May 18, 2025

Cybersec Feeds Overview, May 12 - May 18, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Numerous advisories from CISA detailed multiple vulnerabilities across a wide range of Siemens Industrial Control Systems (ICS) products, including SIMATIC, SCALANCE, RUGGEDCOM, SIPROTEC, and others. These flaws pose risks such as remote code execution, authentication bypass, and denial of service, highlighting ongoing security challenges in operational technology environments. Organizations using these products are urged to review advisories and apply mitigations promptly.
  • Several vulnerabilities were reported as actively exploited and subsequently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by specified deadlines. Notable examples include CVE-2025-4664 (Google Chrome), CVE-2025-32756 (Fortinet), CVE-2025-4427/4428 (Ivanti EPMM), and multiple Microsoft zero-days (CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-30400, CVE-2025-32709). All organizations are strongly urged to prioritize remediation of these KEVs.
  • Microsoft’s May 2025 Patch Tuesday addressed 77 CVEs, including five actively exploited zero-days: CVE-2025-30397 (Scripting Engine RCE), CVE-2025-32701 & CVE-2025-32706 (CLFS EoP), CVE-2025-30400 (DWM Core Library EoP), and CVE-2025-32709 (AFD for WinSock EoP). The patches covered a wide range of products, emphasizing the need for prompt updates to mitigate significant risks.
  • Ransomware remains a significant threat with groups like LockBit (whose internal database was recently leaked), VanHelsing, Akira, DragonForce, and Qilin actively targeting organizations. Reports highlighted evolving tactics, including the Ransomware-as-a-Service (RaaS) model, targeting of Small and Medium-sized Businesses (SMBs), and specific industry focus. The leaked LockBit data provided insights into affiliate operations, victim communications, and ransom payment statistics.
  • The role of Artificial Intelligence in cybersecurity was a prominent theme, covering its use by attackers for creating sophisticated phishing, deepfakes (e.g., Storm-1516), and malware, as well as its application in defense for threat detection and response. Discussions also touched on securing AI models, ethical considerations, policy developments like the Singapore Consensus for trustworthy AI, and challenges related to AI-generated content and data privacy (e.g., Meta’s AI training).
  • Multiple campaigns highlight the continued prevalence of phishing and social engineering. These include spear-phishing by APT groups like Konni, email distribution of malware such as DBatLoader and Horabot, sophisticated phishing kits like Tycoon 2FA, and credential theft. Attackers also impersonate legitimate services and leverage disinformation to manipulate targets, emphasizing the need for robust email security and user awareness.
  • Vulnerabilities in Industrial Control Systems (ICS) and Operational Technology (OT) continue to be a major concern, with numerous advisories detailing flaws in Siemens products. The broader ICS threat landscape shows persistent risks, with specific sectors like biometrics being targeted. These vulnerabilities can lead to severe consequences, including operational disruption and safety hazards if exploited.

Critical Vulnerabilities

  • Google Chrome versions prior to 136.0.7103.113/.114 (Windows/Mac) and 136.0.7103.113 (Linux) contain vulnerabilities CVE-2025-4664 (insufficient policy enforcement in Loader) and CVE-2025-4609 (incorrect handle in Mojo), which could allow arbitrary code execution. CVE-2025-4664 is actively exploited and has been added to CISA’s KEV catalog. Successful exploitation could allow an attacker to install programs, modify data, or create new accounts with full user rights. Users are urged to update immediately.
  • Ivanti Endpoint Manager Mobile (EPMM) is affected by an actively exploited vulnerability chain involving CVE-2025-4427 (authentication bypass, CVSS 5.3) and CVE-2025-4428 (authenticated RCE, CVSS 7.2). Successful unauthenticated RCE can be achieved by chaining these flaws. Affected versions include 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior. Ivanti has released patches and these CVEs are on CISA’s KEV list.
  • Fortinet products, including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera, are affected by CVE-2025-32756 (CVSS 9.6), an unauthenticated stack-based buffer overflow allowing remote code execution. Fortinet has confirmed active exploitation of this vulnerability in FortiVoice appliances. Patches are available, and CISA has added this to its KEV catalog. Organizations should update affected products immediately.
  • Microsoft’s May 2025 Patch Tuesday addressed 77 vulnerabilities, including five actively exploited zero-days: CVE-2025-30397 (Scripting Engine RCE), CVE-2025-32701 & CVE-2025-32706 (Common Log File System Driver EoP), CVE-2025-30400 (DWM Core Library EoP), and CVE-2025-32709 (Ancillary Function Driver for WinSock EoP). These affect various Windows versions and components; immediate patching is critical.
  • Multiple Adobe products, including ColdFusion (CVE-2025-43559, CVE-2025-43560, CVE-2025-43561, etc.), Photoshop, Lightroom, Dreamweaver, Connect, InDesign, Animate, Illustrator, Bridge, and various Substance 3D tools, received patches for critical vulnerabilities. The most severe could lead to arbitrary code execution. Adobe ColdFusion vulnerabilities are rated Priority 1 for patching, although no active attacks were noted at release.
  • Siemens released advisories for numerous Industrial Control Systems (ICS) products. For instance, SIMATIC IPC RS-828A (CVE-2024-54085) has a critical authentication bypass (CVSS 10.0). SCALANCE LPE9403 faces multiple vulnerabilities including command injection and path traversal. RUGGEDCOM ROX II devices (CVE-2025-32469, CVE-2025-33024) have command injection flaws. These vulnerabilities could lead to RCE, unauthorized access, or DoS.
  • Google Android OS is affected by multiple vulnerabilities, with the most severe (CVE-2025-27363 in System) allowing remote code execution without additional privileges. Numerous elevation of privilege flaws exist in Framework and System components (e.g., CVE-2025-0077, CVE-2025-26420). Patches also address issues in Google Play system updates and components from Arm, Imagination Technologies, MediaTek, and Qualcomm.

Major Incidents

  • Ascension, a major US healthcare provider, confirmed a data breach affecting approximately 437,329 patients. Exposed data includes names, Social Security numbers, dates of birth, diagnostic codes, and billing information. The breach is potentially linked to the Clop ransomware group exploiting a vulnerability in third-party software (Cleo) used by a business partner of Ascension.
  • Cryptocurrency exchange Coinbase reported a security incident where attackers bribed international support staff to access and steal customer Personally Identifiable Information (PII) and other sensitive data, affecting less than 1% of its monthly users. The attackers attempted to extort Coinbase for $20 million. Coinbase refused to pay and instead offered a $20 million bounty for information leading to the arrest and conviction of the perpetrators.
  • The LockBit ransomware group’s infrastructure was compromised, leading to the leak of an internal database from April 2025. This breach exposed extensive details about their Ransomware-as-a-Service (RaaS) operations, including 75 affiliate accounts, 246 victim organization chat logs, nearly 600 potential targets, ransom payment records, and cryptocurrency wallet addresses. The leak provides significant intelligence on the group’s inner workings.
  • Several UK organizations reported cyberattacks. The UK’s Legal Aid Agency suffered an incident potentially exposing financial information of legal aid providers. Education company Pearson disclosed a January 2025 breach exposing legacy customer data, attributed to an exposed GitLab token. Retailer Marks & Spencer confirmed customer data was stolen in a cyberattack, necessitating password resets for affected users.
  • Multiple entities faced operational disruptions due to cyber incidents. Medical device manufacturer Masimo was hit by a cyberattack in April, affecting its ability to process, manufacture, and ship orders. South African Airways experienced a cyberattack that disrupted its website, mobile app, and some internal systems. Coweta County’s school district in Georgia also reported a cyberattack causing disruptions to some functionalities.
  • Alleged hacktivist activity targeted Indian and Pakistani entities. The hacker group ‘Pakistan Cyber Force’ claimed responsibility for hacking and defacing several Indian defense websites, potentially exposing sensitive data. Separately, Karachi Port Trust in Pakistan claimed its X (formerly Twitter) account was hacked after a post regarding an Indian Navy strike, amidst heightened tensions between the two countries.

Emerging Threats

  • The Türkiye-affiliated espionage actor Marbled Dust (also tracked as Sea Turtle/UNC1326) exploited a zero-day directory traversal vulnerability (CVE-2025-27920) in the Output Messenger chat application. This campaign targeted Kurdish military entities in Iraq to exfiltrate user data. This attack indicates an increase in the technical sophistication of Marbled Dust, known for targeting government institutions and critical sectors in Europe and the Middle East.
  • China-nexus nation-state Advanced Persistent Threats (APTs) including UNC5221, UNC5174, and CL-STA-0048, have been exploiting CVE-2025-31324, an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This allows for Remote Code Execution (RCE) and has been used in high-tempo campaigns against critical infrastructure networks globally. Attackers were observed conducting mass scanning and deploying web shells.
  • North Korean APT groups continue active campaigns. The Lazarus group conducted ‘Operation SyncHole,’ a watering hole attack exploiting vulnerabilities in South Korean software (Innorix Agent, Cross EX) to breach at least six industrial organizations, using malware like ThreatNeedle and SIGNBT. The Konni group impersonated South Korean government agencies in spear-phishing attacks against NGOs, using LNK files and AutoIT scripts.
  • The Russia-aligned Sednit group (APT28/Fancy Bear) conducted ‘Operation RoundPress,’ targeting webmail software used by governmental organizations in Ukraine and defense contractors in the EU. The operation abused Cross-Site Scripting (XSS) vulnerabilities to steal email account credentials and other sensitive information, aiming to gain long-term access to victims’ mailboxes.
  • New malware variants and sophisticated distribution techniques are emerging. DBatLoader (ModiLoader) is being distributed via emails impersonating Turkish banks to deploy SnakeKeylogger. DarkCloud Stealer campaigns are leveraging AutoIt obfuscation and file-sharing servers. The Chaos ransomware family, known for its destructive capabilities, is evolving with new variants targeting Windows and Linux systems across critical sectors.
  • Threat actors are employing advanced C2 evasion techniques. The Fast Flux technique, which rapidly changes IP addresses mapped to a domain, is used to hide C2 infrastructure. Another emerging method is Etherhide, which utilizes blockchain smart contracts (e.g., on Ethereum) as a resilient and anonymous C2 channel, making it difficult to track and block using traditional methods.
  • The pro-Kremlin disinformation group Storm-1516 allegedly amplified a fabricated story on X (formerly Twitter), falsely claiming European leaders used drugs while traveling to Kyiv for peace talks. This operation, aimed at undermining European support for Ukraine, reportedly utilized AI-generated or manipulated media. The incident highlights the growing use of AI in disinformation campaigns targeting political figures and international relations.
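A defender-side heuristic for the Fast Flux technique described above, added here as an example that is not code from the brief or from any tool it mentions: it reads constructed resolver log lines and flags domains whose answers rotate across many IPs and /24 subnets with short TTLs. The log format, thresholds and sample domain names are assumptions.

```python
"""Heuristic fast-flux detector over resolver logs. Added example, not code from
the brief or any tool it mentions; the log format and sample lines are constructed.
Fast flux rotates the addresses behind a domain quickly with short TTLs, so a
domain whose answer set churns faster than ordinary hosting stands out."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <qname> <answer IP> <ttl seconds>"
SAMPLE_LOG = """\
2025-05-12T10:00:00 cdn.example-host.test 203.0.113.10 3600
2025-05-12T11:00:00 cdn.example-host.test 203.0.113.11 3600
2025-05-12T10:00:00 update-check.flux.test 198.51.100.5 60
2025-05-12T10:01:10 update-check.flux.test 198.51.100.77 60
2025-05-12T10:02:20 update-check.flux.test 192.0.2.14 60
2025-05-12T10:03:30 update-check.flux.test 192.0.2.201 60
2025-05-12T10:04:40 update-check.flux.test 203.0.113.99 60
"""

def parse_log(text):
    """Aggregate per-domain answer IPs, TTLs and observation timestamps."""
    stats = defaultdict(lambda: {"ips": set(), "ttls": [], "times": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, ip, ttl = line.split()
        s = stats[qname]
        s["ips"].add(ip)
        s["ttls"].append(int(ttl))
        s["times"].append(datetime.fromisoformat(ts))
    return stats

def subnet24(ip):
    return ".".join(ip.split(".")[:3])

def analyse(s, window=timedelta(hours=1)):
    """Distinct IPs per window, median TTL and /24 diversity for one domain."""
    span = max(s["times"]) - min(s["times"])
    windows = max(span / window, 1.0)  # a short observation must not inflate the rate
    ttls = sorted(s["ttls"])
    return {
        "ips_per_window": len(s["ips"]) / windows,
        "median_ttl": ttls[len(ttls) // 2],
        "subnets": len({subnet24(ip) for ip in s["ips"]}),
    }

def detect_fast_flux(text, min_ips=5, max_ttl=300, min_subnets=3):
    """Return {domain: metrics} for domains meeting all three flux heuristics."""
    flagged = {}
    for qname, s in parse_log(text).items():
        m = analyse(s)
        if (m["ips_per_window"] >= min_ips and m["median_ttl"] <= max_ttl
                and m["subnets"] >= min_subnets):
            flagged[qname] = m
    return flagged
```

Legitimate CDNs also spread answers across networks, so the TTL and subnet conditions are what keep the rate heuristic from flagging them; tune the thresholds against your own resolver baseline.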

Regulatory and Policy Updates

  • Consensus is forming in the U.S. Congress to reauthorize the Cybersecurity Information Sharing Act (CISA) of 2015 before its September expiration. Lawmakers and industry stakeholders advocate for a ‘clean’ reauthorization to maintain legal protections for voluntary cyber threat information sharing between private entities and the government. Any potential updates or amendments to the law are expected to be discussed after its reauthorization to avoid a lapse.
  • NIST continues to develop and refine cybersecurity guidelines for Internet of Things (IoT) devices, driven by the IoT Cybersecurity Improvement Act of 2020. These efforts include foundational documents like NIST IR 8259, which outlines recommended cybersecurity activities for IoT device manufacturers. The goal is to manage and secure the increasing number of internet-connected physical devices effectively, particularly those used by the federal government.
  • The U.S. Consumer Financial Protection Bureau (CFPB) has withdrawn a proposed 2024 rule aimed at limiting the sale of Americans’ sensitive personal and financial information by data brokers. The agency stated that legislative rulemaking is not currently necessary. This decision has drawn criticism from consumer advocacy groups concerned about ongoing risks from data broker practices, such as the sale of PII for potential misuse.
  • The U.S. Federal Trade Commission (FTC) is seeking additional resources, including specialized software, personnel, and secure infrastructure, to enforce the newly passed Take It Down Act. This law targets nonconsensual deepfake pornography, requiring platforms to remove such content within 48 hours of notification. The FTC highlighted challenges in dealing with explicit material and international offenders.
  • Privacy advocacy group NOYB has issued a cease and desist letter to Meta concerning its plans to use European users’ data for training its AI models. NOYB argues that Meta’s reliance on ‘legitimate interests’ instead of explicit opt-in consent violates GDPR. Concerns include the inability to enforce data subject rights like erasure once AI models are trained and the difficulty in differentiating data usage for users who opt-out versus those who do not.
  • The UK’s National Cyber Security Centre (NCSC) published research on incentivizing secure-by-design technology. Concurrently, the Department for Science, Innovation and Technology (DSIT) released a policy paper promoting CHERI (Capability Hardware Enhanced RISC Instructions) technology to enhance cybersecurity, supported by innovation funding contracts. These initiatives aim to improve the baseline security of technology products.
  • CISA announced an intended change to its communication strategy, planning to use social media and email for cybersecurity updates and new guidance, reserving its Cybersecurity Alerts & Advisories webpage for urgent emerging threats. However, CISA paused these immediate changes after receiving community feedback and is reassessing the best approach to share information with stakeholders.

Security Operations

  • Google is enhancing Android security with an ‘Advanced Protection’ mode in Android 16, aimed at high-risk users. This mode activates robust security features like enhanced app scanning and network threat protection. Additionally, new in-call scam protections will warn users and block risky actions like disabling Google Play Protect or sideloading apps during calls with non-contacts, with a pilot program for banking apps in the UK.
  • Microsoft’s Secure Future Initiative (SFI) is heavily focused on implementing Zero Trust principles across its products and services. The initiative aims to revolutionize design, building, testing, and operation processes to meet high security standards. This provides a practical example for organizations adopting Zero Trust, emphasizing continuous verification, least privilege, and assuming breach.
  • Tenable introduced new Tenable One connectors, enabling its exposure management platform to ingest data from a wide range of third-party security tools. This aims to provide a unified view of assets and exposures across an organization’s attack surface. Coupled with customized risk dashboards, these enhancements are designed to improve risk prioritization and streamline decision-making for security teams.
  • Sysdig announced general availability of its Serverless Agent for Google Cloud Run and Azure Container Apps, extending runtime security capabilities to these serverless platforms. Additionally, Sysdig introduced Advanced Network Exposure, a graph-powered feature to analyze and identify multi-path network exposures in cloud environments, enhancing risk assessment accuracy.
  • Cloudflare, as a CVE Numbering Authority (CNA) and signatory to CISA’s Secure by Design pledge, detailed its vulnerability disclosure process. The company issues CVEs for vulnerabilities in its open-source software and distributed closed-source products, emphasizing transparency, real-world exploitability, and impact assessment. This contributes to broader industry understanding and proactive security practices.
  • The European Union Agency for Cybersecurity (ENISA) published a “Handbook for Cyber Stress Tests.” This guide defines cyber stress tests as targeted assessments of organizational resilience against significant cybersecurity incidents, focusing on the ability to withstand and recover critical services. The handbook provides methodologies for testing preparedness and recovery measures using resilience metrics.
  • Security tool updates include Frida 17, a dynamic instrumentation toolkit, and the parity release of Volatility 3, a memory forensics framework. Additionally, xorsearch.py, a tool for finding XOR-encoded text in files, has been updated with Python function support for filtering. These tools are valuable for malware analysis, reverse engineering, and incident response.

Wins

  • The Pwn2Own Berlin 2025 competition resulted in the successful demonstration and disclosure of 28 unique zero-day vulnerabilities. Contestants targeted various platforms, including AI systems (NVIDIA Triton Inference Server, Chroma, Redis), enterprise software (Microsoft SharePoint, VMware ESXi), operating systems (Windows 11, Red Hat Linux), and web browsers. STAR Labs SG was crowned Master of Pwn, and total payouts reached $1,078,750.
  • Cybersecurity firm Proofpoint announced its definitive agreement to acquire Hornetsecurity Group, a German provider of Microsoft 365 security services. The deal, reportedly valued at over $1 billion, aims to enhance Proofpoint’s offerings for small and mid-sized businesses (SMBs) and managed service providers (MSPs) globally, particularly strengthening its European presence. This acquisition is Proofpoint’s largest to date.
  • A U.S. jury ordered Israeli spyware firm NSO Group to pay $167 million in punitive damages to WhatsApp, owned by Meta. The lawsuit stemmed from NSO Group’s exploitation of a WhatsApp vulnerability to deploy its Pegasus spyware, hijacking thousands of user accounts. This verdict represents a significant legal victory against commercial spyware vendors.
  • Four hackers were arrested in connection with a global botnet operation that infected older wireless internet routers. The cybercriminals used Anyproxy and 5socks malware to reconfigure these routers without the owners’ knowledge, subsequently selling access to the compromised devices and generating millions in illicit revenue. The arrests mark a step in dismantling such large-scale botnet infrastructures.
  • The State of Texas secured a $1.375 billion settlement from Google in lawsuits related to consumer data privacy. The lawsuits alleged that Google improperly collected users’ geolocation data even when settings were disabled and was not transparent about data collection in Incognito mode. This settlement is one of the largest against a Big Tech company concerning privacy violations.
  • A Florida legislative bill that proposed requiring encryption backdoors for social media accounts failed to pass. This development is considered a positive outcome by privacy advocates and supporters of strong encryption, as it prevents a mandate that could have weakened overall digital security and user privacy.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created by BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.