Cybersecurity Week in Review: May 27 – June 2, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

1. Major Data Breaches and Leaks

  • Adidas (May 27, 2025): German apparel firm Adidas disclosed that a hacker accessed customer help-desk records via a breached third-party service provider. The exposed data comprised contact information (names, emails, phone numbers) of customers who had reached out to Adidas support. Adidas said no passwords, credit card or financial data were stolen, and it is notifying affected consumers and regulators while investigating with outside experts.
  • LexisNexis Risk Solutions (May 28): Data broker LexisNexis confirmed that personal data for 364,000+ individuals was inadvertently exposed on a public GitHub repository. The leak (originally dated April 1, 2025) involved files used in software development; it included names, contact details, Social Security numbers, driver’s license numbers and birthdates. LexisNexis says no systems were breached (data was simply uploaded incorrectly), and it reported the incident to authorities and is reviewing internal processes.
  • City of Sheboygan, Wisconsin (May 27): Local government officials warned ~67,000 residents that a ransomware attack on Oct. 31, 2024 exposed their personal records. The city’s breach notices (filed May 23) indicate Social Security numbers, state IDs and license-plate numbers were stolen during the attack by the “Chort” gang. Sheboygan confirmed an investigation (completed May 14) and is offering credit monitoring. This incident highlights the long tail of ransomware: even though the intrusion happened last year, its impact became public this week.
  • Arvest Bank (May 30): Arkansas-based Arvest Bank disclosed that a software update glitch on April 24 briefly let some online banking customers view other people’s account details. The bank says 7,537 customers had data exposure (names, account numbers, balances and recent activity). Arvest detected and fixed the issue within hours (by disabling online access) and notified all affected customers on May 9. This “disclosure glitch” underscores that even non-malicious bugs can trigger data breaches under breach notification laws.

2. Significant Cyberattacks and Incidents

  • MSP Supply-Chain Ransomware (DragonForce via SimpleHelp, May 27): Sophos and others reported that the DragonForce (UNC3944) ransomware group exploited multiple known flaws in the SimpleHelp remote-management tool (CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726) on May 27. Attackers breached an MSP’s SimpleHelp server, then pushed DragonForce encryptors to numerous downstream client systems while exfiltrating sensitive files (double extortion). This supply-chain attack forced victims to restore from backups and patch their RMM systems. (Sophos notes DragonForce affiliates, including former RansomHub/Scattered Spider members, are increasingly targeting large networks.)
  • ConnectWise/ScreenConnect Breach (May 28): ConnectWise (maker of ScreenConnect RMM software) revealed a suspected nation-state cyberattack that compromised its internal network and affected a “very small number” of ScreenConnect customers. The company detected “suspicious activity” on May 27 and on May 28 publicly confirmed the breach. It hired Mandiant for forensic analysis and has patched its ScreenConnect servers. ConnectWise says it has notified affected customers and law enforcement. The incident highlights third-party risk: ScreenConnect is used by many organizations for remote IT management.
  • Victoria’s Secret Outage (May 29): Lingerie retailer Victoria’s Secret took its U.S. e-commerce site and some in-store services offline after detecting a security incident. The site displayed a “working to restore operations” message, and customer care functions were paused. Victoria’s Secret has engaged outside cybersecurity experts and activated its incident response plan. No details (e.g. malware or data theft) have been released, but the shutdown underscores how even unknown incidents can severely disrupt retail operations.
  • MathWorks Ransomware (late May): MATLAB developer MathWorks confirmed that a ransomware attack in late May disrupted parts of its IT environment. The company (which provides engineering software globally) said customer-facing applications and some internal services were affected. MathWorks posted status updates indicating it is working to restore systems. This shows that even major software firms can fall victim to ransomware, impacting both employees and users.
  • Cork Protocol Crypto Heist (May 28): A DeFi platform called Cork Protocol lost >$12 million in cryptocurrency on May 28 due to a smart-contract exploit. Attackers drained multiple digital wallets via a flaw in the platform’s code. In response, Cork Protocol paused all contracts and trading while auditors analyze the breach. The episode highlights continuing risks in decentralized finance and smart-contract security.
  • Russian ISP DDoS (May 30): Russian telecom firm ASVT (serving Moscow/region) suffered a massive DDoS attack on May 30, knocking out internet for tens of thousands of customers. The outage affected remote work and payment systems. Although unclaimed, the pro-Ukraine hacktivist group “IT Army” is suspected. ASVT called it “one of the most severe [DDoS attacks] of the year”, illustrating how geopolitical conflicts continue to spill into cyber disruptions.

3. Critical Vulnerabilities and Patches

  • Google Chrome/Chromium (May 2025): Google released fixes for two high-severity browser bugs on May 31. CVE-2025-5063 is a use-after-free flaw in the Compositing component, and CVE-2025-5280 is an out-of-bounds write in the V8 JavaScript engine. Both were rated high severity but not yet known to be exploited in the wild. Google restricted details until most users update, emphasizing the need to apply the new Chrome release promptly.
  • WordPress Plugins: Security firm Sucuri’s May roundup flagged critical bugs in popular WordPress plugins, including a privilege-escalation flaw in “OttoKit” and an unauthenticated SQL injection in the “Popup and Slider Builder” plugin (used by 100K+ sites). Wordfence also reported over 160 vulnerabilities in 108 plugins/themes (XSS, SQLi, etc.) in the past week. These findings reinforce that web administrators must swiftly patch or remove vulnerable plugins to prevent automated exploit campaigns.
  • CISA Known Exploited Vulnerabilities (KEV) Additions: On June 2, CISA added five CVEs to its KEV catalog (based on active attacks). Among them are CVE-2025-3935 (an improper authentication bug in ConnectWise ScreenConnect) and CVE-2025-35939/CVE-2024-56145 (two code-injection flaws in Craft CMS). Organizations using those products must apply vendor patches immediately under U.S. directive. CISA’s list also included two legacy ASUS router vulnerabilities (CVE-2021-32030, CVE-2023-39780) demonstrating that unpatched older devices remain targets.
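As an added example (not code from the roundup or from CISA), the following Python check parses a constructed snippet in the shape of CISA's KEV JSON feed, indexes it by vendor and product, and flags inventory hosts whose software carries a KEV entry, marking those past the catalog due date. Only the CVE IDs and products come from the roundup; the hostnames, vulnerability names, dates and due dates are assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json feed.
# CVE IDs and products are from the roundup; dates, names and due dates are illustrative.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities", "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2025-3935", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "vulnerabilityName": "ScreenConnect Improper Authentication", "dateAdded": "2025-06-02", "dueDate": "2025-06-23"},
    {"cveID": "CVE-2025-35939", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "vulnerabilityName": "Craft CMS Code Injection", "dateAdded": "2025-06-02", "dueDate": "2025-06-23"},
    {"cveID": "CVE-2024-56145", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "vulnerabilityName": "Craft CMS Code Injection", "dateAdded": "2025-06-02", "dueDate": "2025-06-23"}
  ]
}"""

# Constructed asset inventory (hypothetical hosts); the last one has no KEV entry in the sample.
SAMPLE_INVENTORY = [
    {"host": "rmm01", "vendorProject": "ConnectWise", "product": "ScreenConnect"},
    {"host": "web02", "vendorProject": "Craft CMS", "product": "Craft CMS"},
    {"host": "fw-edge", "vendorProject": "ExampleVendor", "product": "ExampleFirewall"},
]

def kev_index(raw_json):
    """Parse a KEV feed and index its entries by normalised (vendor, product)."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())
        index.setdefault(key, []).append(entry)
    return index

def match_inventory(inventory, index, today_iso):
    """Return one finding per (host, KEV CVE) pair, flagging entries past their due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        key = (asset["vendorProject"].strip().lower(), asset["product"].strip().lower())
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cveID": entry["cveID"],
                             "dueDate": due.isoformat(), "overdue": today > due})
    return sorted(findings, key=lambda f: (f["dueDate"], f["host"], f["cveID"]))

if __name__ == "__main__":
    for f in match_inventory(SAMPLE_INVENTORY, kev_index(SAMPLE_KEV_JSON), date.today().isoformat()):
        print(f"{f['host']}: {f['cveID']} due {f['dueDate']}" + (" OVERDUE" if f["overdue"] else ""))
```

Against the live feed, the same two functions work unchanged once the JSON is fetched from cisa.gov; matching on vendor and product only is deliberately coarse, so version checks against the vendor advisory still follow.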

4. Government and Industry Cyber Responses

  • International Collaboration: On May 20–21, NATO held its annual Cyber Defence Pledge Conference in Poland, bringing together member and partner nations to review cybersecurity progress. Attendees (including EU and Indo-Pacific partners) discussed public-private information-sharing and critical infrastructure resilience. NATO emphasized increased cross-border cooperation and innovation to boost collective cyber defenses. This reflects the global push for unified cyber readiness amid rising threats.
  • U.S. Sanctions on Crypto Scam Infrastructure: The U.S. Treasury (OFAC) sanctioned FunNull Technology Inc. (Philippines) on May 29 for providing networking services to hundreds of thousands of crypto scam (“pig butchering”) sites. FunNull rented bulk cloud IPs and domain-generation algorithms used by fraudsters; OFAC noted U.S. victims lost over $200 million via these scams. Deputy Sec. Faulkender said the move targets criminal infrastructure that fleeces Americans. The FBI also issued a cybersecurity advisory listing FunNull’s IPs/domain patterns and urged the public to report related scams to the IC3 portal. This combined sanction/advisory action shows government resolve to dismantle emerging cybercrime platforms.
  • Law Enforcement Actions (Lumma Infostealer): On May 30, a transnational law enforcement operation (led by Europol, FBI and Microsoft) disrupted the Lumma infostealer service. Authorities seized ~2,500 domains and wiped Lumma’s main server by exploiting a Dell iDRAC bug. Check Point Research notes that while the takedown disrupted Lumma’s infrastructure, operators quickly restored some services via new servers. This action targets a malware-as-a-service platform used by multiple criminal groups, illustrating continued pressure on cybercrime ecosystems.
  • Company Incident Responses: Affected organizations have been quick to mobilize expert help. ConnectWise engaged Mandiant for forensic analysis and is coordinating with law enforcement as it patches ScreenConnect. Adidas and LexisNexis both say they are notifying regulators and customers and working with outside security teams on investigations. In general, firms are strengthening monitoring and implementing mitigation steps (e.g. ConnectWise hardening its network) as incidents unfold. These responses follow best practices: containment, forensics, and stakeholder communication.

5. Miscellaneous

  • Threat Intelligence & Research: Industry researchers are actively tracking these developments. Check Point Research’s weekly Threat Intelligence bulletin (June 2) summarizes many of the above events and highlights emerging threats. Of note, CPR reported new cyber-espionage findings: a China-linked APT41 campaign using a custom stealer (“TOUGHPROGRESS”) delivered via spearphishing, and a novel Linux-based IoT botnet called “PumaBot” that brute-forces SSH on cameras and traffic systems. These reports show attackers innovating (e.g. hiding in Google Calendar traffic, targeting IoT) even as older threats persist.
  • Industry Conferences: Aside from NATO’s pledge conference, the week saw major security events. For example, the ECSO’s Cybersec Europe 2025 expo (May 21–22 in Brussels) attracted thousands of cybersecurity professionals. (Organizers reported ~7,000 attendees, an increase of 14% year-over-year.) Such conferences reinforce shared learnings on threats like ransomware and third-party risk.
  • Policy and Standards Updates: In late May, the EU’s Cyber Solidarity Act (February 2025) and the amended Cybersecurity Act (Jan. 2025) came into effect, laying groundwork for future certification schemes and incident response coordination in Europe. (While these laws predate the week, companies continue aligning with them.) In the U.S., CISA’s ongoing “Shields Up” guidance reminds organizations to patch the KEV-listed flaws and review multifactor controls, echoing lessons from recent breaches.

Conclusion

This week’s events reinforce that cyber threats remain diverse and rapidly evolving. Major incidents—from high-profile corporate breaches (Adidas, LexisNexis) to critical infrastructure attacks (ASVT DDoS, healthcare outages)—underscore persistent weaknesses in supply chains, third-party services, and legacy systems. Ransomware remains a clear danger (as seen at MathWorks, Victoria’s Secret and through DragonForce’s MSP attack), and new vectors like DeFi exploits and IoT botnets pose growing risks. The patching activity (Chrome updates, KEV mandates, plugin fixes) highlights that timely vulnerability management is crucial.

For organizations and users, the key takeaways are: maintain rigorous vendor oversight and network segmentation to limit breach impact, apply critical patches immediately, and monitor for unusual activity (including vendor portals and cloud services). Collaboration with government and industry bodies can pay dividends: the coordinated takedowns and advisories (e.g. Lumma, FunNull) show law enforcement and regulators taking action, while sharing IOCs and hardening guidance helps defenders.

In summary, the week of May 27–June 2 saw a mix of cautionary incidents and positive response initiatives. Organizations should use these lessons to bolster cyber resilience—reinforcing access controls, accelerating vulnerability remediation, and preparing incident response plans—so they are better prepared for the threats to come.

Sources

  • U.S. Dept. of the Treasury – “Treasury Takes Action Against Major Cyber Scam Facilitator” (OFAC press release, May 29, 2025)
    home.treasury.gov

  • CISA (Cybersecurity & Infrastructure Security Agency) – “Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data” (Joint FBI/CISA advisory, AA25-141B, May 21, 2025)
    cisa.gov

  • NATO – “Allies review progress with NATO cyber defence pledge” (NATO News, May 23, 2025)
    nato.int

  • Dark Reading – “Adidas Falls Victim to Third-Party Data Breach” (news brief, May 27, 2025)
    darkreading.com

    “ConnectWise Breached, ScreenConnect Customers Targeted” (May 30, 2025)
    darkreading.com

  • Recorded Future – The Record
    “Nearly 70,000 impacted by ransomware attack on Sheboygan, Wisconsin” (May 27, 2025)
    therecord.media

    “LexisNexis says 364,000 impacted by breach involving GitHub data” (May 28, 2025)
    therecord.media

  • Sophos News – “DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers” (May 27, 2025)
    news.sophos.com

  • American Banker – “Arvest Bank glitch enabled customers to see other customers’ data” (May 30, 2025)
    americanbanker.com

  • Cybersecurity Dive – “Victoria’s Secret shuts down website in response to security incident” (May 29, 2025)
    cybersecuritydive.com

  • Check Point Research – “2nd June – Threat Intelligence Report” (June 2, 2025)
    research.checkpoint.com