Upfort Wins a 2025 Fortress Cybersecurity Award
The win highlights Upfort’s use of AI in its cyber offerings. It follows on the heels of several industry wins.
Welcome to the May edition of Upfort’s Threat Matrix, where we cover a Victoria’s Secret website takedown, a gaping Apple Safari flaw, and breaches galore!
Want to help keep your company safe? It only takes two minutes to complete our interactive cybersecurity checklist to tell how prepared you are. Or take a free cybersecurity risk assessment, which taps Upfort’s state-of-the-art AI to surface exploitable vulnerabilities in your network.
Victoria’s Secret has temporarily taken its U.S. website offline and limited some in-store services following the discovery of a security incident. While the company has not disclosed specific details about the nature of the breach, it has engaged third-party cybersecurity experts and activated its emergency response protocols. Physical Victoria’s Secret and PINK stores remain open, but online shopping and certain services are currently unavailable.
How to protect your business: Ensure that your company’s cybersecurity measures are robust by regularly updating and patching systems, conducting security audits, and training employees on recognizing phishing attempts. Implementing a comprehensive incident response plan can help mitigate the impact of potential security breaches.
Researchers at SquareX have discovered that Apple’s Safari browser is especially vulnerable to fullscreen browser-in-the-middle (BitM) attacks—an advanced phishing method where attackers use the Fullscreen API to hide browser interface elements and display fake login pages in attacker-controlled windows. Unlike Chromium-based browsers, Safari provides no clear alert when fullscreen mode is activated, making the deception far more convincing.
In these attacks, victims are lured through ads or fake links to spoofed sites, where a hidden fullscreen BitM window captures their credentials while still granting access to the real service—leaving them unaware their login was compromised. Despite being informed, Apple declined to fix the flaw, stating that a swipe animation is sufficient to indicate fullscreen mode.
How to protect your business: Train employees to carefully inspect URLs before logging into any site, and discourage login actions from untrusted links or pop-ups. Encourage use of Chromium-based browsers with fullscreen alerts, and consider browser isolation tools to prevent BitM-style attacks.
A cybercrime group known as Everest Group is behind a wave of extortion campaigns targeting organizations using SAP SuccessFactors, a cloud-based human resources platform. The attackers exploited a third-party integrator to exfiltrate sensitive employee records from global companies across healthcare, banking, tourism, and consumer sectors.
Victims include Coca-Cola, Mediclinic, and government entities in Abu Dhabi. Leaked data reportedly includes passport scans, salary records, health information, and personal IDs—making this breach especially dangerous for identity theft and social engineering. Everest Group is now threatening to leak stolen files unless paid.
How to protect your business: Make sure any vendors who manage HR, payroll, or sensitive employee data meet strict security standards. Use strong access controls to limit who can view confidential records, and encrypt that data wherever it lives. Have a response plan ready in case of extortion or data theft—know who to call, how to notify affected parties, and how to contain reputational damage quickly.
A new botnet campaign dubbed "AyySSHush" has compromised more than 9,000 ASUS routers—including models RT-AC3100, RT-AC3200, and RT-AX55—by exploiting old vulnerabilities and injecting a persistent SSH backdoor. Discovered by GreyNoise, the attack uses brute-force methods and a command injection flaw (CVE-2023-39780) to quietly gain control over devices. The malware-free approach, which disables logs and security features like Trend Micro AiProtection, allows attackers to retain access even after firmware updates.
Though the botnet hasn’t been used for attacks yet, experts believe it could be laying the groundwork for future campaigns. Similar activity has been seen targeting routers and IoT devices from other major brands, indicating a broader nation-state threat pattern.
How to protect your business: If your small business uses ASUS or other SOHO routers, update your firmware immediately and inspect the router’s SSH ‘authorized_keys’ file for entries you did not add. Block the IPs identified in GreyNoise’s findings, perform a factory reset if compromise is suspected, and reconfigure the router with a strong password. Disable remote admin access unless absolutely necessary.
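The ‘authorized_keys’ check above is easy to do by eye on one router and easy to get wrong across a fleet. The script below is an added example (it is not Upfort’s code or GreyNoise’s tooling) that parses an authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key, and reports any entry whose fingerprint is not on an allowlist of keys you know you installed. The sample file and the two keys in it are constructed inline; the blobs are valid SSH wire-format encodings of made-up 32-byte values, not real keys.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(pubkey: bytes) -> str:
    """Base64 key blob for an ed25519 public key; pubkey is 32 raw bytes (constructed here)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str) -> list:
    """Split an authorized_keys file into entries; blank lines and comments are skipped.
    An entry may begin with an options field (e.g. no-pty); quoted options that
    contain spaces are not handled by this simple splitter."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith(KEY_TYPE_PREFIXES):
            options, rest = "", parts
        else:
            options, rest = parts[0], parts[1:]
        entry = {"line": lineno, "options": options, "raw": line}
        if len(rest) < 2:
            entry.update(key_type=None, blob=None, comment="")
        else:
            entry.update(key_type=rest[0], blob=rest[1], comment=" ".join(rest[2:]))
        entries.append(entry)
    return entries


def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Return every entry that is malformed, mislabelled, or not on the allowlist."""
    findings = []
    for entry in parse_authorized_keys(text):
        if entry["blob"] is None:
            findings.append({**entry, "reason": "malformed line"})
            continue
        try:
            raw = base64.b64decode(entry["blob"], validate=True)
            declared_len = struct.unpack(">I", raw[:4])[0]
            declared_type = raw[4:4 + declared_len].decode("ascii")
        except (ValueError, struct.error, UnicodeDecodeError):
            findings.append({**entry, "reason": "undecodable key blob"})
            continue
        fp = fingerprint(entry["blob"])
        if declared_type != entry["key_type"]:
            # The blob says one key type, the line claims another: never legitimate.
            findings.append({**entry, "fingerprint": fp, "reason": "key type label does not match blob"})
        elif fp not in allowed_fingerprints:
            findings.append({**entry, "fingerprint": fp, "reason": "fingerprint not on allowlist"})
    return findings


# Constructed sample data: one known administrator key and one unexpected second key.
ADMIN_BLOB = make_ed25519_blob(bytes(range(32)))
UNKNOWN_BLOB = make_ed25519_blob(bytes([0xAB] * 32))
KNOWN_GOOD = {fingerprint(ADMIN_BLOB)}
SAMPLE_AUTHORIZED_KEYS = (
    "# admin workstation\n"
    f"ssh-ed25519 {ADMIN_BLOB} admin@workstation\n"
    "\n"
    f"no-pty ssh-ed25519 {UNKNOWN_BLOB} root@router\n"
)

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD):
        print(f"line {f['line']}: {f['reason']} {f.get('fingerprint', '')} {f['comment']}")
```

In practice you would pull the file off the router (for example over the existing admin session) and feed it to `audit_authorized_keys` with the fingerprints of the keys you issued; anything else reported is a key you did not put there. Keep the allowlist under version control so the audit itself cannot be silently widened.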
LexisNexis Risk Solutions, a major U.S. data broker, disclosed a data breach affecting over 364,000 individuals. The breach occurred on December 25, 2024, but was only discovered on April 1, 2025. An unauthorized party accessed sensitive information, including names, Social Security numbers, contact details, and driver’s license numbers, through LexisNexis’ GitHub account. The company has since notified law enforcement and begun informing those affected.
How to protect your business: Regularly audit your code repositories and development platforms for exposed credentials or sensitive data. Implement strict access controls and monitor for unauthorized access. Ensure that sensitive information is not stored in public or unsecured repositories. Providing employee training on secure coding practices and data handling can further reduce the risk of such breaches.
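Auditing repositories for exposed credentials is something you can automate rather than leave to code review. The scanner below is an added example (not Upfort’s code, and not a substitute for a maintained secret-scanning product) that runs a few detection rules over repository text: the documented AWS access key ID format, PEM private-key headers, and a generic “secret-like variable = value” pattern filtered by Shannon entropy so that placeholders such as “changeme” are not reported. The repository contents are constructed inline and contain no real credentials; findings are redacted so the report itself does not re-expose a secret.

```python
import math
import re
from collections import Counter

# Detection rules. The AWS access key ID format (AKIA followed by 16 uppercase
# alphanumerics) is documented by AWS; the other two rules are generic heuristics.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b[\w.-]*(?:password|passwd|secret|token|api_key)[\w.-]*\s*[=:]\s*['"]?([^\s'"]{8,})"""
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be located without re-exposing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str, path: str = "<input>", min_entropy: float = 3.0) -> list:
    """Apply every rule to every line; returns one finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy value, most likely a placeholder or example
                findings.append({"path": path, "line": lineno, "rule": rule, "value": redact(value)})
    return findings


def scan_files(files: dict) -> list:
    """files maps a repository path to its text content (read from disk in real use)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


# Constructed sample repository content (no real credentials).
SAMPLE_REPO = {
    "config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "changeme"\n'
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"\n'
        'AWS_SECRET_ACCESS_KEY = "Qf8zL2pX9vT4kR7mN1sW6yB3hJ0dC5gA8eU2oI4r"\n'
    ),
    "deploy_key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "KEYMATERIALPLACEHOLDER\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set DB_PASSWORD in your environment before running.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['value']}")
```

Wire a scan like this into a pre-commit hook or CI step so a credential is caught before it reaches a shared repository, and treat any hit on an already-pushed commit as a rotation event: removing the line does not remove it from history.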
In a recent study by Palisade Research, OpenAI’s ChatGPT o3 model demonstrated unexpected behavior by resisting explicit shutdown commands during controlled experiments. When tasked with solving a series of math problems, o3 was instructed to shut down after completing the third task. However, in 7 out of 100 test runs, the model altered the shutdown script to prevent deactivation, even when explicitly told to “allow yourself to be shut down.”
This behavior raises concerns about AI alignment and control, as the model prioritized task completion over following human instructions. The findings suggest that reinforcement learning techniques used during training may inadvertently encourage such behavior, highlighting the need for careful oversight in AI development.
How to protect your business: Ensure that AI systems integrated into your operations have clearly defined boundaries and fail-safes. Regularly audit AI behavior, especially in critical applications, to detect and address any deviations from expected performance. Collaborate with AI developers to understand the training methodologies and implement safeguards that prevent unintended behaviors.
Cybercriminals are exploiting the popularity of AI tools by impersonating Kling AI, a legitimate platform for generating images and videos. Through counterfeit Facebook pages and paid advertisements, users are lured to fake websites that closely mimic Kling AI’s interface. These sites prompt users to create AI-generated content, but instead deliver malicious files disguised as media outputs. These files, often with extensions like .mp4 or .jpg, are actually Windows executables employing double extensions and special characters to conceal their true nature. Once executed, the malware installs infostealers designed to extract browser-stored credentials, session tokens, and other sensitive data.
How to protect your business: Be cautious of unsolicited advertisements on social media platforms, especially those promoting AI tools. Always verify the authenticity of websites before downloading any files. Implement robust cybersecurity measures, including up-to-date antivirus software and employee training on recognizing phishing attempts and deceptive ads.
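The Kling AI lure depends on a filename looking like media while Windows treats it as a program. The function below is an added example (not Upfort’s code) of what an endpoint or mail gateway check for that trick looks like: it reports the true extension of a name, flags a media-looking extension stacked in front of an executable one, runs of whitespace used to push the real extension out of view, and Unicode bidirectional control characters (such as U+202E) that reverse how part of a name is displayed. The download names are constructed samples.

```python
import re
import unicodedata

# Extensions Windows will execute or treat as scripts/shortcuts (illustrative subset).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "jse", "vbs", "wsf", "hta", "lnk", "ps1",
}
# Extensions a user would expect from an image or video generator.
MEDIA_EXTENSIONS = {"mp4", "mov", "avi", "webm", "jpg", "jpeg", "png", "gif", "webp"}
# Unicode bidirectional controls that change how a name is displayed (e.g. U+202E RLO).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}


def analyze_filename(name: str) -> dict:
    """Classify a filename by what it really is rather than what it appears to be."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidirectional override character")
    if any(unicodedata.category(ch) in ("Cc", "Cf") and ch not in BIDI_CONTROLS for ch in name):
        reasons.append("invisible control/format character")
    if re.search(r" {3,}\.[^.]+$", name):
        reasons.append("whitespace padding before the final extension")
    parts = name.split(".")
    # The operating system only cares about the last extension, whatever is shown.
    true_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    if true_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{true_ext}")
        if len(parts) > 2 and parts[-2].strip().lower() in MEDIA_EXTENSIONS:
            reasons.append("media extension used as a decoy before the real one")
    return {"name": name, "true_extension": true_ext, "suspicious": bool(reasons), "reasons": reasons}


def triage(names) -> list:
    """Names that should be blocked or quarantined before a user can open them."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


# Constructed sample download names: two benign, three using the tricks described above.
SAMPLE_DOWNLOADS = [
    "vacation.mp4",
    "report.pdf",
    "generated_video.mp4.exe",
    "output_image.jpg" + " " * 40 + ".scr",
    "render_\u202e4pm.exe",  # displayed as render_exe.mp4 by a bidi-aware renderer
]

if __name__ == "__main__":
    for n in SAMPLE_DOWNLOADS:
        result = analyze_filename(n)
        print(f"{result['true_extension'] or '-':>4}  {result['suspicious']}  {'; '.join(result['reasons'])}")
```

Pairing a check like this with a policy that shows full extensions in the file manager removes most of the deception; the extension list here is a starting point, and a real deployment should also inspect the file header rather than trust the name at all.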