watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover…

watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover and session hijacking. Learn about affected models, available patches, and CISA’s urgent warning.

Cybersecurity researchers at watchTowr have spotted malicious threat actors actively leveraging known security vulnerabilities in SonicWall’s widely used SMA 100 (Secure Mobile Access) appliances.

This discovery, documented in their latest blog post shared with Hackread.com, reveals how attackers are combining two specific vulnerabilities to potentially gain complete administrative control over these devices.

Evidence suggests these techniques are already being employed in real-world attacks, making immediate awareness and action critical for affected businesses. The investigation started after clients reported unusual activity on the SonicWall system, leading to the discovery of a vulnerability in the Apache web server software tracked as CVE-2024-38475, discovered by Orange Tsai. The flaw allows unauthorized file reading, and its presence in the SonicWall configuration makes the appliance vulnerable.

The second critical vulnerability, CVE-2023-44221, is a command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd. This weakness allows an attacker who has already gained some level of access to execute their own commands on the affected system.

The combination of these two vulnerabilities is particularly concerning. The file read vulnerability (CVE-2024-38475) can be used to extract sensitive information, such as administrator session tokens, effectively bypassing the need for login credentials. Once this initial foothold is established, the command injection vulnerability (CVE-2023-44221) can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise.

The vulnerabilities affect the SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The blog post reveals the technical steps involved, including exploiting the Apache “Filename Confusion” and “DocumentRoot Confusion,” and accessing sensitive files like the session database.

Researchers even demonstrated how to overcome challenges in reliably extracting this data by using techniques like requesting the file in chunks to exploit the command injection flaw, and even bypass initial attempts at security measures implemented in the SonicWall software.

In their report, watchTowr researchers note that these vulnerabilities could be chained together to achieve a complete system takeover. Reportedly, CVE-2023-44221 was patched in December 2023 (firmware version 10.2.1.10-62sv and higher), and CVE-2024-38475 was patched in December 2024 (firmware version 10.2.1.14-75sv and higher).

WatchTowr has also developed a tool (Detection Artefact Generator) to detect and exploit vulnerabilities. This tool can help organizations assess their risk, implement necessary patches, and secure measures

The fact that CISA added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue on May 1, 2025, and mandated federal agencies to apply the patches by May 22, 2025, highlights the urgency of the situation. That’s why it is crucial to promptly address them in critical edge devices like the SonicWall SMA100.

watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices

Fake Qantas emails in a sophisticated phishing scam steal credit card and personal info from Australians, bypassing major…

Fake Qantas emails in a sophisticated phishing scam steal credit card and personal info from Australians, bypassing major email security filters.

Australian airline Qantas is being targeted by criminals with fake emails claiming to be from the airline. Security experts at Cofense Intelligence, who discovered this attack, found that these convincing emails trick users into giving away their credit card information and personal information like phone numbers and addresses.

These fake Qantas emails mimic real marketing emails, using the same colours, and layout as real ones and “with appropriate branding and functional links.” One clever trick the criminals used was to include an “unsubscribe” link in the emails, just like real marketing emails do.

However, the links in the fake emails didn’t go to Qantas’s official website. Instead, they went to other websites. Experts believe the criminals might have used these fake unsubscribe links to see which email addresses were real and active.

Interestingly, according to Cofense’s report, the fake emails mentioned that Qantas was celebrating its 103rd anniversary. However, Qantas’s 103rd anniversary was actually in 2023, two years ago. This was one of the few mistakes in the otherwise very convincing emails.

Source: Cofense Intelligence

The emails tricked people into clicking on links to fake websites, often containing the phrase “auth/auhs1” followed by random words related to Qantas or coupons. These websites generally disappeared within a day and asked for personal information in a multi-step process, including name, phone number, email address, and home address. This collected contact information, along with the date of birth, could be used for targeted scams or password guessing.

These fake websites allegedly attempted to set up multi-factor authentication after a user entered their credit card information, but this failed. Experts believe that this extra step was added to deceive victims into believing there was a problem with their end rather than the website.

Researchers observed that cybercriminals behind this campaign seemed to be particularly targeting people in Australia. Even though some people in the United States also received these emails, the offers were in Australian dollars, and Qantas is based in Australia.

This suggests the attackers preferred Australian victims. Moreover, they highlighted that the campaign successfully bypassed multiple Secure Email Gateways (SEGs), including Microsoft APT, Proofpoint, and Mimecast, indicating a sophisticated approach by the attackers.

