M&S and Qantas leaders remain mum on ransomware payments

M&S chairman says two other British companies' ransomware attacks have gone unreported, 5.7m customers impacted by Qantas attack, US sanctions DPRK man for IT worker scheme, DoJ seeks to bring COVID hacker to US, Rubio impersonated in AI voice effort, MSFT patches 137+ flaws, much more

Photo by Sasun Bughdaryan / Unsplash

Don't miss my latest CSO piece that examines how Trump's civilian cyber budget cuts for FY2026 could weaken federal defenses, shrink the cyber talent pipeline, and strip state and local governments of vital grant funding.


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.

If you can't commit to a subscription today, please consider donating whatever you can. Thank you!


Archie Norman, the chairman of UK department store Marks and Spencer, said that UK businesses should be legally required to report major cyberattacks, given that he claimed two hacks involving “large British companies” had gone unreported in recent months.

In evidence to MPs about the impact of the massive cyber-attack on M&S that forced it to close down its online store for almost seven weeks, Norman said the business was still in “rebuild mode”.

He said its key online clothing distribution center in Castle Donington in Leicestershire was still offline, adding: “It would not be an overstatement to describe [the attack] as traumatic” and “like an out-of-body experience”.

Norman told parliament’s business and trade subcommittee on economic security, arms and export controls that M&S had been quick to report the hack to the UK’s cyber watchdog, the National Cyber Security Centre (NCSC), which had helped other businesses protect themselves from hackers.

Norman said making reporting to the NCSC mandatory was “a very interesting idea” as “it is apparent to us quite a large number of serious cyber-attacks never get reported."

Norman said that M&S had been in touch with the US’s FBI intelligence and security service as well as the UK’s National Crime Agency and the Metropolitan police after the hack.

However, Norman declined to tell a panel of lawmakers whether the company paid the hackers following a ransomware attack earlier this year. This sort of non-response has become known in the cybersecurity community as a tacit admission of paying ransom to the attackers.

“We’ve said that we are not discussing any of the details of our interaction with the threat actor,” said chairman Archie Norman, referring to the ransom payment. “We don’t think it’s in the public interest to go into that subject, partly because it is a matter of law enforcement.”

Norman said that “nobody” at Marks & Spencer interacted directly with the cybercriminals behind the attack, which he attributed to the ransomware gang DragonForce. (Sarah Butler / The Guardian and Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Financial Times, Reuters, Silicon Republic, Ars Technica, Telegraph, The Times, Bloomberg, Mirror, Yahoo Finance, The Grocer, The Independent, Computer Weekly, Bleeping Computer, The Sun, Infosecurity Magazine

Vanessa Hudson, the boss of Qantas, would not confirm or deny if the company has been asked to pay a ransom, after the airline put the number of customers impacted by last week's cyber attack at 5.7 million.

In an interview with ABC's The Business, Hudson said she could not comment further on demands for money or what the company's policy was regarding payment of ransom demands. Cybersecurity professionals generally consider non-denials of ransom payments as tacit admissions of payment.

"We have confirmed that we have received contact from somebody purporting to be the criminal actor in this instance," Hudson said.

"But what we are also saying is, this is the subject of a criminal investigation and the AFP are leading that, and we are not going to make any more comments about that."

Hudson said Qantas had "immediately improved and enhanced controls" in the wake of the cyber attack and would "learn from" the incident. (Stephanie Chalmers / ABC.net.au)

Related: Qantas News Room, 9News, Sydney Morning Herald, Bloomberg, Reuters, APA.AZ, ABC, Australian Financial Review, The Daily Hodl, ABC, Sydney Morning Herald, r/australia, RNZ, KarryOn, Cyber Daily, APA, The Economic Times, Al Arabiya, The New Zealand Herald

The US Treasury Department announced it has sanctioned a North Korean man, Song Kum Hyok, for participating in the widespread IT worker scheme that allegedly benefits the government of North Korea.

It’s the second time in as many weeks that federal authorities have taken action against people they say are associated with the IT worker scam, which benefits the illicit aims of the Democratic People’s Republic of Korea, following last week’s arrests, indictments, and seizures.

Treasury’s Office of Foreign Assets Control levied the sanctions against Song Kum Hyok, whom it said was associated with the North Korea government-linked hacking group Andariel, also known as Onyx Sleet. That hacker outfit is thought to be a subset of the umbrella Lazarus Group.

Treasury also levied sanctions against Gayk Asatryan, a Russian man whom the department said used his Russia-based companies to employ North Korean IT workers.

Treasury additionally sanctioned four companies, two of which belong to Asatryan: Songkwang Trading, which the agency said had signed a deal with Asatryan to dispatch 30 IT workers to his company Asatryan LLC, and Saenal Trading, which signed a deal to dispatch 50 IT workers to his company Fortuna LLC. (Tim Starks / Cyberscoop)

Related: Treasury Department, State Department, NK News, CBS News, CryptoRank, UPI, The Record, CoinDesk, South China Morning Post, The Straits Times, RBC-Ukraine

Government sources and a State Department cable say an impostor pretending to be Secretary of State Marco Rubio contacted foreign ministers, a US governor, and a member of Congress by sending them voice and text messages that mimic Rubio’s voice and writing style using artificial intelligence-powered software.

Authorities do not know who is behind the string of impersonation attempts, but they believe the culprit was probably attempting to manipulate powerful government officials “with the goal of gaining access to information or accounts,” according to a cable sent by Rubio’s office to State Department employees.

Using both text messaging and the encrypted messaging app Signal, which the Trump administration uses extensively, the impostor “contacted at least five non-Department individuals, including three foreign ministers, a U.S. governor, and a U.S. member of Congress,” said the cable, dated July 3.

The impersonation campaign began in mid-June when the impostor created a Signal account using the display name “Marco.Rubio@state.gov” to contact unsuspecting foreign and domestic diplomats and politicians, said the cable. The display name is not his real email address.

“The actor left voicemails on Signal for at least two targeted individuals and in one instance, sent a text message inviting the individual to communicate on Signal,” said the cable. It also noted that other State Department personnel were impersonated using email.

When asked about the cable, the State Department responded that it would “carry out a thorough investigation and continue to implement safeguards to prevent this from happening in the future.” Officials declined to discuss the contents of the messages or the names of the diplomats and officials who were targeted. (John Hudson and Hannah Natanson / The Washington Post)

Related: Forbes, Associated Press, Time, CNN, The Guardian, UPI, MSNBC, The Overspill, Biometric Update, Benzinga, SiliconANGLE, USA Today, Agence France-Presse, Newser, Financial Times, Daily Kos, Washington Examiner, NBC News, Breitbart, GovTech, Axios, Bloomberg, New York Times, r/singularity, r/technology, r/geopolitics, r/artificial, r/neoliberal, r/politics

In this month's Patch Tuesday updates, Microsoft issued fixes for at least 137 security vulnerabilities in its Windows operating systems and supported software.

None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.

While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.

CVE-2025-47981, a vulnerability with a CVSS score of 9.8, is a remote code execution bug in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. This pre-authentication vulnerability affects any Windows client machine running Windows 10 1607 or above, and all current versions of Windows Server. Microsoft considers it more likely that attackers will exploit this flaw.

Microsoft also patched at least four critical, remote code execution flaws in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane.

Two more high-severity bugs include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by Microsoft Defender SmartScreen, a built-in feature of Windows that tries to block untrusted downloads and malicious sites. (Brian Krebs / Krebs on Security)

Related: Microsoft Threat Intelligence, Cyber Security News, CSO Online, SANS Internet Storm Center, Security Week, Daily Security Review, Talos Intel, CERT Recently Published Vulnerability Notes, Reddit cybersecurity, Dark Reading, Tenable Blog, The Cyber Express, Qualys Blog, Crowdstrike, Zero Day Initiative - Blog, Cyber Kendra, AndroidHeadlines.com, SC Media, Cyberscoop, Security Affairs, CyberInsider, Redmond Magazine, Daily Security Review, Bleeping Computer, ITSEC News, GBHackers On Security, Techzine, IT Wire, Ask Woody

“He is one of the first hackers linked to Chinese intelligence services to be captured by the FBI,” the FBI’s Houston field office posted on X.

The arrest sets up an extradition battle that could put pressure on the Italian government, which has sought to court US President Donald Trump while also maintaining good relations with China, a significant trading partner. (Sean Lyngaas and Antonia Mortensen / CNN)

Related: Justice Department, Texas Border Business, Cyberscoop, TechCrunch, Houston Chronicle, Reuters, HackRead, NBC News

Journalists from WDR, NDR, and Süddeutsche Zeitung have learned from unofficial sources that two suppliers of the Bundeswehr, the German armed forces, have recently been hit by severe cyberattacks, with evidence pointing to Russian hackers as the culprits.

In mid-June, a Hessian company that provides satellite-based communications services to the Bundeswehr fell victim to a cyberattack, believed to be a ransomware attack, that was initially considered to be a leak of classified information.

However, operational information was likely also affected, potentially endangering the security of Bundeswehr missions, since satellite communications may also have been compromised. The Bundeswehr now assumes, though, that the damage is likely to be limited.

In another cyber incident, an engineering firm in Lower Saxony was reportedly attacked by hackers. The company is contracted to build facilities for the Bundeswehr's Operational Command and is tasked, among other things, with implementing specifications from the classified "Operations Plan Germany."

This document regulates national and alliance defense, particularly the deployment and relocation of troops within the Federal Republic in times of tension or war.

It is unknown whether the hackers stole this secret information. In any case, authorities assume that the attackers originate from the Russian cybercrime scene. To what extent the attack has a purely criminal motive remains unclear. (Manuel Bewarder and Florian Flade / Tagesschau)

Related: Caliber, RBC-Ukraine

A US federal appeals court on Tuesday ruled that a district court erred when it dismissed a lawsuit filed by a group of Salvadoran investigative journalists against spyware maker NSO Group whose product was allegedly used against them.

In March 2024, a California federal judge threw out a 2022 lawsuit filed by Carlos Dada and other journalists at El Faro, saying their case was “entirely foreign” and they therefore had no standing to sue in the US.

El Faro was investigating the Salvadoran government when Israel-based NSO Group’s powerful Pegasus spyware was installed on phones belonging to Dada and 21 other El Faro staffers, according to digital forensic researchers who pinpointed the timing of the attacks and diagnosed the infections.

Between June 2020 and November 2021, Pegasus was deployed on devices belonging to El Faro journalists at least 226 times, according to the Knight First Amendment Institute, which is representing Dada.

Dada filed an appeal, which led to the decision vacating the district court’s earlier ruling.

The appellate court sent the case back to the lower court for further consideration, saying it had “abused its discretion” and improperly applied the law when deciding Dada and his colleagues had no right to sue in US courts. (Suzanne Smalley / The Record)

Related: Knight First Amendment Institute, Cyberscoop

Personal information belonging to customers of UK bookmaker Paddy Power and Betfair has been compromised in a data breach.

According to a statement from Flutter, no passwords, identification documents, or payment details were acquired in the breach.  

However, in emails sent to customers that have been posted on social media, Flutter has outlined that details such as usernames, emails, contact information, the first line of their address, and their town or city could have been taken. 

While reassuring customers that it is "not aware" their personal information has been misused, the bookmaking giant has warned them to be vigilant.

A Flutter spokesman said: “We can confirm that our Paddy Power and Betfair businesses have suffered a data incident involving personal information for some of our customers.”

The data breach at Betfair and Paddy Power comes just a month after the British Horseracing Authority was hit by a cyber attack that impacted its internal systems and data. (Peter Scargill / Racing Post)

Related: CDC Gaming, EGR Global, iGaming Today, SBC News, CasinoBeats, iGB, Next.io, Newsnet5, Gambling News

Based on their analysis of leaked datasets, researchers at SpyCloud say the Chinese nation-state threat actor tracked as Salt Typhoon is operated by a clutch of private hacking firms whose clients include multiple Chinese government agencies.

The firm spotted datasets sold on criminal forums in May that appear to have originated inside China's hack-for-hire ecosystem, a network of companies that take direct tasking orders from intelligence agencies and that also hack on spec in the hopes of later selling access or stolen data to the government.

The data included IP addresses of routers attacked by Salt Typhoon, employee details such as names, and internal chat logs. They also contained contracts, such as one between a Beijing hacking firm and a military supplier to the People's Liberation Army.

The identity protection company said it verified the authenticity of the leak by cross-referencing the personal information and matching it to real individuals in China. "Some of the listed router usernames correspond with actual Chinese internet service providers," SpyCloud researchers said. (Akshaya Asokan / GovInfoSecurity)

Related: SpyCloud

Source: SpyCloud.

Researchers at Threat Fabric report that the Anatsa banking trojan has sneaked into Google Play once more via an app posing as a PDF viewer that counted more than 50,000 downloads.

The malware becomes active on the device immediately after installing the app, tracking users launching North American banking apps and serving them an overlay that allows accessing the account, keylogging, or automating transactions.

Anatsa shows users a fake message when they open the targeted apps, informing them of a scheduled banking system maintenance.

The notification is displayed on top of the banking app’s UI, obscuring the malware’s activity in the background and preventing victims from contacting their bank or checking their accounts for unauthorized transactions.

Threat Fabric reported the latest campaign to Google, which said that all of the identified malicious apps had been removed. (Bill Toulas / Bleeping Computer)

Related: ThreatFabric B.V., The Record, Tom's Guide, Forbes, PCMag, Cyber Security News

A malicious app posing as a PDF viewer. Source: ThreatFabric.

A team of security researchers at TU Wien and the University of Bayreuth developed a novel tapjacking technique they call TapTrap that can exploit user interface animations to bypass Android's permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device.

Unlike traditional, overlay-based tapjacking, TapTrap attacks work even with zero-permission apps to launch a harmless transparent activity on top of a malicious one, a behavior that remains unmitigated in Android 15 and 16.

TapTrap abuses the way Android handles activity transitions with custom animations to create a visual mismatch between what the user sees and what the device registers.

A malicious app installed on the target device launches a sensitive system screen (permission prompt, system setting, etc.) from another app using ‘startActivity()’ with a custom low-opacity animation.

“The key to TapTrap is using an animation that renders the target activity nearly invisible,” the researchers say on a website that explains the attack.

“This can be achieved by defining a custom animation with both the starting and ending opacity (alpha) set to a low value, such as 0.01,” thus making the malicious or risky activity almost completely transparent.

“Optionally, a scale animation can be applied to zoom into a specific UI element (e.g., a permission button), making it occupy the full screen and increasing the chance the user will tap it.”

The researchers will be presenting their work next month at the USENIX Security Symposium. (Bill Toulas / Bleeping Computer)

Related: TapTrap, TapTrap

TapTrap overview. Source: taptrap.click.
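The TapTrap description above hinges on two resource-level signals a reviewer can look for when vetting an app: an activity-transition animation whose start and end opacity are both near zero (the target activity is never actually visible), optionally paired with a large scale animation that blows one UI element up to fill the screen. The following is an added example, not code from the TapTrap researchers, the article, or any Android tooling: a small Python heuristic that scans Android animation resource XML (tween `<alpha>`/`<scale>` elements and `objectAnimator` entries targeting `alpha`) and flags those patterns. The thresholds, the function names, and the three inline sample resources are constructed for illustration; a real review pipeline would run this over the decoded `res/anim/` and `res/animator/` directories of an APK.

```python
"""Heuristic scan of Android animation resources for TapTrap-style transparency.

Added example for app-review / defensive triage. Not the researchers' code.
Thresholds and sample resources below are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ALPHA_THRESHOLD = 0.05   # assumption: a window held at <= 5% opacity is never really visible
SCALE_THRESHOLD = 3.0    # assumption: zooming a view by more than 3x is worth a look


def _attr_float(el, name, default):
    """Read an android:<name> attribute as a float, tolerating a missing value
    and the optional trailing 'f' Android accepts on float literals."""
    raw = el.get(ANDROID_NS + name)
    if raw is None:
        return default
    return float(raw.rstrip("f"))


def scan_animation_xml(xml_text, resource_name="<inline>"):
    """Return a list of human-readable findings for one animation resource.

    Flags (1) <alpha> tweens or objectAnimators on 'alpha' whose start and end
    values both stay at or below ALPHA_THRESHOLD, i.e. the animated activity is
    kept effectively invisible for the whole transition, and (2) <scale> tweens
    that enlarge a view beyond SCALE_THRESHOLD, the companion trick the article
    describes for making a single button fill the screen.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag == "alpha":
            start = _attr_float(el, "fromAlpha", 1.0)
            end = _attr_float(el, "toAlpha", 1.0)
        elif el.tag == "objectAnimator" and el.get(ANDROID_NS + "propertyName") == "alpha":
            start = _attr_float(el, "valueFrom", 1.0)
            end = _attr_float(el, "valueTo", 1.0)
        elif el.tag == "scale":
            factor = max(_attr_float(el, "toXScale", 1.0), _attr_float(el, "toYScale", 1.0))
            if factor > SCALE_THRESHOLD:
                findings.append(f"{resource_name}: scale animation enlarges view to {factor:.1f}x")
            continue
        else:
            continue
        if start <= ALPHA_THRESHOLD and end <= ALPHA_THRESHOLD:
            findings.append(
                f"{resource_name}: alpha stays at {start}->{end}, "
                "animated activity is effectively invisible throughout")
    return findings


def scan_all(resources):
    """Scan a mapping of resource name -> XML text; return only the flagged ones."""
    report = {}
    for name, xml_text in resources.items():
        hits = scan_animation_xml(xml_text, name)
        if hits:
            report[name] = hits
    return report


# Constructed sample resources (not taken from any real app).
SAMPLE_RESOURCES = {
    # Ordinary fade-in: starts invisible but ends fully opaque, so not flagged.
    "fade_in": """<alpha xmlns:android="http://schemas.android.com/apk/res/android"
        android:fromAlpha="0.0" android:toAlpha="1.0" android:duration="300"/>""",
    # Near-zero opacity for the whole transition plus a 6x zoom: both flagged.
    "near_invisible_zoom": """<set xmlns:android="http://schemas.android.com/apk/res/android">
        <alpha android:fromAlpha="0.01" android:toAlpha="0.01" android:duration="6000"/>
        <scale android:fromXScale="1.0" android:toXScale="6.0"
               android:fromYScale="1.0" android:toYScale="6.0"
               android:pivotX="50%" android:pivotY="50%" android:duration="6000"/>
    </set>""",
    # Property animator that keeps alpha near zero: flagged.
    "invisible_animator": """<objectAnimator xmlns:android="http://schemas.android.com/apk/res/android"
        android:propertyName="alpha" android:valueFrom="0.01" android:valueTo="0.0"
        android:duration="4000"/>""",
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_RESOURCES).items():
        for hit in hits:
            print(hit)
```

The heuristic is deliberately narrow: it looks only at resource-defined animations, so it will not catch an app that builds the same animation programmatically, and a legitimate app can have a near-transparent transition for benign reasons. Treat a hit as a prompt for manual review of where the animation is used, not as a verdict.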

IBM announced a new line of data center chips and servers that it says will be more power-efficient than rivals and will simplify the process of rolling out artificial intelligence in business operations and improve security and reliability.

IBM introduced its new Power11 chips, marking its first major update to its "Power" line of chips since 2020.

Tom McPherson, general manager of Power Systems at IBM, said the company used a tight coupling of chips and software to focus on reliability and security.

The Power11 systems, available from July 25, will not need any planned downtime for software updates, and their unplanned downtime each year averages just over 30 seconds. They are also designed to detect and respond within a minute to a ransomware attack. (Stephen Nellis / Reuters)

Related: IBM, CRN, Proactive, Benzinga, Yahoo Finance, Phoronix, Wall Street Pit, HPCwire, Fierce Network, StorageReview.com, Help Net Security

Government employees working for the county of Gloucester in Virginia had Social Security numbers and other sensitive data stolen during a ransomware attack in April.

The county sent 3,527 current and former employees notices warning that their personal information was accessed by hackers who breached county systems on April 22.

In addition to Social Security numbers, names, driver’s license numbers, bank account information, health insurance numbers, and medical information were also stolen during the incident.

Carol Steele, the county’s administrator, said they hired cybersecurity experts to help with the recovery and notified the FBI’s Cyber Crimes Division as well as the Cyber Fusion Center of the Virginia State Police. 

The county published warnings on April 22 and April 23 that it was experiencing network disruptions, but never provided an update after that. Steele said they are “continuing to monitor the impact of a recent cybersecurity incident.”

The letters confirm that the county dealt with a ransomware attack but do not name the group behind the incident. The BlackSuit ransomware gang said it was behind the attack on May 15, writing in a dark web post that the county refused to negotiate a ransom. (Jonathan Greig / The Record)

Related: Gloucester County, SC Media, GovTech

Best Thing of the Day: Mothers, Don't Let Your Children Grow Up to Become Phone Addicts

Teachers in Monmouthshire in the UK are urging parents not to give their children smartphones until they're at least 14 amid fears some were using devices for eight hours a day.

Worst Thing of the Day: Meta Has Some Explaining to Do

Instagram users are reporting the "extreme stress" of having their accounts banned after being wrongly accused by the platform of breaching its rules on child sexual exploitation.

Bonus Worst Thing of the Day: We Love It When the Inevitable Happens

The AI chatbot Grok, which Elon Musk’s xAI produces, wrote numerous antisemitic social media posts yesterday after the artificial intelligence company released a revamped version of it over the weekend that steered it toward more right-wing answers.

Closing Thought
