Daily Brief

Articles are listed below; each entry carries a generated summary.

Total articles found: 11822

Checks for new stories every ~15 minutes

2025-05-20 20:20:24 bleepingcomputer CYBERCRIME Cellcom Confirms Cyberattack Caused Extensive Service Outage
Wisconsin-based mobile provider Cellcom experienced a significant service disruption starting May 14, 2025, due to a cyberattack. The incident primarily affected voice and SMS communications across Wisconsin and Upper Michigan, rendering many customers unable to call or text. Initially reported as a technical issue, Cellcom CEO Brighid Riordan later confirmed the nature of the disruption as a cyberattack. Despite the attack, critical data services such as iMessage, RCS messaging, and 911 emergency functions remained operational. The cyberattack was isolated to parts of the network that do not store sensitive customer information; no personal data breaches have been reported. Cellcom has engaged external cybersecurity experts, informed law enforcement, and is taking steps to restore services fully by the week's end. The company provided troubleshooting tips for subscribers struggling to regain services, including toggling airplane mode or restarting phones. Progress updates and additional recovery strategies are being communicated through Cellcom’s service update page and CEO video messages.
2025-05-20 19:48:23 bleepingcomputer MALWARE Critical Vulnerability in Motors WordPress Theme Allows Admin Takeover
A critical privilege escalation vulnerability in the Motors WordPress theme lets unauthenticated attackers take over administrator accounts. Motors, developed by StylemixThemes, is widely used in the automotive sector, with more than 22,300 sales on the Envato market. The flaw, tracked as CVE-2025-4322, allows attackers to change user passwords without authenticating; once an administrator password has been reset, the site can be used for malware injection, data theft, or redirecting visitors to malicious websites. StylemixThemes has released version 5.6.68 to fix the issue. Site owners should update the theme immediately through any of the supported update methods, and should review administrator accounts and recent password changes for signs that the flaw was already used against them. Although only a single theme is affected, the severity of the bug makes it a serious threat to every site running a vulnerable version.
2025-05-20 19:15:20 bleepingcomputer MALWARE Leak of VanHelsing Ransomware Source Code on Forum
Source code for several components of the VanHelsing ransomware-as-a-service operation has leaked on a cybercrime forum. A former developer first tried to sell the code for $10,000; the package included the affiliate panel, the data leak site, and the Windows encryptor builder. The VanHelsing operators then pre-emptively published part of the source themselves to undercut the sale, while announcing an upcoming updated version. The operators' release omits the Linux builder and the databases, which limits its usefulness to law enforcement and security researchers. The leaked files contain working code for building ransomware encryptors, though they are reported to be messy and to need additional setup before use. The leak also includes an in-development locker that manipulates the master boot record (MBR), possibly pointing to future attack methods by VanHelsing or by others reusing its code. Past ransomware source code leaks, such as those of Babuk and Conti, were widely adopted by other criminals.
2025-05-20 19:07:02 bleepingcomputer CYBERCRIME VanHelsing Ransomware Source Code Leaked by Disgruntled Developer
The VanHelsing ransomware-as-a-service (RaaS) operation had its source code and affiliate panel leaked on the RAMP cybercrime forum. A former developer, using the alias 'th30c0der', initially attempted to sell the ransomware builder for $10,000 before the operators themselves released it to pre-empt the sale. The leaked source includes the builder for the Windows encryptor and the affiliate panel code but lacks the Linux builder and complete databases, which limits its utility for law enforcement and researchers. BleepingComputer confirmed the authenticity of the leak, which contains a working Windows encryptor builder and the other components needed to run ransomware attacks. The code could enable other cybercriminals to build their own variants or improve existing tools. VanHelsing announced that it intends to release an updated version, VanHelsing 2.0, in response to the leak. Similar past leaks of the Babuk, Conti, and LockBit builders were subsequently reused in many attacks.
2025-05-20 17:12:34 bleepingcomputer MALWARE SK Telecom Reports Extensive Malware Breach Affecting Millions
SK Telecom, South Korea's largest mobile operator, disclosed a malware breach affecting USIM data for 27 million subscribers, first detected on its network on April 19, 2025. The initial infection dates back to June 15, 2022, so the malware went undetected for nearly three years. Attackers gained access to sensitive data including IMSI numbers, USIM authentication keys, network usage data, and stored SMS messages and contacts, raising concerns about SIM-swapping attacks. Because the authentication key cannot be rotated on a SIM that has already been issued, SK Telecom has committed to replacing the SIM cards of all affected subscribers, and it has tightened controls against unauthorized number porting. A government-led investigation found that 23 servers were compromised, 25 different data types were exposed, and 25 distinct malware types were present on the affected systems. Although SK Telecom had previously denied that IMEI data was exposed, investigators found customer data including 291,831 IMEI numbers on 15 of the infected servers. SK Telecom has suspended new subscriber sign-ups while it manages the fallout and has said it will take full responsibility for any resulting damages.
2025-05-20 16:06:41 theregister MALWARE Critical Vulnerability Found in OpenPGP.js Affects Message Security
A vulnerability in OpenPGP.js allows spoofing of both signed and signed-and-encrypted messages, undermining the integrity guarantees the library is meant to provide. Tracked as CVE-2025-47934 with a CVSS score of 8.7 (high), the flaw affects OpenPGP.js versions 5.0.1 through 5.11.2 and 6.0.0-alpha.0 through 6.1.0. Researchers at Codean Labs discovered the issue, which stems from the library's message verification and decryption paths (openpgp.verify and openpgp.decrypt) accepting a maliciously modified message as validly signed. Users are urged to update to the patched releases, 5.11.3 or 6.1.1. Full exploit details will be published later, following the common practice of withholding a proof of concept until users have had time to update. Daniel Huigens, lead maintainer of OpenPGP.js at Proton, the library's primary user, recommends treating the verification result of received messages with caution until the patch is applied. The issue matters to every service that relies on OpenPGP.js for email security, including potentially more than 100 million Proton Mail accounts.
2025-05-20 15:57:16 thehackernews MALWARE Hazy Hawk Hijacks Abandoned Domains to Disseminate Malware
Hazy Hawk has exploited abandoned cloud resources and misconfigured DNS records to hijack domains belonging to reputable organizations and use them for malware distribution. Since December 2023 its victims have included the U.S. CDC, government agencies around the world, and major firms such as Deloitte and PwC. The threat actor points the hijacked domains at traffic distribution systems that redirect users to scams and malware, hiding the malicious activity behind trusted names. Hijacked domains inherit the original domain's credibility in search results, which also helps evade security filtering. The operation clones legitimate site content and uses redirection to deliver advertisements, scams, and fake applications, and it abuses browser push notifications to keep feeding victims scam and scareware content after they leave the site. To limit this threat, domain owners should remove DNS CNAME records as soon as the resource they point to is decommissioned, and users should decline notification requests from unfamiliar sites.
2025-05-20 15:57:16 bleepingcomputer CYBERCRIME Hazy Hawk Exploits DNS Flaws to Hijack High-Trust Domains
The 'Hazy Hawk' cybercrime gang hijacks subdomains of prominent organizations through DNS misconfigurations, specifically CNAME records left pointing at cloud services that have since been abandoned. Targets include governments, universities, and Fortune 500 companies. Because a hijacked subdomain inherits the trust score of its parent domain, the attacker's malicious sites appear legitimate to users, search engines, and reputation systems. The hijacked domains host assorted scams, distribute fake apps, and serve malicious advertisements. Visitors are profiled and then redirected to tech support scams, fake security alerts, and phishing pages, and persistent browser push notifications let the scamming continue after the victim leaves the initial site. The technique depends entirely on organizations failing to remove outdated DNS records, so the defense is an inventory of CNAME records checked against the resources they point to, with dangling entries deleted promptly.
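Both Hazy Hawk entries above come down to the same defensive check: find CNAME records whose targets no longer exist. The script below is an added example written for this brief, not code from Infoblox, BleepingComputer or The Hacker News. The zone export, the hostnames and the list of takeover-prone provider suffixes are constructed assumptions; the resolver is injected so the demo runs offline, and a dnspython-backed resolver is included for live use.

```python
"""Find dangling CNAME records in a DNS zone export.

Added example; not code from Infoblox, BleepingComputer or The Hacker News.
A CNAME is "dangling" when its target no longer resolves: the cloud resource
it pointed at was deleted but the record survived, so whoever can re-register
that target name with the provider inherits the subdomain.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed BIND-style zone export; all names are documentation placeholders.
# In practice read the zone from your DNS provider's API or a zone transfer.
ZONE_EXPORT = """\
www.example.org.          300 IN CNAME frontend.example.org.
old-campaign.example.org. 300 IN CNAME campaign-2023.azurewebsites.net.
assets.example.org.       300 IN CNAME legacy-assets.s3-website-us-east-1.amazonaws.com.
blog.example.org.         300 IN CNAME ghs.googlehosted.com.
mail.example.org.         300 IN A     192.0.2.10
"""

# Provider suffixes under which a vanished hostname can often be claimed by a
# third party. Assumed, illustrative list; extend it for the services you use.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".blob.core.windows.net",
    ".amazonaws.com", ".cloudfront.net", ".elasticbeanstalk.com",
    ".herokuapp.com", ".github.io", ".trafficmanager.net",
)

# A resolver maps a hostname to "ok" (answer returned), "nxdomain" (name does
# not exist) or "error" (SERVFAIL/timeout: inconclusive, re-check before acting).
Resolver = Callable[[str], str]

@dataclass(frozen=True)
class Finding:
    owner: str
    target: str
    verdict: str      # "nxdomain" or "error"
    claimable: bool   # target sits under a takeover-prone provider suffix

_CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.IGNORECASE)

def parse_cname_records(zone_text: str) -> list[tuple[str, str]]:
    """(owner, target) for every CNAME line, lower-cased, trailing dot removed."""
    records = []
    for line in zone_text.splitlines():
        m = _CNAME_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower().rstrip("."),
                            m.group(2).lower().rstrip(".")))
    return records

def find_dangling(records: Iterable[tuple[str, str]], resolve: Resolver) -> list[Finding]:
    """Resolve every CNAME target and report those that are gone or unresolvable,
    takeover-prone NXDOMAINs first."""
    findings = []
    for owner, target in records:
        verdict = resolve(target)
        if verdict == "ok":
            continue
        findings.append(Finding(owner, target, verdict, target.endswith(CLAIMABLE_SUFFIXES)))
    return sorted(findings, key=lambda f: (not f.claimable, f.verdict != "nxdomain", f.owner))

def dnspython_resolver(name: str) -> str:
    """Live resolver built on dnspython (imported lazily so the offline demo
    below runs without it). NoAnswer and timeouts are reported as "error"."""
    import dns.exception  # pip install dnspython
    import dns.resolver
    try:
        dns.resolver.resolve(name, "A")
        return "ok"
    except dns.resolver.NXDOMAIN:
        return "nxdomain"
    except dns.exception.DNSException:
        return "error"

def fake_resolver(name: str) -> str:
    """Constructed verdicts standing in for live DNS in the demo and test."""
    gone = {"campaign-2023.azurewebsites.net",
            "legacy-assets.s3-website-us-east-1.amazonaws.com"}
    if name in gone:
        return "nxdomain"
    if name == "frontend.example.org":
        return "error"       # e.g. an internal name the scanner cannot reach
    return "ok"

if __name__ == "__main__":
    for f in find_dangling(parse_cname_records(ZONE_EXPORT), fake_resolver):
        tag = "TAKEOVER-PRONE" if f.claimable else "review"
        print(f"{tag:14} {f.owner} -> {f.target} [{f.verdict}]")
```

NXDOMAIN is only one signal: some providers keep answering for a deleted resource with a generic "not found" page, so a target that resolves is not automatically safe, and an "error" verdict should be re-run before anyone deletes a record. The lasting fix is procedural: deleting the DNS record is part of decommissioning the resource, not an afterthought.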
2025-05-20 15:01:58 thehackernews MALWARE Over 100 Malicious Chrome Extensions Endanger User Data
Researchers uncovered more than 100 fake Chrome browser extensions involved in data theft and session hijacking. The malicious extensions posed as useful utilities, including ad blockers and VPN clients, but carried out credential theft, ad injection, and phishing. The threat actor steered victims to the extensions through websites that impersonated legitimate services and through manipulated search results; other delivery routes, such as phishing and social media, are suspected but not confirmed. The extensions requested excessive browser permissions, letting them interact with every site the user visited, execute arbitrary code, and redirect traffic. Observed behavior included fetching scripts from attacker-controlled domains and setting up proxy connections over WebSocket. DomainTools noted that ratings and reviews may also have been manipulated, so Chrome Web Store reviews are not a reliable signal of safety. Google has since removed the identified extensions from the Chrome Web Store.
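The permission set is the one thing about an extension that cannot be faked by bought reviews, so it is the first thing to audit. The script below is an added example for this brief, not DomainTools' tooling or Google's. The two manifests, the extension names and the weights assigned to each permission are constructed assumptions for triage; they are not a Chrome definition of danger, and a legitimate ad blocker will trigger some of these checks too.

```python
"""Flag over-privileged Chrome extension manifests (MV2 or MV3).

Added example; not code from DomainTools or Google. A hit is a reason to
review, not proof of malice. The weights are an assumed triage scheme.
"""
import json
from dataclasses import dataclass

# Constructed manifest resembling a "VPN helper" that asks for far more than
# a VPN client needs. Names and URLs are documentation placeholders.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Fast VPN Helper",
    "version": "1.4.2",
    "permissions": ["storage", "tabs", "scripting", "webRequest", "cookies", "proxy"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}],
    "externally_connectable": {"matches": ["https://*.example.invalid/*"]},
})

# Constructed minimal manifest for a benign single-site tool, for contrast.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Intranet Timesheet Button",
    "version": "0.3.0",
    "permissions": ["storage"],
    "host_permissions": ["https://timesheet.example.org/*"],
    "content_scripts": [{"matches": ["https://timesheet.example.org/*"], "js": ["button.js"]}],
})

# Permissions that, combined with broad host access, enable credential theft,
# script injection or traffic interception. Assumed weights for triage only.
RISKY_PERMISSIONS = {
    "scripting": 3, "webRequest": 2, "webRequestBlocking": 3, "cookies": 3,
    "proxy": 3, "debugger": 4, "declarativeNetRequest": 2, "webNavigation": 1,
    "nativeMessaging": 2, "tabs": 1, "history": 2, "clipboardRead": 2,
}
# Permissions whose damage depends on also reaching every site.
NEEDS_BROAD_HOSTS = ("scripting", "webRequest", "webRequestBlocking", "cookies")
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*")

@dataclass(frozen=True)
class Finding:
    weight: int
    detail: str

def _is_broad(pattern: str) -> bool:
    return pattern.strip() in BROAD_PATTERNS

def audit_manifest(manifest_json: str) -> list[Finding]:
    """Return findings sorted by weight (highest first)."""
    m = json.loads(manifest_json)
    findings: list[Finding] = []
    mv = m.get("manifest_version", 2)

    # Host access: MV3 lists it in host_permissions, MV2 mixes it into permissions.
    hosts = list(m.get("host_permissions", []))
    perms = list(m.get("permissions", []))
    if mv < 3:
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
        perms = [p for p in perms if p not in hosts]
    broad_hosts = [h for h in hosts if _is_broad(h)]
    if broad_hosts:
        findings.append(Finding(3, f"host access to every site: {broad_hosts}"))

    for p in perms:
        if p in RISKY_PERMISSIONS:
            w = RISKY_PERMISSIONS[p]
            if broad_hosts and p in NEEDS_BROAD_HOSTS:
                w += 1  # the combination is what enables session/credential theft
            findings.append(Finding(w, f"permission {p!r}"))

    for cs in m.get("content_scripts", []):
        if any(_is_broad(x) for x in cs.get("matches", [])):
            findings.append(Finding(3, f"content script {cs.get('js')} runs on every page"))

    # An MV2 CSP that whitelists a remote origin lets the extension load code at runtime.
    csp = m.get("content_security_policy")
    if isinstance(csp, str) and "https://" in csp:
        findings.append(Finding(3, "CSP allows remotely hosted script"))

    if "externally_connectable" in m:
        findings.append(Finding(1, "web pages may message the extension (externally_connectable)"))

    return sorted(findings, key=lambda f: (-f.weight, f.detail))

def risk_score(manifest_json: str) -> int:
    """Sum of finding weights; 0 means nothing in the manifest needs a second look."""
    return sum(f.weight for f in audit_manifest(manifest_json))

if __name__ == "__main__":
    for label, mf in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(f"{label}: score {risk_score(mf)}")
        for f in audit_manifest(mf):
            print(f"  [{f.weight}] {f.detail}")
```

Run it over the manifest.json of each installed extension (under the browser profile's Extensions directory) rather than trusting the store listing; the store page shows what the developer claims, the manifest shows what the code can do.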
2025-05-20 14:43:32 bleepingcomputer MALWARE RVTools Hit by Supply Chain Attack Delivering Bumblebee Malware
RVTools' official website was compromised to distribute a tampered installer containing a DLL that carries the Bumblebee malware loader, affecting users who downloaded the tool during the compromise window. ZeroDay Labs identified the malicious build after noticing that the downloaded installer's hash and file size did not match the published values, the classic signature of a supply chain compromise. After the discovery the RVTools website was taken down temporarily and later restored with the correct version of the software. Bumblebee is a loader used to drop further payloads such as Cobalt Strike beacons, information stealers, and ransomware, and its ties to the now-defunct Conti operation and its successors make an infection a high-severity event. Arctic Wolf separately reported trojanized RVTools installers spreading through typosquatted domains. RVTools, a widely used VMware vSphere inventory and reporting utility, should be downloaded only from the official site, and users should verify the integrity of downloaded files against hashes obtained through a separate channel and stay alert to phishing and malvertising.
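The RVTools compromise was caught by a hash and size mismatch, which is the check every downloaded installer should get before it runs. The code below is an added example for this brief, not code from Dell, RVTools, ZeroDay Labs or Arctic Wolf. The installer bytes, the checksum file and the filename are constructed stand-ins; the published digest is derived in-code from the "good" bytes purely so the demo is self-contained.

```python
"""Verify a downloaded installer against a published SHA-256 and file size.

Added example; not Dell/RVTools, ZeroDay Labs or Arctic Wolf code. Streamed
hashing (installers are large), a size comparison that rejects padded or
truncated files, and a constant-time digest comparison.
"""
import hashlib
import hmac
import io
from dataclasses import dataclass
from typing import BinaryIO, Optional

@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str
    actual_sha256: str
    actual_size: int

def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ("<64 hex chars>  <filename>") into
    {filename: hex_digest}. A leading '*' binary-mode marker is stripped."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            table[parts[1].strip().lstrip("*")] = parts[0].lower()
    return table

def verify_stream(fh: BinaryIO, expected_sha256: str,
                  expected_size: Optional[int] = None, chunk: int = 1 << 20) -> VerifyResult:
    """Hash the stream in chunks and compare digest (and size, if known)."""
    h = hashlib.sha256()
    size = 0
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
        size += len(block)
    digest = h.hexdigest()
    if expected_size is not None and size != expected_size:
        return VerifyResult(False, f"size {size} != expected {expected_size}", digest, size)
    # compare_digest does not short-circuit on the first differing character.
    if not hmac.compare_digest(digest, expected_sha256.strip().lower()):
        return VerifyResult(False, "sha256 mismatch", digest, size)
    return VerifyResult(True, "hash and size match", digest, size)

def verify_bytes(data: bytes, expected_sha256: str, expected_size: Optional[int] = None) -> VerifyResult:
    return verify_stream(io.BytesIO(data), expected_sha256, expected_size)

def verify_file(path: str, expected_sha256: str, expected_size: Optional[int] = None) -> VerifyResult:
    with open(path, "rb") as fh:
        return verify_stream(fh, expected_sha256, expected_size)

# Constructed stand-ins. GOOD_INSTALLER plays the vendor's real build and
# PUBLISHED_SUMS the checksum file fetched over a separate channel; the
# trojanized copy has an extra DLL-like payload appended.
GOOD_INSTALLER = b"RVTools-installer-bytes-" * 64
TROJANIZED_INSTALLER = GOOD_INSTALLER + b"MZ-extra-dll-payload"
PUBLISHED_SUMS = f"{hashlib.sha256(GOOD_INSTALLER).hexdigest()}  *installer.msi\n"

if __name__ == "__main__":
    expected = parse_sha256sums(PUBLISHED_SUMS)["installer.msi"]
    for label, data in (("vendor build", GOOD_INSTALLER), ("trojanized", TROJANIZED_INSTALLER)):
        r = verify_bytes(data, expected, len(GOOD_INSTALLER))
        print(f"{label:12} ok={r.ok} {r.reason}")
```

The reference hash has to come from somewhere the attacker did not control: in this incident the download site itself was compromised, so a hash published on the same page could have been replaced along with the binary. Take it from a second channel, and on Windows also check the installer's Authenticode signature (Get-AuthenticodeSignature in PowerShell) before running it.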
2025-05-20 14:08:44 bleepingcomputer CYBERCRIME How Cybercriminals Exploit Service Desks and Solutions to Counter Them
Cybercriminals target service desks through social engineering, tricking agents into resetting credentials or handing over sensitive information. Recent incidents involving the DragonForce ransomware at major British retailers reportedly began with compromised service desk interactions. Attackers impersonate executives or trusted vendors and lean on agents' empathy and a sense of urgency. The Verizon Data Breach Investigations Report finds that stolen credentials feature in 44.7% of data breaches. Strict caller verification procedures and regular training can defeat most of these attempts, and enforcing least privilege and segmenting critical systems limits the damage a manipulated agent can do. Tools such as Specops Secure Service Desk add multi-factor verification and customizable challenge flows to the reset process. Regular training and phishing simulations are recommended to keep service desk teams vigilant.
2025-05-20 13:02:32 thehackernews NATION STATE ACTIVITY SideWinder APT Targets South Asian Governments Using Old Office Exploits
The SideWinder APT group has targeted high-level government entities in Sri Lanka, Bangladesh, and Pakistan. SideWinder used spear-phishing emails carrying geofenced payloads, so only intended victims in specific countries received the malicious content. The attacks exploited two old Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to deploy the StealerBot malware; both flaws have had patches available for years, so fully updated Office installations are not exposed. Targeted organizations include Bangladesh's Telecommunication Regulatory Commission and its Ministries of Defence and Finance, among others in the region. StealerBot can drop additional malware, launch reverse shells, and exfiltrate keystrokes, passwords, and files. The campaign uses DLL side-loading for persistence and controlled delivery to manage the scope of the attack. The operation fits SideWinder's pattern of consistent, carefully targeted activity in the region.
2025-05-20 12:45:58 thehackernews CYBERCRIME Researchers Uncover IAM Security Flaws in AWS and Azure Services
Security researchers identified weaknesses in AWS default IAM roles affecting services such as SageMaker, Glue, and EMR. These roles, created automatically when a service is set up, carry overly broad permissions that could be abused for lateral movement across services and privilege escalation within an AWS account. The researchers showed that an attacker holding such a role could modify resources belonging to other services, such as CloudFormation templates and SageMaker assets, and so move from one service into another. A similar issue was found in the open-source Ray framework, whose default IAM role granted full access to S3, widening the attack surface. AWS has responded by revising how the AmazonS3FullAccess policy is applied to default service roles, narrowing their scope, and it urges organizations to audit and update existing roles to reduce risk. A separate vulnerability in Azure's AZNFS-mount utility could allow an unprivileged user to escalate to root, affecting Azure AI and HPC workloads. The findings underline the need for tightly scoped access controls and ongoing review of cloud environments.
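The AWS half of that story is a policy-shape problem: a service role with a service-wide wildcard on every resource, plus an unscoped iam:PassRole, is a pivot point into any other service. The audit below is an added example for this brief, not Aqua Security's tooling or AWS code. Both policy documents are constructed; the broad one mirrors the shape of AmazonS3FullAccess attached to a service role, the scoped one is the alternative, and the list of pivot actions is an assumed triage list rather than an AWS classification.

```python
"""Audit IAM policy documents for the over-broad "default role" pattern.

Added example; not Aqua Security or AWS code. Flags Allow statements that grant
a service-wide wildcard on Resource "*", an unscoped iam:PassRole, or any other
action on every resource, and reports the worst severity found.
"""
import json
from dataclasses import dataclass

# Constructed: the shape of AmazonS3FullAccess plus PassRole on a service role.
BROAD_SERVICE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": ["glue:GetJob", "glue:StartJobRun"], "Resource": "*"},
    ],
})

# Constructed: the same job's needs, scoped to one bucket and one passable role.
SCOPED_SERVICE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-ml-artifacts/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-ml-artifacts"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-glue-job-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "glue.amazonaws.com"}}},
    ],
})

# Actions whose unscoped grant lets a caller reach other services' resources.
# Assumed triage list, not an AWS classification.
PIVOT_ACTIONS = ("iam:PassRole", "cloudformation:CreateStack", "cloudformation:UpdateStack",
                 "lambda:UpdateFunctionCode", "sts:AssumeRole")

@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    index: int      # statement position in the document
    detail: str

def _as_list(v):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def audit_policy(document: str) -> list[Finding]:
    doc = json.loads(document)
    findings: list[Finding] = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        any_resource = "*" in _as_list(st.get("Resource"))
        conditioned = bool(st.get("Condition"))
        if "NotAction" in st:
            findings.append(Finding("high", i, "Allow with NotAction grants everything not listed"))
        for a in actions:
            if a == "*" and any_resource:
                findings.append(Finding("high", i, "Action * on Resource *: full admin"))
            elif a.endswith(":*") and any_resource:
                findings.append(Finding("high", i, f"{a} on every resource (service-wide wildcard)"))
            elif a in PIVOT_ACTIONS and any_resource and not conditioned:
                findings.append(Finding("high", i, f"unscoped {a}: lets the role pivot into other services"))
            elif any_resource:
                findings.append(Finding("medium", i, f"{a} on Resource *"))
    return findings

def worst_severity(document: str) -> str:
    sev = {f.severity for f in audit_policy(document)}
    return "high" if "high" in sev else ("medium" if "medium" in sev else "none")

if __name__ == "__main__":
    for label, doc in (("broad", BROAD_SERVICE_ROLE_POLICY), ("scoped", SCOPED_SERVICE_ROLE_POLICY)):
        print(f"{label}: worst={worst_severity(doc)}")
        for f in audit_policy(doc):
            print(f"  [{f.severity}] statement {f.index}: {f.detail}")
```

Feed it the Document field returned by aws iam get-policy-version (for managed policies) or get-role-policy (for inline ones) for every role a service created on your behalf; the roles AWS creates automatically are the ones nobody wrote, so nobody reviewed them.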
2025-05-20 12:23:08 theregister RANSOMWARE Ransomware Disrupts UK Food Supplier, Threatens Supermarket Stocks
A ransomware attack on Peter Green Chilled, a distributor serving major UK supermarket chains, occurred on May 14. The company informed customers of the attack and stopped processing new orders on May 15, while its transport operations continued. Phone and email were disrupted, and the company's website was not accepting external messages. The attack affected not only Peter Green Chilled but also its clients, including The Black Farmer, which faced potential losses of around £100,000 from stock it could not move. The knock-on effect on the supply chain shows how exposed small suppliers are and how quickly fresh goods are lost. Separately, M&S, which suffered its own recent cyberattack, is preparing a substantial cyber insurance claim to cover the financial fallout. Experts note a shift in ransomware tactics from data theft toward operational disruption, which forces quicker payments and increases pressure on victims. The incident underlines the need for stronger operational resilience and security measures across the retail sector.
2025-05-20 11:01:25 thehackernews MISCELLANEOUS Growing Security Tool Use with Mixed Effectiveness and Insights
Pentera's 2025 State of Pentesting Report surveyed 500 CISOs worldwide on current security practices and challenges. Despite growing security stacks, an average of 75 tools per organization, 67% of U.S. enterprises reported a breach within the last 24 months. Larger stacks drive up alert volumes, with some enterprises handling more than 2,000 alerts per week, which makes prioritization essential to combat alert fatigue. Software-based pentesting is on the rise, with 50% of CISOs adopting these tools as their primary security testing method, citing greater trust in them and the need for scalable testing. Cyber insurers increasingly shape security strategy, with 59% of CISOs implementing solutions based on insurer recommendations. Confidence in government cybersecurity support is low: only 14% of CISOs are satisfied with the help provided, and most find it insufficient or unreliable. The report argues for continuous, scalable security validation to keep pace with the growing complexity of threats and tool sprawl.