Cyber News Roundup for April 4, 2025

In this week’s roundup, we cover a series of significant cybersecurity incidents and developments from around the globe. Europol’s takedown of a major child exploitation platform, Kidflix, underscores the real-world consequences of cybercrime, while concerns over AI misuse and data leaks continue to grow. Meanwhile, a joint advisory warns of the escalating threat posed by fast flux tactics, and new vulnerabilities highlight ongoing risks for cloud services and enterprise systems.

As organizations continue to face evolving threats, RedSeal’s proactive exposure management helps identify and mitigate risks across complex networks, ensuring a more secure defense against emerging cyber threats. From high-profile cyberattacks to critical system breaches, this roundup highlights the increasing need for vigilance and robust cybersecurity measures across industries.

 

Europol shuts down a major international CSAM platform  

Europol announced the takedown of Kidflix, a major dark web child sexual abuse material (CSAM) platform, calling it the largest child exploitation operation in its history. The multi-year effort led to 79 arrests so far, with 1,393 suspects identified and 39 children rescued. Over 39 countries participated in the investigation. Offenders used cryptocurrency to access the site, which hosted up to 91,000 videos—many previously unknown to law enforcement. German and Dutch authorities seized servers containing 72,000 videos. Users could earn access tokens by tagging content. Europol emphasized the real-world harm behind the platform’s operations, rejecting attempts to frame the case as a purely cyber issue. The platform had 1.8 million users, with around 3.5 new videos uploaded every hour. The investigation remains ongoing.

Elsewhere, a major data leak at GenNomis, an AI image-generation platform by South Korea’s AI-NOMIS, exposed 47.8GB of sensitive data, including 93,000+ images—some appearing to depict underage individuals in explicit content. Discovered by researcher Jeremiah Fowler, the unsecured database also contained deepfakes of celebrities as children and user command logs. The platform, now offline, allowed face-swapping and nude image generation. The incident raises alarm over AI misuse in creating non-consensual, explicit content, especially involving minors, prompting urgent calls for stricter safeguards and developer accountability. (The Record)

 

A joint advisory labels Fast Flux a national security threat  

Fast flux is a technique used by cybercriminals and nation-state actors to evade detection by rapidly rotating DNS records and IP addresses linked to malicious domains. This tactic supports resilient command-and-control (C2) infrastructure and enables persistent malicious activity, such as ransomware, phishing, and botnets. Variants include single flux (rotating IPs) and double flux (changing DNS servers too), often supported by bulletproof hosting services.

A joint advisory from the NSA, CISA, FBI, and international partners warns of fast flux as a national security threat and urges ISPs and cybersecurity providers—especially Protective DNS (PDNS) services—to develop detection and mitigation capabilities. Recommended strategies include DNS analysis, anomaly detection, IP blocking, sinkholing, and threat intelligence sharing. Distinguishing malicious fast flux from legitimate services like CDNs remains a challenge. Organizations are encouraged to verify PDNS protections, train staff on phishing, and participate in collaborative defense efforts to reduce exposure to fast flux-enabled cyber threats.

Meanwhile, House cybersecurity leaders criticized Trump-era cuts to CISA, urging expanded responsibilities instead. Rep. Andrew Garbarino wants CISA central to U.S. cyber efforts, including reauthorizing the 2015 cyber info-sharing law and extending a key grant program. He criticized cuts that harmed operations and signaled support for nominee Sean Plankey. Rep. Eric Swalwell slammed chaotic firings as inefficient and backs legislation to formalize the Joint Cyber Defense Collaborative. Both aim to shield CISA from political attacks and ensure strong congressional support moving forward. (CISA)

 

Google patches Quick Share vulnerability  

The app, formerly known as Nearby Share, is “a peer-to-peer file-sharing utility similar to Apple AirDrop that allows users to transfer files, photos, videos, and other documents between Android devices, Chromebooks, and Windows desktops and laptops in close physical proximity.” Researchers at SafeBreach Labs disclosed details of this new vulnerability that “could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target’s device without their approval,” in other words a zero-click. The vulnerability was one of 10 that the researchers discovered last August. (The Hacker News)

 

Juniper Networks and Palo Alto Networks devices in mystery scanning event  

The Register is reporting that scanning of login portals for devices made by both companies has increased substantially in recent weeks. “On Wednesday, SANS Institute’s Johannes Ullrich said he noticed a surge in scans for the username “t128,” which, when accompanied by the password “128tRoutes,” is a well-known default account for Juniper’s Session Smart Networking products.” Internet scanning security firm GreyNoise has also spotted mass probing, in this case directed at the login portals of Palo Alto Networks’ PAN-OS GlobalProtect remote access products. They believe “anonymous scanners are searching for exposed or vulnerable product and noted almost 24,000 unique IP addresses attempting to login over the past 30 days.” (The Register)

 

Russian state railway suffers cyber disruption  

The state-owned railway, RZD, has reported a cyberattack that temporarily disrupted its website and mobile application. This is the second incident this week for Russia’s transit systems, following a Monday attack and disruption on the app and website for Moscow’s subway system. This RZD attack is being confirmed by RZD officials as a DDoS attack, which meant that ticket sales remained operational at physical offices across stations and terminals. No group has yet claimed responsibility for this attack. (The Record)

 

Google Cloud patches a vulnerability affecting its Cloud Run platform  

Google Cloud has patched a vulnerability called ImageRunner, which affected its Cloud Run platform. Discovered by Tenable, the flaw allowed users with certain permissions to modify Cloud Run services and potentially access private container images. In the worst case, attackers could extract secrets and exfiltrate sensitive data. Google says they alerted customers in November 2024 and fully deployed a fix by January 28, 2025. The update now enforces stricter IAM checks during deployments to prevent unauthorized image access.

