news · 9 min read

Bulletin — April 2025

M&S falls on 25 April via social engineering against the TCS helpdesk — Co-op follows on the 29th with the same vector — Harrods contains on 1 May. Llama 4 arrives with LMArena controversy. GPT-4.1 ships on the 14th, Gemini 2.5 Pro on 25 March. 4chan hacked on the 14th. Patch Tuesday with a CLFS zero-day exploited by RansomEXX.

· Manuel López Pérez · news

April 2025 is the month in which the helpdesk was the vector. Marks & Spencer, Co-op Group and Harrods fall, or contain an attack, within a two-week window and against the same playbook: social engineering against outsourced tier-1 IT. In AI, Llama 4 brings the open-weights category to the frontier, with an LMArena controversy that lasts three days. 4chan stays offline after a hack by attackers who had been inside for more than a year. And Patch Tuesday brings a CLFS zero-day in active use by RansomEXX. Three central notes in detail, six others short.

M&S, Co-op, Harrods — the UK retail wave

22-25 April: Marks & Spencer detects anomalous activity on the 22nd; on the 23rd CEO Stuart Machin receives a message from DragonForce sent from a compromised corporate account; on the 25th national ecommerce is suspended. Vector confirmed by NCSC and Microsoft: social engineering against the Tata Consultancy Services helpdesk (TCS, outsourced IT provider) to obtain credential and MFA resets. Attributed to Scattered Spider (Microsoft: Octo Tempest) as initial access broker, with DragonForce executing the ransomware in its new affiliate model.

29 April: Co-op Group announces detection of compromise with identical vector. Quick reaction — takes systems offline preventively in 24-48 hours. Disruption contained to back-office and call-centre.

1 May: Harrods contains an attempt with the same pattern. No public operational disruption.

The quantified operational impact: M&S guides to an impact of ~£300M on operating profit for the fiscal year. The Cyber Monitoring Centre later classifies M&S + Co-op as a “single combined cyber event” with aggregate impact between £270M and £440M. We’ve published the technical analysis of the playbook and compensating controls: out-of-band verification, manager checkpoint for privileged accounts, configurable time-delay.

The short read: the MGM 2023 pattern enters its industrialised version. What’s new is not the technique but the fact that a single provider (TCS) runs the helpdesk for multiple UK retailers with the same processes, which turns one success into a reusable template. Outsourcing tier-1 without specific contractual hardening creates a point of failure that affects the entire portfolio.

Sources: https://corporate.marksandspencer.com/media/press-releases/2025/cyber-incident · https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers · https://www.bbc.co.uk/news/articles/ms-cyber-incident

Llama 4 — Saturday release and LMArena controversy in 72 hours

5 April (Saturday): Meta launches Llama 4 with three variants — Maverick (MoE 17B active / 400B total, 1M tokens), Scout (17B/109B, 10M tokens declared) and Behemoth (~2T, in training). Maverick appears on LMArena with ELO 1417, second only to Gemini 2.5 Pro, the first open-weights model that high.

8 April: researchers note that the version uploaded to LMArena, tagged Llama-4-Maverick-03-26-Experimental, is not the same as the one uploaded to Hugging Face. The experimental is optimised for human preference in arena: longer responses, liberal emoji use, distinctive format with cordial greeting and structured closing. The public one is notably more sober. LMArena publishes a statement acknowledging the practice “does not meet expectations” and revises submission policy.

11 April: the un-tuned public Llama-4-Maverick-17B-128E-Instruct is added to LMArena. Ranking: #32. 30 places below the experimental version.

We’ve published the editorial analysis: why it matters for safety evals, what it implies for deployers, parallel with Dieselgate, and why any aggregate benchmark becomes unreliable once it’s a target of optimisation. The operational read: the evaluated model has to be the deployed model, no exception.

Additional technical notes that emerge in the following days:

  • Scout’s declared 10M tokens context is theoretical — independent tests (Simon Willison and others) show significant degradation past ~20k tokens on real summarisation loads.
  • The iRoPE architecture (interleaved attention without positional embedding) is interesting in the paper but its out-of-distribution behaviour remains unvalidated.
  • Yann LeCun, Meta AI’s chief scientist, leaves Meta months later in circumstances related to the controversy.

Sources: https://ai.meta.com/blog/llama-4-multimodal-intelligence/ · https://simonwillison.net/2025/Apr/5/llama-4-notes/ · https://techcrunch.com/2025/04/11/metas-vanilla-maverick-ai-model-ranks-below-rivals-on-a-popular-chat-benchmark/

4chan hacked — a year inside, PHP from 2016

14 April: 4chan goes offline. Hackers from rival Soyjak.party claim the intrusion, leak PHP source code, configuration files, admin panel screenshots, 219 emails of moderators and janitors with associated IPs. The most relevant detail: the attackers claim to have had continuous access for over a year.

Root cause, according to the leaked files: the site operated with a 2016 version of PHP with unpatched public vulnerabilities. The legacy stack allowed the initial access; the lack of monitoring kept attackers inside for months without detection.

Parallel coverage on Kiwi Farms publishes the complete files. 4chan begins to partially recover at the end of the month but with much-reduced functionality.

The read for anyone with a legacy stack: web application patch hygiene isn’t optional, and a patched runtime is the first perimeter. No WAF and no CDN saves an application running vulnerable PHP from 2016, because the attacker doesn’t go through the front; they escalate from inside.

Source: https://techcrunch.com/2025/04/15/notorious-image-board-4chan-hacked-and-internal-data-leaked/

GPT-4.1 — 14 April

OpenAI launches three models via API: GPT-4.1, GPT-4.1 mini, and GPT-4.1 nano. Notable improvements: context window up to 1M tokens (matching Gemini), better instruction following and coding over GPT-4o, competitive pricing on mini and nano. The initial release is API only; the models reach ChatGPT Plus/Pro on 14 May, with GPT-4.1 mini replacing GPT-4o mini for all users.

The announcement’s framing is deliberately developer-first: “better in real-world coding tasks, instruction following, long-context comprehension”. It’s an iteration release, not a generational jump. OpenAI’s cadence is now clearly at least quarterly, with o3 launched in preview at the end of last year and the next generation of reasoning models in the pipeline.

Source: https://openai.com/index/gpt-4-1/

Gemini 2.5 Pro — for precision, it was 25 March

Although it counts as context for April, Gemini 2.5 Pro is actually announced on 25 March (experimental preview). In April the model becomes broadly available through the API and is positioned as the direct competitor to OpenAI’s o-series in the reasoning segment. Three points:

  • It’s the first Gemini generation with thinking mode natively integrated (chain-of-thought variable by query complexity).
  • It tops LMArena for several days — before Llama 4 briefly takes the spot.
  • It has a 2M-token context window and competitive throughput for enterprise.

In May, Google launches the “I/O edition” version with code improvements coinciding with Google I/O. General availability arrives on 17 June.

Source: https://blog.google/technology/google-deepmind/gemini-model-thinking-updates-march-2025/

Patch Tuesday — CLFS zero-day in use by RansomEXX

8 April: Microsoft Patch Tuesday closes 134 vulnerabilities, including 11 critical RCEs and 1 in-the-wild exploited zero-day: CVE-2025-29824, use-after-free in the Common Log File System Driver (CLFS), elevation of privilege to SYSTEM. Microsoft attributes active exploitation to RansomEXX, which uses the exploit for post-initial-access escalation in ransomware operations.

Other critical CVEs this month:

  • CVE-2025-26663 / CVE-2025-26670 — pre-auth RCE in Windows LDAP (unauthenticated use-after-free). Any internet-exposed unpatched DC with LDAP is a candidate for exploitation.
  • CVE-2025-27480 / CVE-2025-27482 — RCE in Windows Remote Desktop Services (Gateway role), CVSS 8.1.
  • Four additional CVEs of local escalation in Hyper-V, NTFS and Win32k.

The CLFS pattern isn’t new — UAFs in this driver are recurring (CVE-2022-37969, CVE-2023-28252 were also exploited zero-days). It’s a perennial elevation-of-privilege target in ransomware operations because it’s present in every Windows version since XP.

Source: https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr · https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2025-patch-tuesday-fixes-exploited-zero-day-134-flaws/

PyTorch CVE-2025-32434 — torch.load(weights_only=True) isn’t safe

April 2025. Research published on arxiv and a GitHub advisory demonstrate that CVE-2025-32434 (CVSS 9.3) allows arbitrary RCE when loading a PyTorch model even when the operator passes weights_only=True — the flag that PyTorch’s documentation had been recommending for years as the mitigation against deserialization attacks. Affected versions: PyTorch 2.5.1 and earlier. Fix in 2.6.0.

The bug is in the implementation of the parser that is supposed to load only tensors, not arbitrary objects. A file crafted with the right structure bypasses the check and triggers pickle’s __reduce__ with attacker-controlled code. What’s critical: the canonical security posture of the PyTorch ecosystem (“don’t use torch.load with untrusted models, except with weights_only=True”) gets invalidated by a single CVE. Any tool loading models from Hugging Face, inference servers, or MLOps pipelines in the belief that the flag protected it was exposed.

It’s the second signal of the year (after MCP tool poisoning in March) that the AI model supply chain doesn’t have a robust “safe load” primitive. Pickle is still pickle. The minimum defensive action: pin to 2.6.0+, scan models with picklescan or equivalent before loading, and in production use safetensors as the alternative format (no executable code in the file, just metadata + tensors).
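What "scan before loading" means in practice, as an added example (not picklescan's code and not from the advisory): walk the pickle opcodes inside a checkpoint without unpickling it and report every import outside an allowlist. The allowlist, the helper names and the sample checkpoints are assumptions constructed for this sketch.

```python
import io, pickle, pickletools, zipfile

# Assumption: illustrative allowlist of imports a plain state_dict checkpoint needs.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}

def pickle_globals(data):
    """List every (module, name) a pickle stream imports, without unpickling it."""
    found, strings, memo, last = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if "UNICODE" in op.name:  # every opcode that pushes a text string
            last = arg
            strings.append(arg)
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            memo[len(memo) if arg is None else arg] = last  # MEMOIZE carries no index
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            if op.name in ("GLOBAL", "INST"):
                found.add(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":  # heuristic: the two most recent strings
                found.add(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
            last = None
    return found

def scan_checkpoint(blob):
    """Return sorted imports outside ALLOWED in a zip or raw-pickle checkpoint."""
    streams = [blob]
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    bad = set()
    for stream in streams:
        try:
            bad |= pickle_globals(stream) - ALLOWED
        except Exception:  # malformed stream: report it rather than guess
            bad.add(("<malformed>", "<pickle>"))
    return sorted(bad)

class Hook:  # constructed sample: harmless callable standing in for a payload
    def __reduce__(self):
        return (print, ("constructed sample",))

def make_checkpoint(obj):  # constructed: zip laid out like a torch.save archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=4))
    return buf.getvalue()
```

An empty result from `scan_checkpoint` means no import outside the allowlist was found; it complements pinning to 2.6.0+ and does not replace it.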

Source: https://github.com/advisories/GHSA-53q9-r3pm-6pq6 · https://nvd.nist.gov/vuln/detail/CVE-2025-32434 · https://www.wiz.io/vulnerability-database/cve/cve-2025-32434

Rest of the month

  • OpenAI o3 + o4-mini launched in preview (16 April) — first full generation of post-o1 reasoning models. General AI security coverage in the May bulletin once the first jailbreaks are known.
  • Anthropic publishes Claude Code with expanded availability — CLI tool for Claude that executes agentic coding tasks. Strong initial adoption among developers.
  • Apple App Store Decision (29 April) — Epic vs Apple in the US: ruling forcing Apple to allow external payments. Monetisation implications for the entire iOS ecosystem, with no direct cyber impact but notable as regulatory context.
  • CISA + FBI advisory on Medusa ransomware (mid-April) — active campaign against US critical infrastructure. IoCs published, TTPs documented.
  • Ivanti CVE-2025-22457 — new vuln in Connect Secure, pre-auth RCE, CVSS 9.0. Exploited in the wild before the patch according to Mandiant. The Ivanti-as-maximum-exposure-vendor pattern continues — echo of the January 2024 post on the Ivanti CS chain.
  • WhatsApp View Once bypass disclosed (Meta security team) — feature assumed ephemeral but files remain recoverable via web client. Moderate impact, fast fix.

Cross-cutting pattern — the helpdesk doesn’t scale

If April leaves a single operational reading for CISOs, it’s this: outsourcing tier-1 IT support without specific contractual hardening has become a systemic risk. The M&S/Co-op/Harrods playbook doesn’t require zero-days, special technical capability, or access to classified infrastructure. It requires:

  • LinkedIn premium or equivalent,
  • Access to aggregated breach data (sold in already-known markets),
  • A three-minute phone call,
  • Knowing the outsourced provider’s standard script.

The structural defence isn’t “more SOC” or “more threat intel”. It’s reviewing the identity verification process the provider’s helpdesk applies before resetting credentials. If that verification is based on information any breach data dump has catalogued, the verification doesn’t exist.

NCSC will publish specific guidance during May. What your team can do in the meantime:

  1. Audit the outsourced helpdesk reset process — including reading the provider’s runbook.
  2. Implement out-of-band verification (challenge code via Teams DM or SMS to the number registered in AD) for any reset.
  3. Differentiate privileged vs normal accounts, with a mandatory manager checkpoint for the former.
  4. Apply a configurable automatic time-delay to resets outside working hours.
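Steps 2 to 4 combined into one reset gate, as an added example that is not taken from any provider's runbook or from NCSC guidance. The working hours, delay, code lifetime and all names are assumptions, and delivering the code to the registered number is out of scope.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumptions for this sketch: working hours, delay and code lifetime are configurable.
WORK_START, WORK_END = 8, 18
OFF_HOURS_DELAY = timedelta(hours=4)
CODE_TTL = timedelta(minutes=5)

@dataclass
class ResetRequest:
    account: str
    privileged: bool
    requested_at: datetime
    manager_approved: bool = False
    code: str = ""
    code_issued: Optional[datetime] = None

def issue_code(req, now):
    """Create the one-time code sent to the number registered in AD (delivery not shown)."""
    req.code, req.code_issued = f"{secrets.randbelow(10**6):06d}", now
    return req.code

def decide(req, code_read_back, now):
    """Return (decision, earliest execution time) for a helpdesk reset request."""
    fresh = req.code_issued is not None and now - req.code_issued <= CODE_TTL
    match = hmac.compare_digest(req.code.encode(), code_read_back.encode())
    if not (req.code and fresh and match):
        return "deny", None       # out-of-band code missing, expired or wrong
    req.code = ""                 # single use: a replayed code is rejected
    if req.privileged and not req.manager_approved:
        return "hold", None       # manager checkpoint for privileged accounts
    t = req.requested_at
    if t.weekday() >= 5 or not WORK_START <= t.hour < WORK_END:
        return "delay", t + OFF_HOURS_DELAY
    return "allow", now
```

Because the code is consumed on first success, a privileged request that lands on "hold" needs a fresh code once the manager has approved.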

May will bring two posts: the AI technical post on Claude 4 and agentic misalignment (Anthropic publishes research on 22 May) and the bulletin with aftermath of the UK retail wave plus Coinbase data breach + Adidas + Verizon DBIR 2025.
