
BagheeraAltered's CyberSecurity Newsletter

May 19, 2025

CyberSecurity Newsletter 19th May, 2025


In this week’s news: twelve more suspects were charged in the theft of over $230 million in cryptocurrency; Google warns that the cybercrime group Scattered Spider is now targeting U.S. companies; the FBI issued a warning about AI being used to mimic the voices of high-ranking United States officials; Chinese “kill switches” were found in power inverters used in US solar farm equipment; ransomware gang members increasingly use new malware called Skitnet; and a new tool called 'Defendnot' can disable Microsoft Defender on Windows devices.


Twelve more suspects were charged in a RICO conspiracy for their alleged involvement in the theft of over $230 million in cryptocurrency and laundering the funds using crypto exchanges and mixing services. Two other suspects linked to this conspiracy, 20-year-old Malone Lam (aka "Greavys," "Anne Hathaway," and "$$$") and 21-year-old Jeandiel Serrano (aka "Box," "VersaceGod," and "@SkidStar"), were arrested and charged in September 2024.
https://www.bleepingcomputer.com/news/security/us-charges-12-more-suspects-linked-to-230-million-crypto-theft/

Cyber-attacks targeting healthcare have “noticeably increased” in intensity, with the sector suffering more incidents than other key industries in 2024, according to new data from Darktrace. The cybersecurity vendor revealed it responded to 45 cybersecurity incidents impacting healthcare organizations last year.
https://www.infosecurity-magazine.com/news/healthcare-cyber-attacks-intensify/

Google warns that Scattered Spider, the cybercrime group behind the recent attacks on UK retailers, is now targeting U.S. companies, shifting its focus across the Atlantic. The financially motivated group, tracked as UNC3944 (also known as Scattered Spider and 0ktapus), is known for social engineering and extortion. It is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.
https://securityaffairs.com/177974/cyber-crime/shields-up-us-retailers-scattered-spider-threat-actors.html

The Federal Bureau of Investigation (FBI) has issued a warning regarding a growing threat where malicious individuals are using artificial intelligence (AI) to mimic the voices of high-ranking United States officials. These AI-generated voice memos, combined with deceptive text messages, are being used in attempts to target current/former government officials, and individuals in their contact lists.
https://hackread.com/fbi-warn-ai-voice-scams-impersonate-us-govt-officials/

Chinese “kill switches” have been found in Chinese-made power inverters used in US solar farm equipment; they could let Beijing remotely disable power grids in a conflict. The Times reported that experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide, including in the UK. These devices could be remotely activated to shut off the inverters, potentially causing widespread power disruption. The discovery raises fears that China may have installed covert malware in critical energy infrastructure across the US and Europe, enabling remote attacks during conflicts.
https://securityaffairs.com/178005/hacking/rogue-devices-in-chinese-made-power-inverters-used-worldwide.html

ReversingLabs has discovered dbgpkg, a fake Python debugger published on PyPI that secretly backdoors systems to steal data. Researchers suspect a pro-Ukraine hacktivist group is behind the package, which appears to be aimed at Russian developers.
https://hackread.com/ukraine-group-russian-developers-python-backdoor/

During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit.
https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/

For at least half a year, the official software supplied with Procolored printers included malware: a remote access trojan and a cryptocurrency stealer. Procolored is a digital printing solutions provider making Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers. It is particularly known for affordable and efficient fabric printing.
https://www.bleepingcomputer.com/news/security/printer-maker-procolored-offered-malware-laced-drivers-for-months/

Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/

The newly emerged malware loader TransferLoader features several components that facilitate arbitrary command execution on targeted systems. The loader has been used to distribute the Morpheus ransomware in an attack against a U.S. law firm, reports GBHackers News.
https://www.scworld.com/brief/novel-transferloader-malware-examined

Google released emergency security updates to address a Chrome browser vulnerability, tracked as CVE-2025-4664, that could lead to full account takeover. The security researcher Vsevolod Kokorin (@slonser_) discovered the vulnerability, which stems from an insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113. A remote attacker could trigger the flaw to leak cross-origin data via a crafted HTML page.
https://securityaffairs.com/177899/security/google-fixed-a-chrome-vulnerability-that-could-lead-to-full-account-takeover.html

The notorious LockBit ransomware group, infamous for its Ransomware-as-a-Service (RaaS) model, has suffered a significant and embarrassing setback: its dark web affiliate panels were hacked, resulting in a massive data breach that exposed sensitive internal operations.
https://pupuweb.com/has-lockbits-dark-web-empire-collapsed-shocking-data-leak-exposes-ransomware-secrets/

ESET has reported on a cyber espionage campaign called RoundPress, conducted by the Russian group Fancy Bear (Sednit) against organizations linked to Ukraine via their webmail services. The campaign uses the SpyPress malware to spy on communications. The article does not give specific technical details or the real impact of the attack.
https://www.cyberhub.blog/article/6263-eset-reports-on-fancy-bears-roundpress-cyber-espionage-campaign-against-ukraine

Computer scientists from universities in Germany, Hong Kong, and the United Kingdom have proposed a way to provide verifiable claims about location data without surrendering privacy.
https://www.theregister.com/2025/05/17/privacy_preserving_location_sharing/

The Coinbase Data Breach: A Breakdown of What Went Wrong
https://securityboulevard.com/2025/05/the-coinbase-data-breach-a-breakdown-of-what-went-wrong/

A new tool called 'Defendnot' can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed. The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.
https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/
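A practical check against this kind of spoofed registration is to enumerate what Windows Security Center believes is installed and see whether each entry is backed by a real, validly signed binary. The following PowerShell is an added example written for this newsletter; it is not code from the linked article or from the Defendnot project. It assumes that WSC exposes registrations through the root/SecurityCenter2 WMI namespace (present on client Windows editions, not on Windows Server), that Defender's own entry uses a windowsdefender:// URI rather than a file path, and that the Defender PowerShell module is available for the cross-check.

```powershell
# Added example, not from the newsletter, the linked article, or the Defendnot project.
# Lists the antivirus products registered with Windows Security Center (WSC), flags entries
# whose signed executable is missing or fails Authenticode validation, and then shows what
# Defender itself reports about its own state. A bogus registration made through the WSC
# API is expected to surface here as an entry with no plausible signed binary behind it.
# Assumptions: WSC exposes registrations via the root/SecurityCenter2 WMI namespace
# (client Windows only; Windows Server lacks it) and the Defender module is installed.

function Get-RegisteredAvProduct {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

    foreach ($p in $products) {
        # The registered path may contain environment variables (e.g. %ProgramFiles%); expand them.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        $verdict = 'OK'
        $detail = ''

        if ($exe -like 'windowsdefender://*') {
            # Assumption: Defender's built-in entry uses this URI scheme instead of a file path.
            $detail = 'built-in Microsoft Defender entry'
        }
        elseif ([string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $verdict = 'SUSPICIOUS'
            $detail = 'signed product executable is empty or does not exist'
        }
        else {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') {
                $verdict = 'SUSPICIOUS'
                $detail = "Authenticode status is $($sig.Status)"
            }
            else {
                $detail = "signed by $($sig.SignerCertificate.Subject)"
            }
        }

        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            # productState is an undocumented bitfield; report it raw rather than guess at its meaning.
            ProductState = ('0x{0:X6}' -f [int]$p.productState)
            Executable   = $exe
            Verdict      = $verdict
            Detail       = $detail
        }
    }
}

function Get-DefenderState {
    # Get-MpComputerStatus comes from the Defender module and is absent where Defender is not installed.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) { return $null }
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMRunningMode             = $mp.AMRunningMode
    }
}

$registered = @(Get-RegisteredAvProduct)
$registered | Format-Table -AutoSize

# If WSC lists a third-party product while Defender reports real-time protection off,
# that third-party entry is the one that has to justify itself.
$defender = Get-DefenderState
if ($defender) { $defender | Format-List }

$suspicious = @($registered | Where-Object Verdict -eq 'SUSPICIOUS')
if ($suspicious.Count -gt 0) {
    Write-Warning ("{0} registered AV product(s) could not be tied to a validly signed binary." -f $suspicious.Count)
}
```

Treat the Authenticode check as necessary but not sufficient: a fake registration can point at any legitimately signed executable on disk, in which case it passes this test. The stronger control is an inventory comparison, alerting on any AntiVirusProduct entry that your endpoint management did not deploy, and correlating it with Defender reporting that real-time protection has been turned off.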