This campaign started around February 2025 but seemed to slow down in mid-March 2025. It shows how criminals are constantly trying new and sophisticated ways to trick people online, making it important for everyone to be very careful about the emails they receive and the websites they visit.

Phishing Emails Impersonating Qantas Target Credit Card Info

Plus: France blames Russia for a series of cyberattacks, the US is taking steps to crack down on a gray market allegedly used by scammers, and Microsoft pushes the password one step closer to death.

Researchers unveiled a cluster of vulnerabilities in Apple’s wireless media streaming platform AirPlay this week that leave millions of third-party devices like speakers and TVs vulnerable to takeover if an attacker is on the same Wi-Fi network as the victim gadget. These “AirBorne” vulnerabilities have all been patched—including some that potentially impacted Apple’s Mac computers—but, in practice, third-party devices may not all get fixes, and even if they do, patch adoption could be low.

Records reviewed by WIRED show that utilizing car subscription features can substantially raise your risk of being subjected to government surveillance, because such services generate troves of data that are valuable to law enforcement. WIRED also did a deep dive on North Korea’s yearslong campaign to place IT workers inside companies in North American, the United Kingdom, and Europe. The schemes are more effective than ever as scammers incorporate AI into their workflows.

WhatsApp designed a special cloud processing platform called Private Processing to allow new AI tools to work in the secure messenger without compromising its end-to-end encryption. Experts warn, though, that it could create enticing targets for hackers. And we have a guide for navigating the privacy risks of using ChatGPT’s new image generator to do seemingly fun and innocuous projects like making an action figure version of yourself.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Three British Retailers Hacked in Spate of Cyberattacks**

Three separate retailers in the UK—including the supermarket Co-op and thedepartment stores Marks & Spencer and Harrods—have all revealed they have recently been subject to cyberattacks, with the intrusions and widespread impact seemingly ongoing. Toward the end of April, Marks & Spencer revealed it had been the victim of a “cyber incident.” Over the following two weeks, it has been forced to pause online orders within its apps, some food has been missing from its shelves, and it has paused recruitment and other “normal processes.” Staff at Co-op have been told to keep webcams turned on during remote meetings and check who is attending calls, after shutting down parts of its IT systems in response to its own hack. Harrods, meanwhile, told customers to “not do anything differently at this point.”

At the time of writing, none of the retailers have detailed the specific nature of the cyberattacks or the full scale of the impacts. It is also unclear if the attacks are linked. Bloomberg has reported a ransomware cartel dubbed DragonForce has claimed it and its partners were behind the attacks. The so-called cartel provides “infrastructure and tools” to hackers but “doesn't require affiliates to deploy its ransomware,” according to research from security firm Secureworks. The hacked companies did not respond to Bloomberg about the claims.

Bleeping Computer originally reported that the threat actors known as Scattered Spider were allegedly behind the attack on Marks & Spencer. The publication reported that the company’s servers were encrypted by ransomware, with the intrusion beginning as early as February. The attribution to Scattered Spider has not been confirmed by Marks & Spencer.

Over the past two years, Scattered Spider has emerged as one of the most prolific and dangerous sets of hackers currently operating. The threat actors are not a well-defined group of hackers. Instead, they’re more a loose collective that uses social engineering—such as phishing and voice calls—to gain initial access into company networks. Scattered Spider members are often English-speaking, teenaged, and can be members of the heinous criminal group the Com. The hackers have been active since June 2022 and have targeted more than 100 companies—including the high-profile hacks on Caesar's Entertainment and MGM Resorts in 2023.

**France (Finally) Names Russian Hackers for the First Time**

French authorities have condemned Russia’s military intelligence agency, accusing it of orchestrating a series of high-profile cyberattacks—including the hacking of Emmanuel Macron’s 2017 presidential campaign, a brazen 2015 assault on the TV channel TV5 Monde, and recent intrusion attempts targeting organizations involved in preparing the 2024 Paris Olympic Games.

French authorities have also disclosed the name and location of a GRU unit tied to the notorious hacking group APT28—information that had never before been officially released. Unit 20728 is based in the southern Russian city of Rostov-on-Don and operates out of the "166th Information Research Center."

This marks the first time French officials have publicly assigned blame to a foreign intelligence service following an internal attribution process. The timing is significant, coming as Paris positions itself at the forefront of Europe’s support for Ukraine.

