bavaria, Germany. In a separate story, Victoria's Secret took down their US website on Wednesday, May 28, 2025, in the wake of what they say is a "security incident." While some of the Ohio-based company's in-store services are also unavailable, both Victoria's Secret and PINK stores remain open.

Google and Mozilla have both released updated versions of their flagship browsers, addressing a total of 21 vulnerabilities. Google has updated the stable channel for Chrome to version 137 for Windows, macOS, and Linux. The newest version of the browser includes fixes for 11 security issues, eight of which were detected by external researchers. Of those, two are rated high-severity: a use-after-free defect in Compositing (CVE-2025-5063) and an out-of-bounds write flaw in the V8 JavaScript engine (CVE-2025-5280). Firefox 139 addresses 10 security issues, including a critical double-free issue in libvpx encoder that does not have an assigned CVE.

Wisconsin-based telecommunications provider Cellcom says that calling and text-messaging services are nearly fully restored following a cyberattack that prompted the company to take its network offline in mid-May 2025. In a statement on their website, the company acknowledged that "some intermittent issues may still occur as systems continue to stabilize." In a Tuesday, May 27 filing with the US Securities and Exchange Commission (SEC), California-based medical device manufacturer Masimo provided additional information regarding a "cybersecurity-related incident." Specifically, Masimo "does not expect the cybersecurity-related incident reported under Item 8.01 of Form 8-K on May 6, 2025 ... to materially impact the Company's revenue for fiscal year 2025." Masimo expected that most of the costs incurred will be covered through their cyber insurance policy. Masimo also notes that they are operating "at near full capacity, and the Company's critical order-taking, distribution and shipping systems are fully operational." On Friday, May 23, Nova Scotia Power acknowledged that they experienced a ransomware attack. The company initially referred to a "cybersecurity incident" that resulted in the theft of customer data. Nova Scotia Power says they have not paid the ransom demand.