Weekend Catch-Up: What Mattered in Cybersecurity This Week
From Power Grids to Push Notifications—This Week’s Cyber Chaos and the Moves You Need to Make Before Monday
Happy Friday Security Gang,
I’m kicking off this weekend with a double-shot espresso in one hand and a stack of breach reports in the other—because apparently the threat actors didn’t get the memo about taking Fridays off. From ransom-locking power companies to banks begging the SEC for mercy, this week’s cyber circus had more plot twists than a daytime soap. So grab your caffeine of choice, settle in, and let’s slice through the hype and hit the brass-tacks lessons you need before Monday rolls around.
🔥 Major Breaches & Ransomware
Nova Scotia Power — the ransomware that wouldn’t quit
A March intrusion snowballed into one of the ugliest utility breaches Canada has seen: 280,000 customer records grabbed, including SINs and ACH banking data. Even though grid operations stayed online (IT/OT segregation did its job), poor internal segmentation let crooks pivot through billing, HR, and call-center systems. Fallout is hitting the real world: one Halifax couple just lost CA$30,000 after scammers impersonated them at Manulife using breach data. Lesson: “names and addresses” are table stakes—treat the financial meta-data like plutonium.
City of Sheboygan, WI
Forensics finally wrapped on the October 31, 2024 Cohort hit: 67,947 residents’ SSNs, plate numbers, and state IDs walked out the door. One year of credit monitoring doesn’t feel like justice, but that’s what the city is offering.
MathWorks’ MATLAB meltdown
Ransomware encrypted backend servers on May 18, wrecking Cloud Center, License Center and more for millions of engineers. Most services are limping back, but MathWorks hasn’t named the gang or said whether data was stolen—never reassuring for an IP-heavy company.
Victoria’s Secret goes black
The lingerie giant yanked its entire U.S. web storefront and some in-store services after a “security incident.” Stock slid 7%. Early chatter points to the DragonForce cartel (which just torched Dior and Harrods) but VS isn’t talking. Taking a revenue engine completely offline tells you the hit landed squarely on transactional systems.
DragonForce ride-along via SimpleHelp
Sophos found the gang popping an MSP’s SimpleHelp RMM (three CVEs from January) and mass-pushing lockers to downstream clients—classic supply-chain ransomware. Translation: patch your providers, or their tools will patch you.
💰 Crypto & Cyber-crime
CETOS Protocol’s $223 M vaporization
A single vulnerable dependency let attackers drain liquidity from the $57 billion-volume DEX in minutes. CETOS dangled a $5 M bounty but so far the coins are washing through mixers. DeFi remains a bug bounty with no disclosure program.
Operation Endgame
Europol, FBI and friends carpet-bombed initial-access malware: 300 servers, 650 domains, 20 arrest warrants, $3.5 M seized, DanaBot crew gutted. The long game is to choke the reseller ecosystem that ransomware relies on.
Operation RapTor
Another global punch-up: 270 arrests, 144 kg of fentanyl off the streets, $184 M seized. Dark-web vendors learned—again—that Tor isn’t a magic cloak when the feds own exit nodes and shipping labels.
🐉 Nation-State & Espionage
China’s UAT-6382 hits Trimble Cityworks (CVE-2025-0994)
Since January the crew has been chaining a deserialization bug to drop AntSword/Behinder shells on U.S. municipal IIS servers—perfect staging for water-utility sabotage. Patch 15.8.9/23.10 or enjoy Beijing on your SCADA.
APT31 in Prague
Czech intelligence publicly outed Judgment Panda for a two-year crawl inside the Foreign Ministry’s unclassified net. Diplomatic fallout: ambassador summoned, NATO briefed, China shrugs. The EU is watching who follows Prague’s lead on attribution.
Killnet’s back, claims Ukrainian rail hack — still unverified, but a reminder that hacktivist fronts resurface whenever Moscow needs leverage.
⚖️ Regulation & Industry Moves
Wall Street v. the SEC
Five big-bank lobbies petitioned to scrap Item 1.05—arguing the four-day disclosure clock aids ransomware and muddies national-security gag orders. Expect legal slug-fest and maybe a congressional tweak instead of full repeal.
Oregon & Texas tighten kid-data screws
Oregon bans sale of precise geolocation outright (especially for <16), and Texas now forces app stores to age-verify and seek parental OK. Federal KOSA is still stuck, but states are sprinting ahead.
Apple’s fraud scorecard
Cupertino blocked $2 B in bogus App Store transactions last year, bringing the five-year total to $9 B; 1.9 M risky apps rejected in 2024 alone. Apple is basically an anti-fraud fintech that also sells phones.
Platform consolidation
Check Point is buying exposure-management outfit Veriti, and Zscaler is swallowing Red Canary to bolt MDR onto its zero-trust cloud. Vendors are racing to sell “prevention-first, AI-driven everything” before CFOs knife the 14th point product.
🧰 Supply-Chain & Tool Abuse
60 malicious npm packages funneling host names and IP details to Discord—typosquatting dev favorites. Clean your package.json like you clean your coffee mug (that is, actually clean it).
OneDrive OAuth over-permissive: third-party apps asking to upload one file get read rights to your entire drive. Disable unknown integrations and demand narrower scopes from Microsoft.
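A quick way to do that cleaning, as an added example (not from the newsletter or any of the vendors it mentions): scan a package.json for dependency names that are near-misses of well-known packages, folding the digit-for-letter and separator tricks typosquatters use. The allowlist and the sample package.json are constructed for the demo.

```python
"""Flag package.json dependencies that look like typosquats of well-known packages."""
import json
from difflib import SequenceMatcher

# Constructed allowlist of popular package names (illustrative; a real one would
# come from your lockfile history or an internal registry mirror).
KNOWN_PACKAGES = {"lodash", "express", "react", "axios", "chalk", "commander", "debug"}

# Constructed package.json for the demo: two doubled letters and one digit swap.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"lodash": "^4.17.21", "expresss": "1.0.2", "axi0s": "0.1.0"},
  "devDependencies": {"chalk": "^5.3.0", "reactt": "0.0.1"}
}"""

# Characters typosquatters commonly swap for look-alikes, plus separators they drop or add.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "-": "", "_": "", ".": ""})


def normalize(name: str) -> str:
    """Lower-case, drop separators and fold digit look-alikes before comparing."""
    return name.lower().translate(HOMOGLYPHS)


def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def suspicious_names(package_json_text: str, known=KNOWN_PACKAGES, threshold=0.8) -> dict:
    """Return {dependency: closest_known_name} for deps that are near-misses of a
    known name but are not that name; exact matches are trusted as-is."""
    doc = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(doc.get(section, {}))
    findings = {}
    for name in deps:
        if name in known:
            continue
        best = max(known, key=lambda k: similarity(name, k))
        if similarity(name, best) >= threshold:
            findings[name] = best
    return findings


if __name__ == "__main__":
    for dep, target in suspicious_names(SAMPLE_PACKAGE_JSON).items():
        print(f"suspicious: {dep!r} looks like {target!r}")
```

Legitimate variants such as lodash-es will also trip the threshold, so treat hits as review items and add confirmed variants to the allowlist.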
Bumblebee loader masquerades as ZenMap/WinMTR via SEO-poisoned domains—because admins will install malware if the installer has a nice logo.
9,000+ ASUS routers in ‘AyySSHush’ botnet — persistent SSH keys survive firmware flashes; looks nation-state-ish. Remote-worker policies need SOHO router patch baselines, yesterday.
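Checking for exactly that kind of leftover key, as an added example (not from the newsletter or from any of the research it cites): parse an authorized_keys file, compute each key’s SHA256 fingerprint the way ssh-keygen -lf prints it, and report every key whose fingerprint is not on an approved list. The two ed25519 keys are constructed from dummy bytes, and the sample file and its from= option are constructed too.

```python
"""Audit an authorized_keys file: flag keys whose fingerprint is not approved."""
import base64
import hashlib
import struct


def ed25519_blob(pubkey: bytes) -> str:
    """Build the base64 wire blob OpenSSH uses for an ed25519 public key."""
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey
    return base64.b64encode(wire).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (line_number, key_type, blob, comment); skips comments and blank
    lines and tolerates leading options such as from="..." (unquoted spaces
    inside an option value are not handled)."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                yield lineno, field, fields[i + 1], " ".join(fields[i + 2:])
                break


def alien_keys(text: str, approved: set) -> list:
    """Return [(line_number, comment, fingerprint)] for every key not in `approved`."""
    return [(n, c, fingerprint(b)) for n, _t, b, c in parse_authorized_keys(text)
            if fingerprint(b) not in approved]


# Constructed sample: one known admin key and one key nobody provisioned.
ADMIN_BLOB = ed25519_blob(bytes(range(32)))
UNKNOWN_BLOB = ed25519_blob(bytes(32))
SAMPLE_AUTHORIZED_KEYS = f"""# managed by IT
ssh-ed25519 {ADMIN_BLOB} admin@corp
from="203.0.113.5" ssh-ed25519 {UNKNOWN_BLOB} unknown-key
"""
APPROVED = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for lineno, comment, fp in alien_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"line {lineno}: unapproved key {fp} ({comment!r})")
```

Run it against the file pulled from each router after a firmware flash; any line it reports is a key that should not have survived.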
☎️ Social-Engineering Front
Silent Ransom Group (Chatty Spider) is cold-calling law firms, posing as internal IT, then walking them through “overnight maintenance” that exfiltrates docs. Callback phishing + vishing = ugly.
3AM ransomware revival abuses Windows Quick Assist and email bombing; drops Q-Door via throw-away VMs to dodge EDR. Train staff that Microsoft Support doesn’t phone you first.
🛡️ Patch & Defend Quick Hits
Firefox 139 fixes a critical libVPX double-free (CVE-2025-5262).
Chrome 137 closes 11 bugs, two high-severity RCEs. Update or browse at your own risk.
✅ Weekend Action List
Re-architect data lakes—separate billing, identity, and grid telemetry like your uptime depends on it (because it does).
Block typosquatted domains for common IT tools; audit allowed download sites.
Patch Cityworks (CVE-2025-0994) and SimpleHelp (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728).
Align incident-response disclosure timelines with both SEC rules and law-enforcement hold-back needs.
Scrub your npm and VS Code dependencies; institute package-signing gates.
Lock down Quick Assist and require secondary identity checks for any remote-support call.
Review OneDrive and OAuth scopes—least privilege isn’t optional.
Push router-firmware updates to remote staff and validate no alien SSH keys exist.
Track state privacy laws; if you serve minors, assume age-verification is coming to your state.