Weekend Catch-Up: What Mattered in Cybersecurity This Week
Miss an episode? Here’s the no-fluff, caffeine-level summary so you can roll into Monday fully briefed.
Happy Friday Security Gang,
This week was filled with key developments in cybersecurity. Find everything you need to know from this week below.
Weekend Cyber-Roundup (May 19 – 23, 2025)
Insider & Data Breaches
Story Deep-Dive
Coinbase “inside job” – Attackers bribed a handful of third-party support reps in Manila, using Telegram to negotiate a $20 million payoff. They lifted identity data on 69,461 customers (names, DOB, email, masked bank digits, partial SSNs) but never touched wallets or keys. Coinbase let the extortion clock run out, then went public, offering credit monitoring and pointing out that U.S. law still calls this a “breach”—even though most of the fields can be scraped from voter rolls.
UK Legal Aid Agency hack – The MoJ confirmed the breach spans every legal-aid applicant since 2010, roughly 2 million people. Data include sealed conviction details and financial disclosures. The service is offline while the NCSC and NCA investigate. Critics say ten-year-old data had no business sitting in live SQL servers.
Malware, Post-Exploitation & Deepfakes
SkitNet goes mainstream – Rust loaders + DNS reverse shells now feature in BlackBasta and Cactus playbooks, giving them AnyDesk installs and AV-evasion in one drop.
FBI PSA on deepfake vishing – Since April, cloned voices of senior U.S. officials plus spoofed SMS are luring retired diplomats to malware-laced Signal chats.
Lumma Stealer takedown – Microsoft, Europol and Japan’s JC3 seized 2,300+ C2 domains, redirecting traffic for intel. 394 k hosts were infected in just eight weeks.
Law & Policy Shifts
Japan’s Active Cyber-Defense Law – Ministries can now hack “imminent threat” servers pre-emptively; court warrants still required but can be issued in minutes.
Netherlands criminalises cyber-espionage – Up to 12 years for leaking “sensitive but unclassified” data; first EU statute to cover influence ops as well.
Zero-Days, Patches & Research
Chrome CVE-2025-4664 – RCE bug already in exploit kits targeting ad-tech networks; CISA put it on the KEV list with a June 3 patch-by date.
Pwn2Own Berlin – 29 zero-days, $1.08 million awarded. A SharePoint auth-bypass ➜ deserialization chain netted $100 k; an ESXi integer overflow earned $150 k. Vendors have 90 days to patch.
Ivanti EPMM (CVE-2025-4427/4428) – Auth bypass + OGNL injection ⇒ full device takeover. Exploits seen dropping Cobalt Strike beacons.
Versa SD-WAN (CVE-2025-34027) – Traefik misconfiguration lets unauthenticated attackers run root commands via cron. PoC on GitHub.
OpenPGP.js (CVE-2025-47934) – Inline-signature spoofing breaks trust for Proton-style mail clients; fixed in 5.11.3/6.1.1.
Cisco ISE & UIC – RADIUS DoS (CVSS 8.6) and privilege-escalation bugs; patches released May 21.
GitLab & Atlassian May bulletins – GitLab DoS (CVE-2025-9093) and masked-variable leak; Atlassian fixes eight high-severity flaws across Confluence, Jira, Bamboo.
Critical-Infrastructure & Supply Chain Hits
Peter Green Chilled – Ransomware knocked order-processing for Tesco & Aldi; drivers kept rolling but trucks had no manifests.
Arla Foods – German dairy plant halted filling lines; facility back to 80 % after 72 h.
NHS 2023 autopsies – FOIA shows two patients suffered “severe harm” after Synnovis pathology outage.
Cellcom outage – Five-day voice/SMS blackout across Wisconsin and Upper Michigan traced to unknown cyber incident.
SK Telecom – Malware sat undetected from June 2022 to April 2025, leaking USIM data of 27 million customers. Logging? Nil.
Marks & Spencer – Scattered Spider pivoted through an outsourced help-desk account; projected hit £300 m and service recovery not expected until July.
Nation-State & Hybrid Warfare
APT28 logistics dragnet – Joint CISA/EU advisory details exploitation of Outlook NTLM, WinRAR & Roundcube to track weapon shipments.
Unsolicited Booker / MarsSnake – Three-year dwell-time in Saudi org; backdoor hides C2 beacons in HTTP 302 responses.
Kremlin DDoS blowback – Russian tax portal and secure docs network down for 18 h after “foreign attack,” per FSB.
EU hybrid-threat sanctions – 21 individuals & 6 entities hit for GPS jamming and cable sabotage support to GRU.
PRC LinkedIn trap – Fake consulting firms harvesting CV/resume metadata from laid-off U.S. feds; FDD ties infra to Tencent ASN.
Financial & Crypto Crime
$263 M laundering ring – 12 new indictments; gang used spoofed Gemini/Google support lines + SIM-swaps; FBI recovered 54 BTC.
Nomad Bridge arrest – Dual U.S.–Israeli citizen Alexander Gervich nabbed at Ben-Gurion; extradition in motion.
SEC-X hijacker sentenced – Eric “Ronan” Council gets 14 months and forfeits $50 k for ETF pump-and-dump.
Legal & Vendor Fallout
Delta v CrowdStrike – Georgia judge lets negligence claim proceed over 2023 update that grounded 7 k flights; fraud tossed.
Teen extortionist – 19-year-old Matthew D. Lane to plead guilty after lifting 60 M student records from PowerSchool and demanding $2.85 M BTC.
Healthcare & Ransomware
Kettering Health – Interlock ransomware (Nefarious Mantis) shut down EHRs; scammers now spoofing staff phone numbers to steal card data.
Cloud & Developer Ecosystem Threats
HazyHawk DNS hijacks – Dangling CNAMEs on CDC.gov and Deloitte domains now serve porn ads and malware via S3/Azure repos.
Procolored printers – Official USB drivers shipped CoinStealer wallet-swapper and Dolphin RAT for 6 months; at least 9.3 BTC confirmed stolen.
Malicious PyPI checker packages – checker-sagaf, stein-lurks and center-core validated stolen emails against TikTok/Instagram APIs; >600 k downloads before takedown. (thehackernews.com)
🔑 Action List (expanded)
Patch Chrome, Ivanti, Versa, Cisco, GitLab, Atlassian – All have live exploits or public PoCs.
Enable egress DNS logging – Spot SkitNet-style tunnels before ransomware hits.
Audit third-party support desks – Coinbase and M&S show help-desks are your soft underbelly.
Classify legacy PII – Decide whether a leaked street address in 2025 is truly “sensitive” or just noise.
Cold-store decade-old records – The MoJ breach is a museum heist—don’t be the next exhibit.
Run deepfake tabletop – Include voice-clone phishing and SMS spoofing in executive drills.
Separate OT/IT billing – Colonial & Peter Green déjà vu: if the invoices die, so does the product.
Threat-hunt Outlook/WinRAR artefacts – Especially if your supply chain touches Ukraine.
Scrub dormant DNS & cloud buckets – HazyHawk monetises your trash; take it out yourself.
Review vendor liability clauses – Delta’s lawsuit signals the end of “blameless” security software contracts.
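One way to act on the HazyHawk item in the list above (an added example, not code from the CyberHub roundup): a small audit that parses a zone file for CNAMEs pointing into cloud suffixes and flags the ones whose target is no longer claimed. The suffix entries beyond S3 and Azure, the zone data and the liveness oracle are constructed for illustration.

```python
import re
from typing import Callable

# Cloud suffixes where a deleted resource leaves the DNS name unclaimed. The
# page names S3 and Azure; the other entries are assumptions for illustration.
CLOUD_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net",
                  ".blob.core.windows.net", ".trafficmanager.net")

# BIND-style CNAME record: owner [ttl] IN CNAME target
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)$", re.I)

def parse_cnames(zone_text: str):
    """Return (owner, target) pairs; comments and non-CNAME records are ignored."""
    pairs = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        m = CNAME_RE.match(line)
        if m:
            pairs.append((m.group(1).rstrip(".").lower(),
                          m.group(2).rstrip(".").lower()))
    return pairs

def find_dangling(zone_text: str, is_claimed: Callable[[str], bool]):
    """A CNAME is dangling when it points into a cloud suffix and the target is
    no longer claimed. The check is injected because it differs per provider:
    NXDOMAIN is enough for Azure, but S3 names resolve through wildcard DNS,
    so there the bucket itself must be probed over HTTP."""
    return [(o, t) for o, t in parse_cnames(zone_text)
            if t.endswith(CLOUD_SUFFIXES) and not is_claimed(t)]

# Constructed zone: one live bucket, one deleted bucket, one deleted web app,
# and an on-prem CNAME that is out of scope for this audit.
SAMPLE_ZONE = """
$ORIGIN example.org.
www          300 IN A     203.0.113.10
assets       300 IN CNAME assets-prod.s3.amazonaws.com.    ; still in use
old-campaign 300 IN CNAME campaign-2019.s3.amazonaws.com.  ; bucket deleted
portal       300 IN CNAME legacy-portal.azurewebsites.net. ; app deleted
intranet     300 IN CNAME intranet.corp.example.org.
"""

# Constructed liveness oracle standing in for real DNS/HTTP lookups.
STILL_CLAIMED = {"assets-prod.s3.amazonaws.com"}

def demo_claimed(name: str) -> bool:
    return name in STILL_CLAIMED

if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE, demo_claimed):
        print(f"DANGLING {owner} -> {target}")
```

Running it against a real zone export means swapping `demo_claimed` for a resolver or HTTP probe; the on-prem CNAME is deliberately ignored because this audit only covers names a third party could register.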
Stay cyber safe, security gang!
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
For Collaboration and Business inquiries, please use the contact information below:
📩 Email: info@cyberhubpodcast.com