**US Moves to Crack Down on ‘Largest Illicit Marketplace’**

The Trump administration has taken the first step toward blacklisting a Cambodian financial conglomerate at the center of a global money laundering network. On Thursday, the Treasury Department designated Huione Group as a money-laundering operation, alleging that the company and its affiliates have laundered more than $4 billion for criminals, including North Korean hackers and online scammers.

These scammers—who defraud victims through bogus investments and other schemes—rely on Huione and its affiliates to move funds abroad to evade both law enforcement and anti-money-laundering systems. The proposed action represents the most significant effort yet to crack down on Huione, which is tied to what experts believe to be the “largest illicit marketplace”: Huione Guarantee. According to WIRED’s January report, the marketplace has likely facilitated over $24 billion in gray-market transactions. Experts believe the platform operates as a one-stop shop for scammers, offering everything from victim contact lists and deepfake tools to fake investment websites and other illicit services.

**New Microsoft Accounts Won’t Need Passwords Anymore**

Slowly but surely, the password is dying. Over the past two years, passkeys—a stronger method of authentication that doesn’t require you to remember or use a password—have become more common. The rollout of the technology has been piecemeal, but big tech companies have worked for years to create the alternative, which is more secure than passwords. This week, Microsoft announced that people setting up new accounts with the company won’t have to create passwords at all. “New Microsoft accounts will now be ‘passwordless by default,’” the company wrote in a blog post. Microsoft is also pushing people further away from passwords and will “detect” the best way for people to lo in to their accounts if they have set up alternatives to passwords.

Hacking Spree Hits UK Retail Giants

In the obfstr crate before 0.4.4 for Rust, the obfstr! argument type is not restricted to string slices, leading to invalid UTF-8 conversion that produces an invalid value.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-v2p5-q653-9j99: obfstr Type Confusion vulnerability

Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.

GHSA-h3vp-qwmx-5j25: Grokability Snipe-IT has incorrect authorization for accessing asset information

A photo taken this week showed Mike Waltz using an app that looks like—but is not—Signal to communicate with top officials. "I don't even know where to start with this," says one expert.

On ThursdaY, Reuters published a photo depicting then-United States national security adviser Mike Waltz checking his phone during a cabinet meeting held by President Trump in the White House. If you enlarge the portion of the image that captures Waltz’s screen, it seems to show him using the end-to-end encrypted messaging app Signal. But if you look more closely, a notification on the screen refers to the app as “TM SGNL.” During a White House cabinet meeting on Wednesday, then, Waltz was apparently using an Israeli-made app called TeleMessage Signal to message with people who appear to be top US officials, including JD Vance, Marco Rubio, and Tulsi Gabbard.

After senior Trump administration cabinet members used vanishing Signal messages to coordinate March military strikes in Yemen—and accidentally included the editor in chief of The Atlantic in the group chat—the “SignalGate” scandal highlighted concerning breaches of traditional government “operational security” protocol as well as compliance issues with federal records-retention laws. At the center of the debacle was Waltz, who was ousted by Trump as US national security adviser on Thursday. Waltz created the “Houthi PC Small Group” chat and was the member who added top Atlantic editor Jeffrey Goldberg. "I take full responsibility. I built the group," Waltz told Fox News in late March. "We've got the best technical minds looking at how this happened," he added at the time.

SignalGate had nothing to do with Signal. The app was functioning normally and was simply being used at an inappropriate time for an incredibly sensitive discussion that should have been carried out on special-purpose, hardened federal devices and software platforms. If you're going to flout the protocols, though, Signal is (relatively speaking) a good place to do it, because the app is designed so only the senders and receivers of messages in a group chat can read them. And the app is built to collect as little information as possible about its users and their associates. This means that if US government officials were chatting on the app, spies or malicious hackers could only access their communications by directly compromising participants' devices—a challenge that is potentially surmountable but at least limits possible access points. Using an app like TeleMessage Signal, though, presumably in an attempt to comply with data retention requirements, opens up numerous other paths for adversaries to access messages.

"I don't even know where to start with this," says Jake Williams, a former NSA hacker and vice president of research and development at Hunter Strategy. “It's mind-blowing that the federal government is using Israeli tech to route extremely sensitive data for archival purposes. You just know that someone is grabbing a copy of that data. Even if TeleMessage isn't willingly giving it up, they have just become one of the biggest nation-state targets out there.”

TeleMessage was founded in Israel in 1999 by former Israel Defense Forces technologists and run out of the country until it was acquired last year by the US-based digital communications archiving company Smarsh. The service creates duplicates of communication apps that are outfitted with a “mobile archiver” tool to record and store messages sent through the app.

