Cyber News Roundup for May 9, 2025
In this week’s cyber news, we dive into a mix of headline events and critical cybersecurity updates that reveal the growing complexities of modern threats. From a lawsuit over a Deutsche Bank server-room breach to nations seeking independence from U.S. cloud providers, it’s clear that the global digital landscape is shifting. We also explore the latest DDoS-for-hire takedowns, critical infrastructure attacks, and new vulnerabilities that demand immediate attention. As always, RedSeal remains committed to helping organizations proactively manage their attack surface, stay ahead of evolving threats, and maintain resilience in an increasingly unpredictable cyber world.
Server room shenanigans, with romance, retaliation, and root access
A former IT manager is suing Deutsche Bank and its contractor Computacenter, alleging they let a security breach slide right under their noses… and into their server rooms. According to James Papa, a fellow IT worker brought his girlfriend—an unauthorized Chinese national with tech skills—into Deutsche Bank’s most sensitive tech areas multiple times. “Jenny,” as she’s called, allegedly accessed secure systems with a contractor laptop, all while Papa was offsite. When he reported it, rather than earning a promotion, Papa got the boot. No action was taken against the lovebirds, who later vacationed in China. Now Papa is suing for $20 million, claiming whistleblower retaliation and a good old-fashioned cover-up. As for Deutsche Bank and Computacenter? Mum’s the word. Because nothing says ‘robust cybersecurity’ like bring-your-girlfriend-to-work day in the server room. (GB Hackers)
Nations look for alternatives to U.S. cloud providers
Instability and uncertainty in the U.S. have triggered global demand for alternatives to U.S. cloud dominance. Europe is seeking digital sovereignty through a strategy that moves beyond simply replicating Amazon, Google, or Microsoft. The goal is to build a viable European cloud ecosystem that’s not only technically credible, but politically and economically independent. This means reducing dependency on proprietary U.S. services, investing in open-source software tailored for cloud infrastructure, and supporting European service providers. Governments play a critical role by funding development, shaping procurement policies, and enforcing privacy laws like GDPR to prioritize local solutions. While Europe already has strong hosting and networking players, transitioning them into full-service cloud providers requires new business models and technical capabilities. The plan resembles building digital “railroads”—laying the foundation for others to innovate upon. This initiative, echoed by concerns in Canada, Australia, and New Zealand, represents a broader global desire to break free from U.S. tech hegemony and establish trusted, local control over critical infrastructure. (Bert Hubert)
Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks
Europol shut down six DDoS-for-hire services—cfxapi, cfxsecurity, neostress, jetstress, quickdown, and zapcut—linked to global attacks on schools, businesses, and government sites. Polish authorities arrested four suspects, and the U.S. seized nine related domains. These platforms let users launch attacks for as little as €10 via sleek interfaces. QuickDown, one of the services, combined botnets and dedicated servers to scale operations. (The Hacker News)
NIST loses key cyber experts in standards and research
The National Institute of Standards and Technology (NIST) is experiencing significant staffing losses, with over 20% of its Computer Security Division’s federal employees departing due to early retirement offers and buyouts. Notably, Matthew Scholl, the division chief, and other key leaders have left, raising concerns about the continuity of NIST’s critical cybersecurity initiatives. These departures threaten to disrupt NIST’s efforts in standardizing post-quantum cryptographic algorithms, essential for safeguarding data against future quantum computing threats. Experts warn that the loss of institutional knowledge could impede NIST’s ability to provide timely and effective cybersecurity guidance to industry and government partners. The agency’s capacity to address emerging challenges in quantum computing and artificial intelligence may be compromised, necessitating new leadership to sustain its pivotal role in national cybersecurity. (Cybersecurity Dive)
Masimo says cyberattack has impacted its ability to fulfill orders
Masimo, maker of patient monitoring devices, is investigating an April cyberattack that disrupted its manufacturing systems and ability to fulfill orders. The company says its on-premises systems were affected, but there’s no evidence the attack reached its cloud infrastructure. Masimo says it’s working with law enforcement and third-party experts and does not expect the incident to impact its 2025 earnings guidance. (Cybersecurity Dive)
CISA warns of hackers targeting critical oil infrastructure
CISA, alongside the FBI, EPA, and Department of Energy, has issued a joint advisory warning that unsophisticated cyber actors are actively targeting industrial control systems (ICS) and SCADA systems in the U.S. oil and gas sector. These attackers—likely hacktivists—exploit poor cyber hygiene using basic tools like default credentials, brute force attacks, and misconfigured remote access. Despite their simplicity, such intrusions can lead to serious consequences including system shutdowns or physical damage. CISA urges asset owners to immediately remove OT systems from the public internet, enforce strong passwords and phishing-resistant MFA, secure remote access, segment networks, and prepare for manual operations. The alert also stresses reviewing third-party access and system configurations. This follows recent warnings about critical vulnerabilities in ICS devices from major manufacturers. (Bleeping Computer)
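The advisory’s first two techniques, default credentials and brute force against exposed remote access, leave a recognisable trace in authentication logs. The following is an added example, not part of the CISA advisory or any vendor tool: it runs a sliding-window password-guessing detector over a handful of constructed sshd-style log lines (the hostnames, IPs and account names are made up) and flags source addresses that rack up failures, note whether a success followed, and whether the accounts tried are common vendor/default names. The threshold, window and default-account list are assumptions to tune for your environment.

```python
"""Added example: detect password guessing against a remote-access service
from constructed auth log lines. Not from the CISA advisory or any product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). A jump host for OT remote access
# logging in OpenSSH's format: five quick failures then a success from one source,
# and two slow, unrelated failures from another.
SAMPLE_LOG = """\
2025-05-06T02:10:01Z vpn-gw sshd[411]: Failed password for admin from 203.0.113.7 port 51322
2025-05-06T02:10:03Z vpn-gw sshd[411]: Failed password for admin from 203.0.113.7 port 51323
2025-05-06T02:10:05Z vpn-gw sshd[411]: Failed password for operator from 203.0.113.7 port 51324
2025-05-06T02:10:06Z vpn-gw sshd[411]: Failed password for root from 203.0.113.7 port 51325
2025-05-06T02:10:08Z vpn-gw sshd[411]: Failed password for admin from 203.0.113.7 port 51326
2025-05-06T02:10:09Z vpn-gw sshd[411]: Accepted password for admin from 203.0.113.7 port 51327
2025-05-06T02:30:00Z vpn-gw sshd[412]: Failed password for jsmith from 198.51.100.4 port 40001
2025-05-06T03:30:00Z vpn-gw sshd[413]: Failed password for jsmith from 198.51.100.4 port 40002
"""

# Assumed list of vendor/default account names worth flagging; extend per site.
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "guest", "service"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(log: str):
    """Yield (timestamp, result, user, ip) for each line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return one alert per source IP whose failed logins reach `threshold`
    inside any `window`-long span. Each alert records how many failures were
    in that span, which accounts were tried, which of those are default
    account names, and whether a successful login followed the burst."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(log)):
        by_ip[ev[3]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        failures = [e for e in events if e[1] == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                users = sorted({e[2] for e in burst})
                last = burst[-1][0]
                alerts[ip] = {
                    "failures": len(burst),
                    "users": users,
                    "default_accounts": sorted(set(users) & DEFAULT_ACCOUNTS),
                    "success_after": any(e[1] == "Accepted" and e[0] >= last for e in events),
                }
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, alert in find_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

A burst followed by `success_after: True` against a default account name is the pattern the advisory describes and should be treated as a probable compromise rather than noise; the slow, spread-out failures from the second address fall below the window and are not reported at the default settings.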
Texas school district breach impacts over 47,000 people
Alvin Independent School District (AISD) confirmed it suffered a breach in June 2024 that compromised sensitive information belonging to 47,606 individuals. The district began notifying affected people over the weekend that the incident exposed names, Social Security numbers, state-issued IDs, credit card and financial account details, as well as medical and health insurance information. The Fog ransomware gang published the district’s name on its data leak site, but it remains unclear whether the district paid a ransom. Since that attack, Fog has claimed responsibility for 20 confirmed ransomware attacks, 12 of them on educational institutions, and an additional 157 unconfirmed incidents. However, the group appears to have suddenly gone dark last month. (Infosecurity Magazine)
‘Easily Exploitable’ Langflow flaw requires immediate patching
CISA has added a critical flaw in the open source Langflow platform (CVE-2025-3248) to its Known Exploited Vulnerabilities (KEV) catalog. Langflow is a Python-based web application that lets users build AI-driven agents and workflows. The issue allows unauthenticated remote code injection and affects Langflow versions prior to 1.3.0. Horizon3.ai, which discovered the flaw, described it as “easily exploitable” and said the initial patch does not fully address the issue; the researchers encouraged users to update to the latest Langflow version to fully mitigate the risk of exploitation. (Bleeping Computer and Dark Reading)
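The flaw class here is a web endpoint that “validates” user-submitted Python by running it rather than by parsing it. The following is an added illustration of that class, not Langflow’s code and not Horizon3.ai’s exploit: a vulnerable validator that calls `exec`, the hardened form that stops at `ast.parse`, and a constructed payload that hides its side effect in a default-argument expression, which Python evaluates the moment the `def` statement runs. The marker environment variable stands in for whatever an attacker would actually execute.

```python
"""Added illustration (not Langflow's code): executing submitted code to
validate it, versus parsing it. The payload and marker are constructed."""
import ast
import os

MARKER = "EXAMPLE_CODE_RAN"  # assumed name; a stand-in for os.system(...) or a reverse shell


def validate_code_unsafe(source: str) -> dict:
    """VULNERABLE: checks that the code 'loads' by executing it. Module-level
    statements, decorators and default-argument expressions all run on the server."""
    namespace: dict = {}
    try:
        exec(compile(source, "<submitted>", "exec"), namespace)  # deliberate: this is the bug
    except Exception as exc:  # noqa: BLE001 - report any failure to the client
        return {"ok": False, "error": str(exc)}
    funcs = [name for name, val in namespace.items() if callable(val) and not name.startswith("__")]
    return {"ok": True, "functions": funcs}


def validate_code_safe(source: str) -> dict:
    """Hardened: build the syntax tree only. ast.parse never evaluates
    expressions, so decorators and defaults stay inert. (Authentication on the
    endpoint is a separate, necessary control not shown here.)"""
    try:
        tree = ast.parse(source, "<submitted>")
    except SyntaxError as exc:
        return {"ok": False, "error": str(exc)}
    funcs = [n.name for n in ast.walk(tree) if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    return {"ok": True, "functions": funcs}


# Constructed payload: a plausible-looking component with no top-level statement
# at all. The default value of `cmd` is evaluated when `def` executes.
PAYLOAD = f'''
def run(x, cmd=__import__("os").environ.__setitem__("{MARKER}", "yes")):
    return x
'''


def demo() -> dict:
    """Run both validators on the payload and report whether the side effect fired."""
    os.environ.pop(MARKER, None)
    unsafe = validate_code_unsafe(PAYLOAD)
    ran_unsafe = os.environ.pop(MARKER, None) == "yes"
    safe = validate_code_safe(PAYLOAD)
    ran_safe = os.environ.pop(MARKER, None) == "yes"
    return {"unsafe": unsafe, "ran_unsafe": ran_unsafe, "safe": safe, "ran_safe": ran_safe}


if __name__ == "__main__":
    print(demo())
```

Both validators report the same function name, so the parse-only version loses nothing the endpoint needs; the difference is that the attacker’s expression never executes. If a product genuinely must run user code, it belongs in a sandboxed worker with no credentials, not in the API process.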
Hackers exploit IoT devices to deploy Mirai Botnet
Threat actors have been observed actively exploiting security flaws in two different Internet of Things (IoT) devices to corral them into the Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The first is an end-of-life GeoVision surveillance device that can be exploited via two critical-severity operating system command injection flaws (CVE-2024-6047 and CVE-2024-11120), which allow threat actors to execute arbitrary system commands. That disclosure comes as researchers warned of active exploitation of a path traversal flaw in the Samsung MagicINFO 9 digital signage server (CVE-2024-7399) that lets an attacker write arbitrary files with system-level privileges. While Samsung addressed the issue back in August 2024, it has since been weaponized by attackers following the release of a proof-of-concept (PoC) exploit on April 30, 2025. (The Hacker News)
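An arbitrary file write through path traversal is what happens when a server joins a client-supplied file name onto an upload directory without checking where the result lands. The following is an added example, not Samsung’s code and not the published PoC: a naive join beside a containment check that resolves the path (following symlinks) and requires it to stay under the upload root. The directory layout and file names are constructed; the symlink case is included because a lexical `..` check alone would miss it.

```python
"""Added example (not Samsung's code): the path-traversal bug class behind
arbitrary file writes, beside a containment check. Paths are constructed."""
import os
import tempfile


class PathEscape(ValueError):
    """Raised when a client-supplied name would resolve outside the upload root."""


def unsafe_target(upload_root: str, client_name: str) -> str:
    """VULNERABLE: trusts the client name. '../' segments walk out of the root,
    and os.path.join silently discards the root if the name is absolute."""
    return os.path.join(upload_root, client_name)


def safe_target(upload_root: str, client_name: str) -> str:
    """Hardened: reject absolute names, resolve symlinks and '..' with realpath,
    then require the resolved path to share the root as a path prefix."""
    if os.path.isabs(client_name):
        raise PathEscape(f"rejected {client_name!r}: absolute path")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, client_name))
    # commonpath compares whole components, so 'uploads2' does not pass for 'uploads'.
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscape(f"rejected {client_name!r}: resolves to {candidate}")
    return candidate


def escapes(upload_root: str, client_name: str) -> bool:
    """True when the naive join would land outside upload_root (purely lexical check)."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(unsafe_target(upload_root, client_name))
    return os.path.commonpath([root, target]) != root


def demo() -> dict:
    """Exercise safe_target against benign, traversal, absolute and symlink names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.makedirs(root)
        # A symlink inside the upload directory that points outside it.
        os.symlink(tmp, os.path.join(root, "link"))
        names = ["logo.png", "sub/../logo.png", "../../etc/passwd", "/etc/passwd", "link/secret.txt"]
        results = {}
        for name in names:
            try:
                safe_target(root, name)
                results[name] = "allowed"
            except PathEscape:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

`sub/../logo.png` is allowed because it normalises to a file inside the root; `link/secret.txt` is rejected even though it contains no `..`, which is the case a string-based filter misses. Run the check on the resolved path immediately before the write, since a symlink created between check and use reopens the hole.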
Magento backdoor hid for six years before activation
It took six years for a backdoor hidden in widely used Magento online store extensions to reveal itself. On April 20, the malware began affecting hundreds of digital storefronts. Security firm Sansec uncovered 21 modules published between 2019 and 2022 that share identical malicious logic hidden in PHP files. Once activated, the backdoor runs a remote payload, enabling attackers to deploy Magecart-style skimming scripts in customer browsers. Sansec estimates that between 500 and 1,000 stores are running the backdoored software, “including a $40 billion multinational.” The researchers said, “It is rare that a backdoor remains undetected for six years, but is even stranger that actual abuse has only started now.” (Data Breach Today)
Threat brokers advertise a new SS7 zero-day exploit on cybercrime forums
A newly advertised SS7 zero-day exploit on cybercrime forums is raising alarms about global mobile network security. Priced at $5,000, the kit allows attackers to intercept SMS messages, track phones in real time, and potentially eavesdrop on calls or bypass two-factor authentication. The exploit targets vulnerabilities in the Mobile Application Part (MAP) of the SS7 protocol, spoofing legitimate network nodes to manipulate routing and location data. Despite SS7’s outdated design, it still underpins many 2G and 3G telecom systems worldwide—used by around 30% of mobile connections. While newer networks offer stronger security, legacy systems remain vulnerable. Experts urge telecom providers to adopt SS7 firewalls and stricter controls, and recommend users move away from SMS-based authentication. This incident highlights the ongoing risks from legacy telecom infrastructure, even decades after SS7’s known flaws were first exposed. (Cyber Security News)
FortiGuard uncovers a cyber-espionage campaign targeting critical national infrastructure in the Middle East
FortiGuard’s Incident Response Team has uncovered a prolonged cyber-espionage campaign targeting critical national infrastructure in the Middle East, attributed to an Iranian state-sponsored group. The intrusion spanned from May 2023 to early 2025, with activity possibly dating back to 2021. Attackers used stolen VPN credentials to access the network, deploying custom malware like HanifNet, HXLibrary, and NeoExpressRAT, and evaded segmentation using proxy tools. They also attempted to regain access post-containment via web app vulnerabilities and phishing attacks. The campaign showed a high level of sophistication, with an emphasis on persistence and stealth. No operational disruptions were confirmed, but the attackers demonstrated strong interest in OT systems. The report urges better credential hygiene, stronger segmentation, and proactive monitoring to defend against such advanced threats. (Fortinet)
EU fines TikTok for violating GDPR with China data transfer
The European Union has fined TikTok €530 million ($600 million) for violating the General Data Protection Regulation (GDPR) by inadequately safeguarding European users’ data accessed by staff in China. Ireland’s Data Protection Commission found that TikTok failed to ensure EU-equivalent protections and lacked transparency about data transfers. The investigation also revealed that TikTok provided inaccurate information, initially denying storage of EU user data on Chinese servers, only to later admit some data had been stored there. TikTok plans to appeal, asserting that the issues predate its “Project Clover,” which aims to localize data within Europe through new data centers. (AP News)
Canadian power company hit by cyberattack
Halifax-based electric utility Nova Scotia Power and its parent company Emera have shut down parts of their IT networks while responding to a cyberattack, SecurityWeek reports. The attack disrupted the utility’s customer care phone line and online portal, but did not affect physical operations.
The companies stated, “There remains no disruption to any of our Canadian physical operations, including at Nova Scotia Power’s generation, transmission, and distribution facilities, the Maritime Link or the Brunswick Pipeline, and the incident has not impacted the utility’s ability to safely and reliably serve customers in Nova Scotia. There has been no impact to Emera’s US or Caribbean utilities.” CBC News reports that the utility is only responding to emergencies and outages, leaving some new customers unable to get their power turned on. (SecurityWeek)
Ascension Health discloses another breach
US health system Ascension is informing some patients that their medical data was breached after hackers compromised a third-party vendor in December 2024, the Register reports. The breached data involved personal information, including Social Security numbers, as well as medical information. The medical data included “[i]nformation related to inpatient visits, such as the place of service; physician name, admission and discharge dates; diagnosis and billing codes; medical record number; and insurance company name.” Ascension sustained a separate breach in May 2024 after it was hit by the Black Basta ransomware gang. (The Register)
Ransomware attacks on food and agriculture industry have increased this year
Speaking at RSA, Jonathan Braley, director of the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC), said ransomware attacks on the sector are rising, and that many go unreported, which hides the full scope of the problem. The increase appears to stem from the Clop ransomware gang, specifically its exploitation of MOVEit, GoAnywhere and Accellion, as well as activity by the RansomHub and Akira groups. The industry saw 84 attacks from January to March, more than double the number seen in Q1 2024. A report from Food and Ag-ISAC says that the food, agriculture, and manufacturing industries typically face ransomware attacks because they tend to run more legacy equipment and industrial control systems, making them easier targets. (The Record)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.