Elsewhere, Google has launched a beta feature allowing enterprise users to send end-to-end encrypted (E2EE) emails within their organization, with plans to expand it to all Gmail inboxes by year’s end. Unlike S/MIME, Google’s approach doesn’t require certificate management or key sharing, simplifying secure communication. Organizations retain control of encryption keys, keeping messages secure and compliant with regulations. External recipients can access messages via a restricted Gmail interface or S/MIME if supported. Additional Gmail security features, including data loss prevention and AI threat protection, are also now available. (SecurityWeek)

 

North Korean IT worker army expands operations in Europe  

Security researchers with the Google Threat Intelligence Group found that North Korean IT workers are infiltrating European companies using fake identities to secure remote jobs, generating revenue for the DPRK regime…operating through platforms like Upwork and Telegram, with payments processed through cryptocurrency to evade detection. Authorities in the U.S. and UK have issued sanctions and warnings, as some workers have also engaged in extortion using insider knowledge. (Bleeping Computer)

 

Latest Ivanti bug, paired with malware, earns an alert from CISA  

CISA has issued an alert about a powerful malware called Resurge, used by alleged Chinese hackers to exploit a vulnerability in Ivanti security tools. The malware can manipulate system integrity, harvest credentials, and create backdoors, allowing persistent access even after updates. Google-owned Mandiant confirmed that the malware is linked to China-based espionage actors, who have targeted government, defense, and finance sectors since 2020. Ivanti’s Integrity Checker Tool (ICT) was also compromised, making detection harder. CISA urges administrators to reset credentials and factory reset affected Ivanti devices to mitigate risks. (The Record)

 

GitHub expands security tools after 39 million secrets leaked in 2024  

GitHub has expanded its security tools after detecting over 39 million leaked secrets in repositories in 2024, including API keys and credentials. Despite measures like “Push Protection,” leaks persist due to developer habits and accidental exposure. To combat this, GitHub now offers standalone security products, free organization-wide secret risk assessments, enhanced push protection with bypass controls, AI-powered secret detection via Copilot, and improved detection through cloud provider partnerships. Users are advised to enable push protection, avoid hardcoded secrets, and use secure storage methods. (Bleeping Computer)

 

A covert Chinese-linked network targets recently laid-off U.S. government workers  

A covert Chinese-linked network is allegedly targeting recently laid-off U.S. government workers with fake job ads, aiming to gather sensitive information. Researcher Max Lesser found the campaign uses bogus consulting firms with overlapping websites and fake contact details. One firm, RiverMerge Strategies, posted ads for roles requiring government experience, with connections traced to a Chinese tech company. Some ads ran on LinkedIn and Craigslist but were later deleted. Reuters couldn’t confirm if any hires occurred or direct ties to the Chinese government. U.S. officials warn these tactics mirror past Chinese espionage operations. The FBI confirmed that foreign intelligence often uses fake recruiters to exploit former federal workers’ financial vulnerability. The firms’ activity raises concerns about national security, especially amid recent federal workforce layoffs. (Reuters)

 

Global phishing threat targets 88 countries  

A phishing-as-a-service platform called Lucid is targeting 169 entities across 88 countries, using iMessage and RCS to bypass spam filters and deliver large-scale phishing campaigns. Run by the Chinese cybercriminal group XinXin, Lucid offers over 1,000 phishing domains, auto-generated phishing sites, and pro-grade spamming tools to its subscribers. Victims clicking the links are redirected to fake landing pages impersonating companies like USPS, Amazon, and major banks, where their personal and financial data is stolen. (Bleeping Computer)

 

Samsung data breach tied to old stolen credentials  

Credentials compromised in a 2021 Racoon infostealer infection and never changed led to the leak of 270,000 customer records from Samsung Germany’s ticketing system. The threat actor ‘GHNA’ exploited these stolen Spectos GmbH credentials, which remained unchanged for four years, to access Samsung’s system and expose sensitive customer data, including names, addresses, emails, and transaction details. (Security Week)

 

North Korea’s fake worker schemes getting worse  

North Korean operatives aren’t just freelancing—they’re securing full-time IT and engineering roles, gaining deep access to enterprise networks under legitimate employment. DTEX’s investigation found these insiders operating in Fortune 2000 companies, with privileged access to systems, remote tools, and the ability to pivot into supply chain partners. The workers, often teams posing as one high-performing individual, are funneling salaries back to Pyongyang, but experts warn financial motives could shift to espionage or sabotage. Forcing job candidates to be on camera and show government-issued ID is also not proving to be enough – researchers suggest watching for social red flags, such as candidates looking away for prompts during interviews or avoiding casual conversation about personal interests. (CyberScoop)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.