“Capture, archive and monitor mobile communication: SMS, MMS, Voice Calls, WhatsApp, WeChat, Telegram & Signal,” TeleMessage says on its website. For Signal it adds, “Record and capture Signal calls, texts, multimedia and files on corporate-issued and employee BYOD phones.” (BYOD stands for bring your own device.) In other words, there are TeleMessage versions of Signal for essentially any mainstream consumer device. The company says that using TeleMessage Signal, users can “Maintain all Signal app features and functionality as well as the Signal encryption,” adding that the app provides “End-to-End encryption from the mobile phone through to the corporate archive.” The existence of “the corporate archive,” though, undermines the privacy and security of the end-to-end encryption scheme.

TeleMessage apps are not approved for use under the US government's Federal Risk and Authorization Management Program or FedRAMP. TeleMessage and Smarsh did not immediately return requests for comment about whether their products are used by the US federal government and in what capacity.

"As we have said many times, Signal is an approved app for government use and is loaded on government phones,” White House press secretary Anna Kelly tells WIRED. She did not answer questions about whether the White House approves of federal officials using TeleMessage Signal—which is a different app from Signal—or whether other officials aside from Waltz have used the app or currently use it.

The Cybersecurity and Infrastructure Security Agency does not create policy around federal technology use but does release public guidance. When asked about Waltz’s apparent use of TeleMessage Signal, CISA simply referred WIRED to its best-practices guide for mobile communications. The document specifically advises, “When selecting an end-to-end encrypted messaging app, evaluate the extent to which the app and associated services collect and store metadata.”

It is not clear when Waltz started using TeleMessage Signal and whether he was already using it during SignalGate or started using it afterward in response to criticisms that turning on Signal's disappearing messages feature is in conflict with federal data-retention laws.

“I have no doubt the leadership of the US national security apparatus ran this software through a full information-assurance process to ensure there was no information leakage to foreign nations,” says Johns Hopkins cryptographer Matt Green. “Because if they didn’t, we are screwed.”

Mike Waltz Has Somehow Gotten Even Worse at Using Signal

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

GHSA-f9ch-h8j7-8jwg: Hashicorp Vault Community vulnerable to Incorrect Authorization

A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.812.0 is able to address this issue. The name of the patch is 3d12ac8dc2282369296c3386815c00a06c6a92fe. It is recommended to upgrade the affected component.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-8w8f-h4cm-c4pg: Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor

German police seized the dark web shop Pygmalion, gaining access to customer data linked to over 7,000 drug…

German police seized the dark web shop Pygmalion, gaining access to customer data linked to over 7,000 drug orders in a major investigation.

A major dark web drug operation and marketplace operating under the name “Pygmalion” has been disrupted by German law enforcement, with its infrastructure dismantled and several individuals arrested following a months-long investigation.

The Bavarian State Criminal Police Office (BLKA), working with the Central Office for the Prosecution of Cybercrime (ZCB) and backed by the Federal Criminal Police Office (BKA), seized multiple servers and onion domains used by the vendor.

The seized dark web domains now display a takedown notice from authorities, informing visitors that the content has been confiscated. _“_This criminal content has been seized by the Federal Criminal Police Office (BKA) on behalf of the Bavarian Central Office for the Prosecution of Cybercrime (ZCB),_“_ the seizure notice states.

Seizure notice displayed on all domains previously used by the Pygmalion shop

****Over 7,000 Orders Tracked****

According to a press release from the BLKA published on 24 April 2025, investigators found a detailed trove of records, including customer data and order histories dating back to April 2024. Initial forensic analysis revealed that the operators maintained precise logs covering at least 7,250 individual transactions.

The scale of the operation came to light through data collected during prior investigations by the Thuringia State Criminal Police Office. Once connections were established between activity in Bavaria, Thuringia, and North Rhine-Westphalia, authorities were able to map out an internal structure that included packers, shippers, and coordinators.

****Arrests and Massive Drug Seizure****

On February 7, 2025, police arrested four individuals, three men and one woman, aged from 24 to 56. All are suspected of being part of a group responsible for packaging and shipping narcotics to buyers around the globe. The arrests took place in the Eichstätt district and the town of Neuburg an der Donau.

During coordinated raids at five properties, officers seized over 53 kilograms of illicit substances including methamphetamine, heroin, and cocaine. Also recovered were roughly 150,000 tablets regulated under Germany’s Medicines Act.

Many of the drugs were already portioned into thousands of vacuum-sealed bags, ready for distribution. Officials estimate the retail value of the confiscated narcotics to be in the low seven-figure euro range.

