Cyber News Roundup for May 16, 2025
This week has been a whirlwind in cyber news, showcasing both the persistent threats and the innovative defenses emerging in our digital landscape. Our wrap-up dives into the concerning breach at cryptocurrency giant Coinbase, where social engineering tactics led to the compromise of sensitive user data and a hefty ransom demand. We’ll also cover the FBI’s warning about the escalating use of AI-powered voice deepfakes targeting US officials, highlighting the growing sophistication of social engineering attacks.
Beyond these critical incidents, we’ll explore the latest activities of nation-state actors, including the Fancy Bear campaign targeting Ukrainian entities and a Russian APT exploiting webmail servers. We’ll also touch upon significant vulnerability disclosures, including those affecting Chrome, Node.js, and even Intel CPUs, alongside the discovery of novel malware like HTTPBot and TransferLoader. Stay tuned as we unpack these stories and more, providing insights into the evolving threat landscape and offering key takeaways for bolstering your own cybersecurity posture.
Google issues an emergency patch for a high-severity Chrome browser flaw
Google has issued an emergency patch for a high-severity Chrome flaw (CVE-2025-4664) that, in the right authentication flow, can lead to account takeover. Reported by Solidlab researcher Vsevolod Kokorin, the bug is insufficient policy enforcement in Chrome's Loader component: unlike other browsers, Chrome processed Link headers on subresource responses, including a referrerpolicy parameter, so a third-party resource embedded in a page (an image, say) could set unsafe-url and receive the embedding page's full URL, query string included, as the Referer. That matters wherever OAuth codes or tokens travel in query parameters, as they commonly do at the redirect step of a login flow. Google said an exploit exists in the wild. The fix is in Chrome 136.0.7103.113/114 for Windows and macOS and 136.0.7103.113 for Linux; users should update and relaunch, or let Chrome auto-update on restart. This follows a March patch for another Chrome zero-day (CVE-2025-2783), a sandbox escape exploited in espionage attacks against Russian organisations.
(Bleeping Computer)
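The header shape at the heart of CVE-2025-4664 is a Link preload whose referrerpolicy sends the full URL cross-origin. The following is an added example, not code from the article, from Google or from Solidlab: a small RFC 8288 Link-header parser plus a scanner a site owner can run over their own (or their third-party providers') response headers to flag that shape. The hostnames and headers are constructed for the example.

```python
"""Added example: parse HTTP Link headers and flag preload links whose
referrer policy would leak the embedding page's full URL (query string
included) to a cross-origin target. Not the article's or Google's code;
all hostnames below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Policies under which the browser sends the full referrer URL, query string
# included, to a cross-origin destination over HTTPS.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

# One ';'-separated link parameter: token [= (quoted-string | token)]
_PARAM = re.compile(
    r'\s*([A-Za-z0-9!#$%&\'*+\-.^_`|~]+)\s*'
    r'(?:=\s*(?:"((?:[^"\\]|\\.)*)"|([^;,\s]*)))?'
)


@dataclass
class LinkValue:
    target: str
    params: dict[str, str] = field(default_factory=dict)


def parse_link_header(value: str) -> list[LinkValue]:
    """Parse one Link header field value into its link-values (RFC 8288)."""
    links: list[LinkValue] = []
    i, n = 0, len(value)
    while i < n:
        if value[i] in " \t,":            # separators between link-values
            i += 1
            continue
        if value[i] != "<":
            raise ValueError(f"expected '<' at offset {i}")
        end = value.find(">", i)
        if end < 0:
            raise ValueError("unterminated URI-Reference")
        link = LinkValue(target=value[i + 1:end])
        i = end + 1
        while True:                        # parameters of this link-value
            while i < n and value[i] in " \t":
                i += 1
            if i >= n or value[i] == ",":
                break
            if value[i] != ";":
                raise ValueError(f"expected ';' at offset {i}")
            m = _PARAM.match(value, i + 1)
            if m is None:
                raise ValueError(f"malformed parameter at offset {i}")
            name = m.group(1).lower()
            if m.group(2) is not None:     # quoted-string: undo backslash escapes
                val = re.sub(r"\\(.)", r"\1", m.group(2))
            else:
                val = m.group(3) or ""
            link.params.setdefault(name, val)   # first occurrence wins
            i = m.end()
        links.append(link)
    return links


def find_referrer_leaks(headers: list[tuple[str, str]]) -> list[dict[str, str]]:
    """Return preload/modulepreload links whose referrerpolicy would leak the
    embedding page's full URL to the link target."""
    findings = []
    for name, value in headers:
        if name.lower() != "link":
            continue
        for link in parse_link_header(value):
            rels = set(link.params.get("rel", "").lower().split())
            policy = link.params.get("referrerpolicy", "").lower()
            if policy in FULL_URL_POLICIES and rels & {"preload", "modulepreload"}:
                findings.append({
                    "target": link.target,
                    "rel": " ".join(sorted(rels)),
                    "as": link.params.get("as", ""),
                    "referrerpolicy": policy,
                })
    return findings


# Constructed response headers, as a third-party image host might return them.
# The second Link header carries the dangerous shape: a cross-origin preload
# with referrerpolicy=unsafe-url.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "image/png"),
    ("Link", "<https://cdn.example/site.css>; rel=preload; as=style"),
    ("Link", '<https://collect.invalid/p>; rel="preload"; as=image; '
             "referrerpolicy=unsafe-url, <https://cdn.example/next>; rel=next"),
]

if __name__ == "__main__":
    for f in find_referrer_leaks(SAMPLE_RESPONSE_HEADERS):
        print(f"LEAK: {f['rel']} -> {f['target']} (referrerpolicy={f['referrerpolicy']})")
```

Run it over captured response headers from every third-party host your login or callback pages embed; a hit means that host can see your full URL in the browser versions affected. Independently of the Chrome fix, keeping codes and tokens out of query strings where the protocol allows it removes the payload this bug leaks.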
Researchers bypass BitLocker encryption in minutes
A revived flaw in Microsoft BitLocker (CVE-2023-21563) lets an attacker bypass disk encryption in under five minutes using a software-only method called “Bitpixie.” The attack targets systems without pre-boot authentication, which is the default TPM-only configuration, and a public proof of concept exists. Unlike hardware attacks that sniff the key off the TPM bus, Bitpixie obtains the Volume Master Key (VMK) purely in software: an older, still-signed Windows boot manager fails to scrub the VMK from memory when it performs a PXE soft reboot, so a second-stage payload booted afterwards can read it back. Two variants, one booting Linux and one booting Windows PE, use only signed components, so Secure Boot does not stop them, and no physical tampering or full disk image is required. The attack is stealthy and effective on unattended or stolen devices. Mitigations: enable pre-boot authentication (a TPM PIN or startup key) so the VMK is never released before a user authenticates, and apply Microsoft’s Secure Boot revocation guidance (KB5025885) so the vulnerable boot manager is no longer trusted to boot.
(Cyber Security News)
Google warns that Scattered Spider is now targeting U.S. retail companies
Google warns that hackers tied to the Scattered Spider group, known for crippling UK retailers like M&S, are now targeting U.S. retail companies. These attackers are skilled at bypassing strong cybersecurity defenses and tend to focus on one industry at a time. Scattered Spider has also been linked to past breaches of MGM Resorts and Caesars Entertainment. U.S. retail security groups are actively monitoring the threat, with Google helping coordinate briefings to prepare major companies like Costco, McDonald’s, and Lowe’s.
(Reuters)
The largest steelmaker in the U.S. shut down operations following a cybersecurity incident
Nucor, the largest U.S. steelmaker, temporarily shut down some operations following a cybersecurity incident involving unauthorized access to its IT systems. The company activated its incident response plan, took affected systems offline, and is working to restore operations. While Nucor didn’t specify which facilities were impacted, it emphasized the shutdown was precautionary. With 300 sites and 25,000 employees, Nucor is a major global player.
(The Record)
New picks for US Cyber Command coming soon
Multiple military, civilian, and congressional sources told The Record that the Trump administration will name a candidate for the vacant role of National Security Agency deputy director before Memorial Day. US Cyber Command and NSA head General Timothy Haugh and deputy NSA chief Wendy Noble were dismissed last month. This comes as the administration investigates whether to end the so-called “dual-hat” leadership of the NSA and US Cyber Command. Restructuring the leadership requires sign-off from both the Secretary of Defense and the Joint Chiefs chairman that the move won’t hinder Cyber Command.
Exposing North Korean IT workers at scale
Wired shared a report from DTEX Systems that includes a list of over 1,000 email addresses identified as linked to North Korean IT worker activity. Their report profiles two members of a group of North Korean developers now based out of Russia, using the personas “Naoki Murano” and “Jenson Collins.” This group of developers generally worked for cryptocurrency companies, including Coinbase, creating fake job applications and searching for accomplices. These fake IT workers are generally required to hit specific income quotas, with evidence of military personnel directly monitoring communications so they don’t become defectors.
(Wired)
Investigators discover undocumented communications devices inside Chinese-made power inverters
U.S. energy officials are investigating Chinese-made inverters and batteries after discovering undocumented communication devices, including cellular radios, inside them, Reuters reports. These components, used widely in solar installations, battery storage, and EV chargers, could bypass the firewalls utilities place around them and pose risks to the power grid. Experts warn they could enable remote disruption or even destruction of infrastructure. Inverters are built with remote-maintenance channels, but some of the devices found had communication capabilities not listed in the product documentation. The U.S. Department of Energy is working to tighten transparency and supply chain security. As tensions with China grow, utilities and lawmakers are pushing to limit reliance on Chinese technology in critical infrastructure. Some nations, like Lithuania and Estonia, are already taking steps to ban or restrict Chinese inverters to protect energy systems from foreign control.
(Reuters)
Steel producer disrupted by cyberattack
Nucor Corporation, the largest steel producer in the US, disclosed in an 8-K filing with the US Securities and Exchange Commission that it suffered a cyberattack “involving unauthorized third-party access to certain information technology systems.” No other information on date, threat actor, or the type of attack was disclosed. The attack halted production at several locations, although the company began slowly restarting operations. No threat group has taken credit for the attack so far.
CISA pares back website security alerts
CISA announced a major change in how it shares cybersecurity updates: only urgent alerts about emerging threats or major cyber activity will now appear on its website. Routine guidance, vulnerability notices, and product warnings will be distributed via email, RSS, and X (formerly Twitter). This shift, possibly tied to budget cuts and staff reductions under a Trump-aligned cost-cutting initiative, has raised concerns among experts. Critics, including former CISA director Jen Easterly, warn that reducing visibility for routine security updates undermines national cybersecurity. The policy reflects a broader trend of federal agencies moving communications to X, despite its limitations. Agencies like the NTSB and Social Security Administration have also begun phasing out traditional press releases and email updates. Observers worry this change favors Elon Musk’s platform and limits accessibility to critical public information. CISA urges users to subscribe to its email notifications to stay informed.
Europe’s cybersecurity agency launches the European Vulnerability Database
Europe’s cybersecurity agency, ENISA, has officially launched the European Vulnerability Database (EUVD), a centralized platform for tracking cybersecurity flaws. Developed under the NIS2 directive, the EUVD mirrors the U.S. National Vulnerability Database and aims to enhance risk management and transparency across the EU. It gathers data from sources like CSIRTs, vendors, and databases such as MITRE’s CVE and CISA’s KEV Catalog. Users can access three dashboards highlighting critical, exploited, and EU-coordinated vulnerabilities. Each entry includes details like affected products, severity, and mitigation steps. Concerns over the future of the U.S.-based CVE program have increased interest in the EUVD as a stable, independent resource. ENISA says the tool is vital for public users, companies, and authorities to better manage threats and respond effectively to known vulnerabilities.
A major security flaw has been found in ASUS mainboards’ automatic update system
A major security flaw has been found in the automatic update software that ASUS mainboards install, affecting the Armoury Crate and DriverHub tools on AMD and Intel platforms. Two vulnerabilities in DriverHub (CVE-2025-3462, an origin-validation error, and CVE-2025-3463, improper certificate validation) allow an attacker to influence system behaviour or reach the tool’s features via crafted HTTP requests: DriverHub runs a local HTTP service that websites are allowed to call, and its check on the requesting origin could be satisfied by an attacker-controlled domain that embedded the trusted hostname, so visiting a malicious page was enough to drive it. The root issue is that this software is auto-installed from the UEFI BIOS through the Windows Platform Binary Table, so it lands on a fresh Windows install without the user choosing it. ASUS has released updates; users should update DriverHub immediately, and those who do not want the software at all can turn off the BIOS setting that auto-installs it. The original report also suggests scanning BIOS files for threats with VirusTotal.
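The bug class here is a localhost service that trusts a browser's Origin header but compares it loosely. The following is an added example, not ASUS code and not from the original article: a substring-style origin check of the kind that lets a lookalike domain through, beside a hardened check that normalises the origin and compares it against an exact allowlist. The allowlist origin, the attacker hostnames, and the `authorize_rpc` helper are assumed for illustration.

```python
"""Added example (not ASUS code, not from the original article): the weak and
hardened forms of an Origin check for a localhost HTTP service that a single
web origin is allowed to drive. Allowlist and probe hostnames are assumed."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed allowlist: the only web origin permitted to call the local service.
ALLOWED_ORIGINS = {"https://driverhub.asus.com"}


def weak_origin_check(origin: str) -> bool:
    """The bug class: substring match. Any value that merely *contains* the
    trusted name, e.g. https://driverhub.asus.com.attacker.invalid, passes."""
    return "driverhub.asus.com" in origin


def strict_origin_check(origin: str | None, allowed: set[str] = ALLOWED_ORIGINS) -> bool:
    """Accept only an exact, normalised https origin from the allowlist.

    Rejects missing or 'null' origins (non-browser or sandboxed callers),
    non-https schemes, userinfo tricks (https://trusted@evil), any path,
    query or fragment, and malformed ports."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.username is not None or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    try:
        port = parts.port              # raises ValueError on a non-numeric port
    except ValueError:
        return False
    host = parts.hostname.lower()      # hostname is already lower-cased; explicit for clarity
    normalized = f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"
    return normalized in allowed


def authorize_rpc(headers: dict[str, str]) -> bool:
    """Gate for a local RPC endpoint (assumed helper): header names are matched
    case-insensitively and a request with no Origin at all is refused."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    return strict_origin_check(origin)


# Constructed Origin values a browser (or a tampering client) could send.
PROBES = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com:443",
    "https://driverhub.asus.com.attacker.invalid",   # trusted name as a sub-label of attacker's domain
    "https://driverhub.asus.com@attacker.invalid",   # userinfo trick
    "http://driverhub.asus.com",                      # downgraded scheme
    "https://evil.invalid/?x=driverhub.asus.com",     # trusted name in the query
    "null",
]


def compare(probes: list[str] = PROBES) -> dict[str, tuple[bool, bool]]:
    """Map each probe to (weak verdict, strict verdict)."""
    return {p: (weak_origin_check(p), strict_origin_check(p)) for p in probes}


if __name__ == "__main__":
    for origin, (weak, strict) in compare().items():
        print(f"{origin:48} weak={weak!s:5} strict={strict}")
```

The weak check accepts every probe except the literal `null`; the strict one accepts only the two spellings of the allowlisted origin. For a service that also downloads and executes updates, origin checking is only the first gate: the downloaded artifact still needs its signature verified against a pinned publisher before it runs, which is the separate weakness the second CVE describes.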
Global Crossing Airlines Group confirms cyberattack
According to a filing with the US Securities and Exchange Commission, the airline, also known as GlobalX, suffered a cyberattack on May 5, 2025. The attackers accessed “systems supporting portions of its business applications.” Over the weekend, the attackers contacted 404 Media, allegedly offering information about Global Crossing’s ICE deportation flights, including flight records and passenger lists. The airline said the attack did not disrupt operations and would not create a material effect on its finances.
Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems
Varonis has uncovered two major threats targeting IT admins and cloud systems. First, attackers are using SEO poisoning to rank malicious download pages for the tools admins search for, delivering malware disguised as the legitimate tool. These fake downloads can install backdoors such as SMOKEDHAM or remote-monitoring software, enabling credential theft and data exfiltration; in one case nearly a terabyte of data was stolen, followed by a ransomware attack. Separately, Varonis found a root-escalation flaw in AZNFS-mount, Microsoft’s helper for mounting Azure Blob NFS shares that is common in HPC and AI workloads. In versions up to 2.0.10, an unprivileged local user can become root by abusing the setuid mount helper with attacker-controlled environment variables. Microsoft rated it low severity, but a root shell on a shared compute node is the foothold from which broader cloud compromise starts. Varonis urges upgrading to version 2.0.11 and recommends a defence-in-depth posture to limit exposure.
(Hackread)
A new tool disables Microsoft Defender by tricking Windows into thinking a legitimate antivirus is installed
A new tool called Defendnot disables Microsoft Defender by exploiting the Windows Security Center (WSC) API, tricking Windows into thinking a legitimate antivirus is installed. Created by GitHub developer “es3n1n,” Defendnot registers a fake antivirus product using reverse-engineered interactions with the undocumented WSC API, bypassing Microsoft’s integrity checks by injecting its code into trusted processes like Task Manager. Once registered, Windows automatically disables Defender to avoid conflicts. While the tool requires admin privileges and persistent installation to survive reboots, it poses a risk if abused by malware developers. Security experts warn that although Defendnot showcases impressive technical skill, it highlights a significant security gap in how Windows handles AV product registration. The tool builds on the developer’s earlier project, no-defender, and underscores the need for better safeguards in WSC’s architecture.
The FBI warns that threat actors are exploiting outdated, unsupported routers
The FBI has warned that threat actors are exploiting outdated, unsupported routers—likely from brands like Cisco’s Linksys and Ericsson’s Cradlepoint—using unpatched vulnerabilities and remote management software. Hackers bypassed authentication to gain shell access, installed malware, and turned the devices into part of a botnet. These compromised routers were then used as proxies via the Anyproxy and 5Socks networks, helping criminals hide their activities. Malware communications included a two-way handshake with a command-and-control server. While no specific group was named, the FBI noted that Chinese cyber actors have exploited similar vulnerabilities in the past. Users are urged to replace old routers or disable remote access. This alert follows the release of OpenEoX, a proposed standard to better manage end-of-life disclosures for tech products.
An Indiana health system reports a data breach affecting nearly 263,000 individuals
Union Health System in Indiana has reported a data breach affecting nearly 263,000 individuals, linked to a January cyberattack on legacy Cerner servers during a migration to Oracle’s cloud. The compromised data includes sensitive patient information such as Social Security numbers, medical records, and insurance details. The breach, confirmed by Oracle Health/Cerner in March, did not impact Union Health’s live systems. Lawsuits allege negligence by both Union Health and Oracle, and claim a threat actor named “Andrew” is extorting affected hospitals. Oracle denies a breach of its Cloud Infrastructure but acknowledged unauthorized access to outdated servers. While Oracle will cover credit monitoring costs, it won’t notify individuals directly. Union Health is offering free credit protection and is facing mounting legal pressure over its handling of the incident.
A sophisticated email attack campaign uses malicious PDF invoices to deliver a cross-platform RAT
Fortinet researchers have uncovered a sophisticated email attack campaign using malicious PDF invoices to deliver a cross-platform Remote Access Trojan (RAT) called RATty. While primarily targeting Windows, the malware also affects Linux and macOS systems running Java. The attack starts with deceptive emails that pass SPF validation using the serviciodecorreo.es service, luring victims into clicking buttons in the PDF that launch a multi-stage infection. The process uses Dropbox and MediaFire to host files, Ngrok tunneling, and geofencing to evade detection. Victims in Italy receive a Java-based JAR file, while others see harmless documents, fooling email scanners. Once active, RATty enables attackers to execute commands, log keystrokes, and access webcams and files. This campaign highlights how attackers combine social engineering and advanced evasion to bypass security and maintain persistent access.