Major Data Breaches and Leaks
- Marks & Spencer (UK): Retailer M&S confirmed customer data was stolen in a late-April cyberattack. The stolen information included customer names, dates of birth, home/email addresses, phone numbers, household details and order histories. (A crime gang dubbed “DragonForce” claimed responsibility and is also linked to recent breaches at the Co‑op and Harrods.)
- Nova Scotia Power (Canada): The utility announced that in a breach dating back to March 19, hackers exfiltrated personal data for its ~500,000 customers. Exposed fields included full names, contact info (phone, email, addresses), billing and payment history, DOBs, SINs, driver’s license numbers, and (for some) bank account numbers. The company says no misuse has been detected to date and is offering credit monitoring for affected users.
- House of Dior (France): On May 7, luxury brand Dior’s online customer database was hacked, affecting its Fashion & Accessories business in South Korea and China. Leaked data (for an unspecified number of customers) comprised personal contact and purchase details – full name, gender, phone, email, postal address and purchase history. Dior said no passwords or payment card data were exposed (those were stored separately) and is notifying regulators and customers.
- Coinbase (USA): Cryptocurrency exchange Coinbase disclosed a breach affecting ~69,461 retail customers. Rogue support personnel (bribed by attackers) illegally accessed customer records. Stolen data included names, birthdates, masked bank account/ACH numbers, partial SSNs, email, phone, addresses, and images of identity documents. Attackers have demanded extortion payments, and Coinbase plans to reimburse any losses.
- Western Sydney University (Australia): WSU revealed two security incidents, including a January–February compromise of its single sign-on system. Around 10,000 current/former students had their personal and enrollment information (demographics, course records) exposed. The university said the breach has been contained and notified those affected.
- Australian Human Rights Commission: The AHRC admitted that about 670 documents (complaint form attachments) were inadvertently exposed between late April and early May. These contained sensitive personal data of human rights complainants (names, contact details, health and religious information, photos, etc.). The incidents are under investigation, and regulators have been notified.
Significant Cyberattacks and Incidents
- Cellcom Outage (USA): Wisconsin telecom Cellcom confirmed that a cyberattack (suspected ransomware) caused its four-day service outage (voice/data disruptions) beginning May 12. CEO Brighid Riordan said services are gradually being restored and emphasized there is “no evidence that personal information [of customers]… is impacted”.
- Nucor Corp. (USA): Steelmaker Nucor announced on May 14 that an unauthorized third party infiltrated its networks, forcing it to take multiple systems offline. This disruption halted production at several U.S. steel mills for days. The company reported no customer or supplier impact but has notified investors (SEC Form 8-K) of the prolonged outage.
- Arla Foods (Germany): Danish dairy co‑op Arla confirmed a cyberattack on its German operations. The breach (disclosed May 19) disrupted production at its Upahl plant, causing immediate shutdown of processing and distribution lines. No ransom note has surfaced, and Arla says it is working to restore operations – some products may be delayed to market.
- SAP NetWeaver Exploitation: Ransomware groups RansomEXX and BianLian were seen exploiting a zero-day in SAP’s NetWeaver Visual Composer (CVE-2025-31324) to gain remote code execution on corporate servers. SAP had issued an out-of-band patch on April 24 after ReliaQuest flagged the flaw as exploited in the wild. Although intruders reportedly deployed malware modules (e.g. the PipeMagic backdoor, Windows CVE-2025-29824), no full ransomware encryption has been confirmed yet. Organizations using affected SAP systems are urged to apply the emergency patches immediately.
- Record DDoS Test: On May 12, security journalist Brian Krebs’s site withstood a brief (~45‑second) distributed denial-of-service attack peaking at 6.3 terabits/sec. Analysts believe this enormous burst was a demonstration by the new Aisuru/Airashi IoT botnet, likely intended to showcase power to prospective buyers. (Krebs’ site saw no lasting damage thanks to robust DDoS defences.)
- Other Incidents: In the healthcare sector, no new large-scale ransomware hits were announced this week, but hospitals remain on alert after multiple recent attacks. (The HHS Cybersecurity Task Force’s weekly newsletter noted that extortion gangs continue to focus on medical records and network access.)