Seized drugs (Image credit: © Bavarian State Criminal Police Office

****Vendor Statement: “Lay Low”****

In the aftermath of the takedown, a Pastebin message attributed to the vendor circulated via a redirect from the now-defunct Pygmalion darknet shop. It reads:

> “You’ve already heard from the BKA: Our shop has been seized. Normally, this wouldn’t be possible, since we’re behind Tor—but Pygmalion had access to the server. This means it’s safe to assume that customer data is now in the hands of the authorities.
> 
> To all who have ordered since approximately April 2024:
> 
> *   Clean your house as soon as possible.
> *   Keep your feet still.
> 
> We don’t plan on stopping, even though this was a huge blow for all of us.”

The message appears to confirm that the operational security of the marketplace was compromised internally, and it suggests that customers may be at risk of identification.

Law enforcement has outlined that online drug purchases, whether on the clear web or via dark web services, are subject to criminal prosecution. Contrary to the beliefs held by many users of such platforms, investigators frequently recover data logs, and the assumption of anonymity often proves false.

Officials emphasised that online traces left by orders can be used to identify buyers long after transactions occur. The scale of the seized data provides further opportunities for ongoing investigations.

The takedown and identification of buyers is similar to the Hansa dark web marketplace shutdown in 2018, when authorities not only dismantled one of the largest known cybercrime markets at the time but also publicly released information on identified, active, and arrested Hansa vendors and buyers.

Additionally, Pygmalion’s takedown came a month after German police seized the popular dark web marketplace Nemesis Market. The platform facilitated the sale of illegal drugs, stolen data, and cybercrime services, including ransomware. The shutdown was announced by German police on 21 March 2025.

Nevertheless, those arrested over their activities on Pygmalion face charges related to organized trafficking of large quantities of controlled substances. Convictions under such offences could carry sentences of five to fifteen years in prison, depending on the severity and level of involvement.

The seized onion addresses include:

http://pygmaliop3prfrktd6a6ezi3oqehu5ysja37vudycvkqngzncnvgw5qd.onion

http://pygmaliooo4dwxt4xdvrglqsgvdjnj3ymjtaffsavnufb6e2vz726wid.onion

Police Seize Dark Web Shop Pygmalion, Access User Data from 7K Orders

Luxury retailer Harrods confirms a cyber attack attempt, restricting internet access but keeping its online store running. Learn…

Luxury retailer Harrods confirms a cyber attack attempt, restricting internet access but keeping its online store running. Learn about the growing wave of cyber threats also impacting M&S and Co-op.

Following disruptions at British retail giants Marks & Spencer and Co-op, the esteemed department store Harrods also, reportedly, has been targeted by malicious threat actors attempting to infiltrate their online infrastructure.

This incident, occurring just this week, prompted Harrods to implement protective measures, including restricting internet access across their physical locations. It’s worth noting that while Harrods confirmed the cyber attack attempt and the resulting restrictions on internet access at their sites, they did emphasize that their online store was operating normally on Thursday evening, May 1st, 2025.

“We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result, we have restricted internet access at our sites today,” Harrods’ official statement read.

While the immediate impact led to operational adjustments behind the scenes, the luxury retailer assured its clientele that their flagship store in Knightsbridge, along with its H Beauty and airport outlets remained open for business.

More importantly, there was no immediate indication that customer data had been compromised. This proactive response highlights the growing awareness and preparedness of major organizations in the face of persistent cybersecurity threats.

****Scattered Spider****

Considering these events collectively, a pattern of aggressive cyber activity against the retail sector in the UK has emerged. The recent attack on Marks & Spencer, which has been attributed to a sophisticated hacking group Scattered Spider, has had a far more severe impact. Their online operations remain crippled, causing a halt to online orders and even leading to empty shelves in some physical stores due to the disruption of inventory management systems, and a significant drop in its market value.

Simultaneously, Co-op has recently been a victim of cyber attacks, leading to the implementation of stringent internal security protocols, including mandatory camera usage during online meetings as a means of verifying attendees.

The fact that these attacks have occurred in close succession raises questions about potential links, whether through shared vulnerabilities in commonly used software like SAP’s enterprise resource planning systems, or perhaps even a coordinated campaign.

The National Cyber Security Centre (NCSC) is actively involved, working with the affected organizations to understand the nature and potential connections between these incidents.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture,” Richard Horne, NCSC’s chief executive stated.

Tag

#auth