Cyber News Roundup for May 23, 2025
Resecurity and Starlink Announce Strategic Cybersecurity Partnership
Resecurity, a global cybersecurity leader, has partnered with Starlink to expand advanced threat intelligence and cybersecurity solutions across the Middle East and Africa. The collaboration aims to enhance regional cybersecurity capabilities by providing cutting-edge technologies and expertise. This strategic alliance reflects a growing emphasis on international cooperation to address evolving cyber threats.
Ransomware attack on food distributor spells more pain for UK supermarkets
UK food distributor Peter Green Chilled says it was hit by a ransomware attack on May 14th, disrupting operations and deliveries to major supermarkets. New orders were paused, potentially causing significant losses for small suppliers. Experts warn of increasing cyber threats targeting the UK retail supply chain’s operational systems.
South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware
The SideWinder APT group has launched a targeted cyber-espionage campaign against government institutions in Sri Lanka, Bangladesh, and Pakistan. Using spear-phishing emails and geofenced malware payloads, the attackers exploited outdated Microsoft Office vulnerabilities to deliver the StealerBot malware, a .NET-based tool that captures sensitive data such as keystrokes, passwords, and screenshots. The campaign's targeting was highly precise and selective, reflecting SideWinder's ongoing and methodical activity in the region.
SK Telecom says malware breach lasted 3 years, impacted 27 million numbers
South Korea’s SK Telecom reported a nearly three-year-long undetected malware breach, beginning June 2022, which compromised sensitive SIM data of nearly 27 million customers, including authentication keys and contact information, elevating SIM-swapping risks. The company is replacing SIMs, blocking unauthorized device changes, and accepting responsibility for resulting damages. Investigations identified 25 malware types on 23 servers, but the full scope of data loss is uncertain due to limited early logging.
Researchers from CISA and NIST promote a new metric to better predict actively exploited software flaws
Researchers from CISA and NIST have introduced a new metric called Likely Exploited Vulnerabilities (LEV) to better predict which software flaws are being actively exploited. Developed by Peter Mell (NIST) and Jonathan Spring (CISA), LEV uses equations that combine data from the Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV) lists, and key dates tied to each vulnerability. The goal is to improve patch prioritization by estimating the probability that a flaw has been exploited. Unlike KEV or EPSS alone—which can be incomplete or inaccurate—LEV helps fill gaps by identifying high-risk vulnerabilities that might be overlooked. It can also gauge how comprehensive KEV lists really are. NIST is now seeking industry partners to test and refine LEV with real-world data.
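As an added illustration (not code from the NIST/CISA paper or from this roundup), the following Python sketch shows the idea behind LEV: composing a vulnerability's successive 30-day EPSS scores into the probability that it was exploited at some point in a date range, then using those probabilities to score how complete a KEV list is. The composition formula, the CVE ids, the EPSS values and the KEV membership are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

WINDOW = 30  # an EPSS score is the probability of exploitation in the next 30 days

# Constructed EPSS histories (publication date, score) for hypothetical CVE ids;
# the values are invented for illustration, real ones come from FIRST's EPSS feed.
EPSS_HISTORY = {
    "CVE-0000-00001": [("2025-01-01", 0.02), ("2025-01-31", 0.05), ("2025-03-02", 0.40)],
    "CVE-0000-00002": [("2025-01-01", 0.01)],
    "CVE-0000-00003": [("2025-01-01", 0.90)],
}
KEV = {"CVE-0000-00002"}  # constructed KEV membership for the same hypothetical ids


def epss_on(cve, day):
    """Most recent EPSS score published on or before `day` (0.0 if none yet)."""
    score = 0.0
    for published, value in EPSS_HISTORY.get(cve, []):
        if date.fromisoformat(published) <= day:
            score = value
    return score


def lev(cve, d0, dn):
    """Probability the flaw was exploited at least once in [d0, dn).

    Assumed LEV-style composition: sample EPSS every 30 days from d0, treat each
    window as an independent chance of exploitation, scale the last window by
    weight/30 when dn cuts it short, and take 1 - product of the "not exploited" terms.
    """
    start, end = date.fromisoformat(d0), date.fromisoformat(dn)
    p_not_exploited, day = 1.0, start
    while day < end:
        weight = min(WINDOW, (end - day).days)
        p_not_exploited *= 1.0 - epss_on(cve, day) * weight / WINDOW
        day += timedelta(days=WINDOW)
    return 1.0 - p_not_exploited


def composite(cve, d0, dn):
    """Patch-priority score: 1.0 if already in KEV, else the larger of LEV and current EPSS."""
    if cve in KEV:
        return 1.0
    return max(lev(cve, d0, dn), epss_on(cve, date.fromisoformat(dn)))


def kev_coverage(cves, d0, dn):
    """Rough KEV comprehensiveness: listed count / expected number actually exploited.

    The sum of LEV over all flaws is the expected count of exploited ones, so comparing
    it with how many are listed hints at what the KEV list is missing (assumed reading).
    """
    expected = sum(lev(c, d0, dn) for c in cves)
    listed = sum(1 for c in cves if c in KEV)
    return listed / expected if expected else float("nan")
```

Over the constructed three-month range the first flaw, never listed in KEV, still reaches an exploitation probability above 0.44, which is the kind of overlooked high-risk entry the article says LEV is meant to surface.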
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
KrebsOnSecurity reports it was hit by a 6.3 Tbps DDoS attack on May 12th, likely a test of the Aisuru Internet of Things botnet. The attack lasted less than a minute but was clocked as the largest ever mitigated by Google’s Project Shield. Aisuru, built from hijacked IoT devices compromised with zero-day exploits, has been linked to a known figure named “Forky.” Forky denies involvement in the attack and now claims to focus on his hosting business, Botshield.
Mobile carrier Cellcom confirms cyberattack behind extended outages
Cellcom, a Wisconsin-based mobile carrier, confirmed a cyberattack was behind the widespread outages that began on May 14, 2025, disrupting voice and SMS services across Wisconsin and Upper Michigan. The company initially described it as a technical issue but later acknowledged the cyber incident, stating sensitive customer data wasn’t impacted. Cellcom is working with the FBI and cybersecurity experts to restore service, which it aims to complete by the end of the week.
Chinese Hackers Deploy ‘MarsSnake’ Backdoor in Saudi Arabia
The threat actor “UnsolicitedBooker,” a China-aligned group, used a novel backdoor named MarsSnake in a multi-year espionage campaign against an unnamed international organization in Saudi Arabia, and the malware remained undetected for years. Threat hunters have now exposed the group’s tactics. The MarsSnake backdoor provides persistent access and data exfiltration. The campaign highlights the sophistication and stealth of state-sponsored cyber espionage operations, and security experts recommend that organizations strengthen their threat detection capabilities to identify such advanced persistent threats.
Delta Air Lines Lawsuit Against CrowdStrike Proceeds
A Georgia judge ruled that Delta Air Lines can proceed with its lawsuit against CrowdStrike over a July 2024 outage that led to 7,000 flight cancellations. Delta alleges gross negligence, saying the outage was caused by a defective update to CrowdStrike’s Falcon software that crashed over 8 million Microsoft Windows-based computers globally. Delta estimates the outage resulted in $550 million in losses, with only $50 million recouped through fuel savings. The judge also allowed Delta to pursue claims of computer trespass and a narrowed fraud claim relating to unauthorized software access. CrowdStrike expressed confidence that the case lacks merit or would result in minimal damages under Georgia law. Delta filed the lawsuit three months after the incident.
(Reuters)
Researchers track increased malicious targeting of iOS devices
A new report from Zimperium warns that iOS devices, often seen as secure, are increasingly targeted through sideloaded and unvetted apps. Attackers exploit flaws in iOS using tools like TrollStore, SeaShell, and vulnerabilities such as MacDirtyCow and KFD to bypass Apple’s protections. These apps may appear benign but can exfiltrate data or compromise devices without detection. Zimperium found over 40,000 apps using private entitlements and 800+ using private APIs, posing serious risks. Organizations—especially in regulated sectors—must adopt stricter app vetting, monitor permissions, and detect sideloaded apps. Zimperium urges proactive defenses to counter these threats. The takeaway: just because an app runs on iOS doesn’t mean it’s safe—its behavior and origin matter more than its appearance.
(Hackread)
A popular printer brand serves up malware
If you’ve bought a UV inkjet printer from the brand Procolored recently, you might want to scan your system for malware. YouTuber Cameron Coward, known for his DIY tech reviews, first raised the alarm while reviewing a $6,000 printer. His antivirus flagged threats on the included USB—specifically a worm and Floxif, a file infector. When Procolored dismissed this as a false positive, Coward turned to Reddit, catching the attention of cybersecurity firm G Data. Their investigation found malware, including a backdoor and a crypto-stealing Trojan called SnipVex, in official Procolored software downloads. G Data traced around $100,000 in stolen Bitcoin linked to SnipVex. Procolored later admitted malware might have been introduced via USB and has since cleaned up its downloads. Experts now urge users to scan their systems and consider full reinstallation if infected.
(Neowin)
NATO hosts the world’s largest cyber defense exercise
Earlier this week, the NATO Cooperative Cyber Defence Centre of Excellence hosted Locked Shields 2025, the world’s largest cyber defense exercise, in Tallinn, Estonia. Around 4,000 experts from 41 countries participated remotely, simulating the defense of over 8,000 systems against thousands of cyberattacks. The event, which began in 2010 with just four nations, now features advanced challenges, including AI-driven narratives and quantum computing scenarios. Teams also tackled legal, strategic, and disinformation challenges. While Germany-Singapore, Poland-France, and Italy-Slovenia-U.S. teams scored highest, organizers stressed scores don’t reflect overall national readiness. The exercise, planned by 450 experts and 25 industry partners, highlights growing global focus on cyber resilience. Looking ahead, 2026 will expand cloud infrastructure and introduce Critical Special Systems to further bolster national defense capabilities.
(SecurityWeek)
Hackers use a new fileless technique to deploy Remcos RAT
Hackers are using a new fileless technique to deploy Remcos RAT malware through a PowerShell-based loader, bypassing Windows Defender. The attack begins with a malicious ZIP file containing a spoofed LNK shortcut. When opened, it triggers an obfuscated script that alters registry settings for persistence and injects multiple payloads, including Remcos V6.0.0 Pro. This updated version adds idle-time tracking and infected host management. Researchers stress monitoring for LNK files, PowerShell misuse, and registry changes to detect and prevent such threats.
(SC Media)
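To make the detection advice concrete, here is an added Python example (not from SC Media or the researchers cited) that correlates the chain described above over constructed Sysmon-style events: a PowerShell process spawned by explorer.exe, as happens when a user opens a shortcut, with hidden-window, policy-bypass or encoded-command flags, followed by a write to an autorun registry key. The event fields, pids, paths, the base64 blob and the choice of the Run key as the persistence location are assumptions for illustration.

```python
import re
from ntpath import basename  # splits Windows paths correctly even on non-Windows hosts

# Constructed Sysmon-style events for one host (Event 1 = process create, Event 13 =
# registry value set). Paths, pids and the base64 blob are invented for illustration.
EVENTS = [
    {"id": 1, "pid": 4177, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"id": 13, "pid": 4177, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "pid": 4210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Backup\agent.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

# Command-line traits of an obfuscated loader launched from a shortcut.
CMD_INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"(?i)\s-e(?:xecution)?p(?:olicy)?\s+bypass"),
}
# Assumed persistence location: the per-user / machine autorun keys.
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def detect(events):
    """Return {pid: sorted indicator names} for PowerShell processes that show at
    least two of: launch from explorer.exe (how an opened .lnk spawns its target),
    suspicious command-line flags, and a write to an autorun registry key."""
    findings = {}
    for ev in events:
        if basename(ev["image"]).lower() not in POWERSHELL:
            continue
        hits = findings.setdefault(ev["pid"], set())
        if ev["id"] == 1:
            if basename(ev["parent"]).lower() == "explorer.exe":
                hits.add("launched_from_explorer")
            hits.update(name for name, rx in CMD_INDICATORS.items() if rx.search(ev["cmd"]))
        elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            hits.add("run_key_persistence")
    return {pid: sorted(h) for pid, h in findings.items() if len(h) >= 2}
```

Requiring two independent indicators keeps the scheduled backup script in the sample (pid 4210) from alerting while the shortcut-launched loader (pid 4177) trips all five.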
Ransomware groups target the undefended space between IT and OT
In an interview with The Register, Timothy Conway, technical director of the SANS Institute’s industrial control systems (ICS) programs, says ransomware gangs focus on the systems that sit between classic IT systems running core business applications and the operational technology (OT) that drives heavy industrial infrastructure. As an example, Conway suggests what might happen if jet fuel was diverted into a home heating oil pipeline. He added, “all businesses have these middle systems, and encrypting them isn’t as difficult as developing ransomware to target OT.” Victims of such attacks, he says, are more likely to pay the extortion demands. SANS stands for SysAdmin, Audit, Network, and Security; it is a training, research and certification organization.