By the CyberWire staff
At a glance.
- British retailers hit by cyberattacks.
- Spain and Portugal rule out cyberattack as cause of power outage.
- Canadian power company hit by cyberattack.
- Apple patches zero-click RCE flaws affecting AirPlay.
- SAP patches maximum-severity zero-day flaw.
- Hundreds of Fortune 500 companies have unknowingly hired North Korean operatives.
- DHS Secretary calls for reauthorization of Cybersecurity Information Sharing Act.
British retailers hit by cyberattacks.
BleepingComputer reports that a disruptive cyberattack against British retailer Marks & Spencer (M&S) last Saturday was a ransomware attack launched by the Scattered Spider criminal group. BleepingComputer cites sources as saying the threat actors gained access after stealing M&S's Windows NTDS.dit file, which contains hashed passwords for Windows accounts. These hashes were then cracked, and the credentials were used to spread throughout the Windows domain. According to BleepingComputer's sources, the threat actors finally "deployed the DragonForce encryptor to VMware ESXi hosts on April 24th to encrypt virtual machines."
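The chain above starts with a copy of NTDS.dit leaving a domain controller, which is the stage a defender can most readily audit. The following is an added example (not code from BleepingComputer's sources or from M&S) that flags Windows Security events referencing NTDS.dit from anything other than the directory service itself; the event field names, the sample events and the `svc_backup` account are constructed for the demonstration.

```python
"""Flag Windows Security events that suggest NTDS.dit extraction.

Assumes events were already parsed into dicts with the fields below,
as a SIEM would present Security log events 4663 (file/object access)
and 4688 (process creation). Event 4663 for this file only fires if a
SACL auditing read access has been set on the NTDS folder.
"""
from typing import Dict, List

# Processes that legitimately hold NTDS.dit open on a domain controller.
LEGIT_NTDS_PROCESSES = {r"c:\windows\system32\lsass.exe"}


def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when a non-LSASS process opens NTDS.dit, or when a freshly
    created process names the file on its command line."""
    eid = ev.get("EventID")
    proc = ev.get("ProcessName", "").lower()
    if eid == "4663":
        obj = ev.get("ObjectName", "").lower()
        return obj.endswith("\\ntds.dit") and proc not in LEGIT_NTDS_PROCESSES
    if eid == "4688":
        return "ntds.dit" in ev.get("CommandLine", "").lower()
    return False


def flag_ntds_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "4663", "Computer": "DC01", "SubjectUserName": "DC01$",
     "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},            # normal DS activity
    {"EventID": "4663", "Computer": "DC01", "SubjectUserName": "svc_backup",
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},            # interactive read
    {"EventID": "4688", "Computer": "DC01", "SubjectUserName": "svc_backup",
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy C:\Windows\NTDS\ntds.dit C:\temp\n.dit"},
    {"EventID": "4688", "Computer": "WS07", "SubjectUserName": "alice",
     "ProcessName": r"C:\Program Files\App\app.exe",
     "CommandLine": "app.exe --sync"},                      # benign noise
]

if __name__ == "__main__":
    for hit in flag_ntds_access(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['SubjectUserName']} via "
              f"{hit['ProcessName']} (event {hit['EventID']})")
```

A single hit on a domain controller outside a known backup window is worth treating as credential-theft-in-progress, since the hashes in that file are what enabled the lateral movement described above.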
M&S hasn't shared details on the nature of the incident. Sky News reported that around 200 agency staff workers at the retailer's main distribution center have been told to stay home as M&S deals with the incident.
Separately, British supermarket chain Co-op has shut down parts of its IT network in response to an attempted attack, according to the BBC. The company said it took "proactive measures" against the attack, causing a "small impact" on its call center and back office.
Additionally, London luxury department store Harrods has "restricted internet access" at its locations following an attempted cyberattack, the BBC reports. The company says its flagship store remains open, and customers can still shop online.
The UK's National Cyber Security Centre (NCSC) chief executive Dr. Richard Horne said in a statement, "The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public. The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture." Horne added, "These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively."
Spain and Portugal rule out cyberattack as cause of power outage.
Authorities in Spain and Portugal have ruled out a cyberattack as the cause of a massive power outage that hit the Iberian Peninsula earlier this week, the BBC reports. The exact cause of the outage is still under investigation, but preliminary reports suggest transmission issues originating within Spain's power grid.
Canadian power company hit by cyberattack.
Halifax-based electric utility Nova Scotia Power and its parent company Emera have shut down parts of their IT networks while responding to a cyberattack, SecurityWeek reports. The attack disrupted the utility's customer care phone line and online portal, but did not affect physical operations.
The companies stated, "There remains no disruption to any of our Canadian physical operations, including at Nova Scotia Power’s generation, transmission, and distribution facilities, the Maritime Link or the Brunswick Pipeline, and the incident has not impacted the utility’s ability to safely and reliably serve customers in Nova Scotia. There has been no impact to Emera’s US or Caribbean utilities."
CBC News reports that the utility is only responding to emergencies and outages, leaving some new customers unable to turn their power on.
Apple patches zero-click RCE flaws affecting AirPlay.
Researchers at Oligo have discovered a set of zero-click remote code execution vulnerabilities affecting Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK). The vulnerabilities, dubbed "AirBorne," can be chained together "to potentially take control of devices that support AirPlay – including both Apple devices and third-party devices that leverage the AirPlay SDK." Apple fixed the flaws in a March 31st update, so users should ensure their devices are up-to-date.
Oligo notes that the vulnerabilities "can enable a variety of possible attack vectors, including Remote Code Execution (RCE), Access Control List (ACL) and user interaction bypass, Local Arbitrary File Read, Sensitive Information Disclosure, Man-in-the-Middle (MITM) attacks, and Denial of Service (DoS) attacks."
SAP patches maximum-severity zero-day flaw.
SAP has issued an out-of-band emergency patch for a maximum-severity RCE flaw (CVE-2025-31324) affecting its NetWeaver platform, BleepingComputer reports. ReliaQuest and Onapsis have both observed exploitation of the vulnerability. Onapsis states, "Exploitation happens via a POST request to the vulnerable component. Upon successful exploitation, threat actors are able to upload arbitrary files. Threat actors have been observed uploading web shells to vulnerable systems. These webshells allow the threat actor to execute arbitrary commands in system context, with the privileges of the <sid>adm Operating System user, giving them full access to all SAP Resources."
Hundreds of Fortune 500 companies have unknowingly hired North Korean operatives.
WIRED has published a report on North Korea's efforts to obtain remote IT positions at foreign companies, noting that these fraudulent workers are now using AI tools to cheat on coding tests and technical interviews. The threat actors are also using deepfake technology to bypass ID checks. The primary goal of these workers is to earn a salary for Pyongyang, though they also occasionally use their access to conduct espionage or launch financially motivated attacks.
Researchers at Mandiant and Google Cloud covered this same topic in a media briefing at RSAC 2025, CyberScoop reports. Mandiant Consulting CTO Charles Carmakal stated, "There are hundreds of Fortune 500 organizations that have hired these North Korean IT workers." Carmakal added, "Literally every Fortune 500 company has at least dozens, if not hundreds, of applications for North Korean IT workers. Nearly every CISO that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen."
DHS Secretary Noem calls for reauthorization of Cybersecurity Information Sharing Act.
In a keynote speech at the RSA Conference, US Secretary of Homeland Security Kristi Noem called on Congress to pass the Cybersecurity Information Sharing Extension Act, the Record reports. The bill was introduced last week by US Senators Gary Peters (Democrat of Michigan) and Mike Rounds (Republican of South Dakota), and would extend provisions signed into law through the 2015 Cybersecurity Information Sharing Act. The law offers protection from legal and regulatory punishment in order to encourage businesses to share information about cyber threats with the Federal government.