Critical Vulnerabilities and Patches
- Microsoft Patch Tuesday (May 14): Microsoft released fixes for 72 CVEs (5 rated Critical) in its May 2025 security update. Notably, five of these were zero-days that had been exploited in the wild. Patched flaws include remote-code execution bugs and local privilege escalations. (For example, several use-after-free bugs in Office applications – e.g. CVE-2025-30377 and CVE-2025-32704 – were rated CVSS 8.4.) Administrators should apply the update immediately, especially on Internet-facing systems.
- Apple Security Updates (May 13): Apple’s latest iOS/iPadOS 18.5 and macOS Sequoia/Monterey updates fixed 30+ vulnerabilities across devices. Key fixes include an iPhone baseband flaw (CVE-2025-31214) in the new C1 modem that could allow network traffic interception. Other patched bugs (in AppleJPEG, CoreMedia, WebKit, etc.) addressed out-of-bounds reads and memory corruption that attackers could exploit to gain kernel or root privileges. Users should update their Apple devices to close these security holes.
- Fortinet RCE (May 13): Fortinet disclosed a critical remote code execution bug (CVE-2025-32756, CVSS 9.6) affecting multiple products (FortiVoice, FortiRecorder, FortiNDR, FortiMail, FortiCamera). A threat actor is already exploiting this unauthenticated stack overflow to compromise FortiVoice appliances. Patches for supported firmware versions were released on May 13, and Fortinet has urged customers to upgrade immediately. This CVE was added to CISA’s Known Exploited Vulnerabilities catalog on May 14.
- Cisco IOS XE (May 7): Cisco’s May IOS XE advisory bundle included a critical flaw, CVE-2025-20188, in the wireless controller’s out-of-band download service. This bug (CVSS 10.0) allows an unauthenticated attacker to upload arbitrary files to the system. Users of Cisco enterprise routers and controllers should apply the Cisco-provided updates without delay. (The UK’s NHS Digital and other agencies highlighted this patch due to its extreme severity.)
- Adobe and Others: Adobe fixed critical RCE flaws this week as well, including Apache ColdFusion vulnerabilities (CVE-2025-43559, -43560 with CVSS 9.1). These could allow code execution on web servers if exploited. In addition, dozens of lower-severity bugs were patched in products from Red Hat (OpenSSL), Apache, and others. (CISA’s weekly bulletin SB25-139 on May 19 catalogued dozens of new CVEs, mostly high/medium severity.) Organisations should review the CISA summary and vendor advisories to ensure all relevant systems are patched.
Government and Industry Cyber Responses
- U.S. Congressional Hearing: On May 14, a House Energy & Commerce subcommittee held a hearing on cyber resilience in energy, water and healthcare. DOE and HHS officials described new public–private initiatives: DOE is piloting an “Energy Threat Analysis Center” to aggregate and analyze threat intelligence from industry and government, and HHS is coordinating a Healthcare Sector Coordinating Council of 15 federal agencies and ~300 private-sector partners to strengthen hospital cyber defenses. These efforts support the recent National Cybersecurity Strategy’s goal of whole-of-nation infrastructure protection.
- CISA Bulletins: On May 19, CISA released its weekly vulnerability summary (SB25-139) listing dozens of newly catalogued CVEs from the prior week (highlights noted above). This bulletin helps defenders prioritize patching of newly disclosed flaws. CISA continues to urge critical infrastructure operators to act on “Known Exploited Vulnerabilities” (such as the Fortinet RCE and Cisco IOS flaws noted above).
- ICS/OT Advisories: On May 20, CISA and partner agencies released a series of 13 industrial-control systems (ICS) advisories covering vulnerabilities in SCADA and IoT products (Schneider Electric, Siemens, Vertiv, etc.). These alerts provide technical details and mitigation guidance for operators in critical industries. (For example, Siemens republished advisory SSA-614723 on May 15, and NHS Digital similarly flagged Cisco’s bundle advisory on May 8.)
- Regulatory Actions: No major new cyber regulations were enacted this week, but agencies continued enforcement and guidance. Notably, the UK’s Information Commissioner’s Office fined two healthcare providers over past breaches (decisions published May 2025). The Australian Cyber Security Centre (ACSC) updated advisories on common threats. Industry bodies (ISACs, FS-ISAC) also circulated bulletins on current ransomware TTPs.
Miscellaneous
- Evolving Phishing Techniques: Researchers described a sophisticated “focused phishing” campaign targeting specific executives. Attackers abused legitimate web infrastructure (including real CAPTCHA challenges) and performed server-side email validation to ensure only high-value targets saw the phishing page. In one case an employee visiting a compromised but trusted e-commerce domain was served a malicious login form only after clicking a link. This highlights the need for browser-based anti-phishing tools and zero-trust email defenses.
- Industry Forums: Cybersecurity professional conferences continued (e.g. CyberSecurity Summits in Nashville, TN on May 15 and Austin, TX on May 22) where leaders discussed risk management and the latest threat intelligence. (Key themes included supply-chain security and AI-enhanced attacks.) These events stress the importance of cross-sector collaboration and user awareness in staying ahead of emerging threats.
Conclusion
This week’s headlines underscore that no sector is immune from cyber threats. Breaches hit retail, utilities, finance, and education simultaneously, while critical infrastructure and supply chains faced targeted attacks. The key lessons for organizations are clear: patch urgently (especially for high-severity CVEs like CVE-2025-20188 and CVE-2025-32756), monitor for unusual activity, and validate the security of third-party partners (as seen in the M&S and Adidas incidents). Employees should be trained to recognize advanced phishing lures and verify unsolicited tech support contacts. Finally, leveraging threat intelligence (such as CISA advisories and industry ISAC alerts) and participating in public-private information-sharing initiatives (DOE’s Energy Threat Center, Healthcare Sector Council, etc.) can greatly improve resilience. Vigilance and proactive defense remain the most effective safeguards for the coming months.
Sources
- TechCrunch – “Marks & Spencer confirms customers’ personal data was stolen in hack,” May 13, 2025 (techcrunch.com).
- BleepingComputer – “Nova Scotia Power confirms hackers stole customer data in cyberattack,” May 15, 2025 (bleepingcomputer.com).
- BleepingComputer – “Fashion giant Dior discloses cyberattack, warns of data breach,” May 14, 2025 (bleepingcomputer.com).
- BleepingComputer – “Coinbase says recent data breach impacts 69,461 customers,” May 19, 2025 (bleepingcomputer.com).
- BleepingComputer – “Western Sydney University discloses security breaches, data leak,” May 2025 (bleepingcomputer.com).
- DarkReading – “Australian Human Rights Commission confirms data breach,” May 16, 2025.
- BleepingComputer – “Mobile carrier Cellcom confirms cyberattack behind extended outages,” May 14, 2025 (bleepingcomputer.com).
- BleepingComputer – “Steel giant Nucor Corporation facing disruptions after cyberattack,” May 14, 2025 (bleepingcomputer.com).
- BleepingComputer – “Arla Foods confirms cyberattack disrupts Upahl (Germany) production,” May 19, 2025 (bleepingcomputer.com).
- BleepingComputer – “Ransomware gangs join ongoing SAP NetWeaver attacks,” May 14, 2025 (bleepingcomputer.com).
- KrebsOnSecurity – “Hit With Near-Record 6.3 Tbps DDoS,” May 15, 2025 (krebsonsecurity.com).
- CrowdStrike – “May 2025 Patch Tuesday: Five Zero-Days and Five Critical Vulnerabilities,” May 14, 2025 (crowdstrike.com).
- CyberScoop – “Apple patches dozens of vulnerabilities (iOS 18.5, macOS Sequoia),” May 13, 2025 (cyberscoop.com).
- Rapid7 – “CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products,” May 14, 2025 (rapid7.com).
- NHS Digital – “Cisco Releases May 2025 IOS XE Software Security Advisory Bundled Publication,” May 8, 2025 (digital.nhs.uk).
- CISA – “Vulnerability Summary for the Week of May 12, 2025,” released May 19, 2025 (cisa.gov).
- Cybersecurity Dive – “House hearing details cyber resilience efforts for energy, water and healthcare,” May 14, 2025 (cybersecuritydive.com).
- BleepingComputer – “Focused Phishing: Attack Targets Victims With Trusted Sites and Live Validation,” May 14, 2025 (bleepingcomputer.com).