Daily Brief

2025-05-20 12:23:08 | theregister | RANSOMWARE | Ransomware Disrupts UK Food Supplier, Threatens Supermarket Stocks
A ransomware attack on Peter Green Chilled occurred on May 14, impacting major UK supermarket chains. The company informed customers of the attack and stopped processing new orders on May 15, while continuing its transport operations. Communication channels such as phone and email were disrupted, and the company's website was not accepting external messages. The attack affected not only Peter Green Chilled but also its clients, including The Black Farmer, which faced potential losses of around £100,000 from immobilized stock. The broader impact on the supply chain highlights the dire consequences for small businesses and the potential wastage of fresh goods. M&S, another affected entity, is preparing a substantial cyber insurance claim to cover the financial fallout from the attack. Experts emphasize the shift in ransomware tactics from data theft to operational disruption, intended to compel quicker payments and increase pressure on victims. The incident underlines the need for enhanced operational resilience and security measures within the retail sector to mitigate the risks and impacts of such cyberattacks.
2025-05-20 11:01:25 | thehackernews | MISCELLANEOUS | Growing Security Tool Use with Mixed Effectiveness and Insights
Pentera's 2025 State of Pentesting Report surveyed 500 CISOs globally to gain insight into current cybersecurity practices and challenges. Despite the adoption of more security tools (an average of 75 per organization), 67% of U.S. enterprises experienced a breach within the last 24 months. Larger security stacks significantly increase alert volumes, with some enterprises handling over 2000 alerts per week, which calls for better prioritization to combat alert fatigue. Software-based pentesting is on the rise, with 50% of CISOs adopting these tools as their primary security testing method, citing increased trust and the need for scalable solutions. Cyber insurance providers increasingly influence cybersecurity strategy: 59% of CISOs have implemented solutions based on insurers' recommendations. Confidence in government cybersecurity support is low, with only 14% of CISOs satisfied with the help provided and a majority finding it insufficient or unreliable. The report highlights the need for continuous, scalable, and effective security practices to address the growing complexity of threats and tool management.
2025-05-20 09:39:55 | thehackernews | NATION STATE ACTIVITY | Chinese-Linked Hackers Target Saudi Entity with MarsSnake Backdoor
Chinese-affiliated hackers, known as UnsolicitedBooker, targeted a Saudi organization using spear-phishing with flight ticket lures. Attacks involved multiple backdoors, including Chinoxy, DeedRAT, Poison Ivy, and the newly deployed MarsSnake. MarsSnake was delivered via a malicious Word document disguised as a flight ticket PDF, triggering a harmful VBA macro. The persistent targeting of the organization since 2023 suggests a high strategic interest by the threat group. UnsolicitedBooker's activities show affiliation with larger Chinese cyber operations, sharing methods with groups like Space Pirates. Other Chinese groups, such as PerplexedGoblin and DigitalRecyclers, continue to target European and governmental entities using sophisticated espionage tools. The discovery highlights the ongoing and evolving threat from state-aligned actors against international and governmental organizations.
2025-05-20 08:38:44 | theregister | DATA BREACH | Virgin Media O2 Fixes Flaw Exposing User Locations to Callers
Virgin Media O2 resolved a privacy issue in its 4G Calling feature that allowed callers to pinpoint a recipient's location. Researcher Daniel Williams discovered that VoLTE call metadata, specifically IMSI, IMEI, and cell ID data, could locate users to within 100 meters. Williams published the finding in May after first contacting the mobile network operator (MNO) in March and initially receiving no response. A company spokesperson confirmed that the fix had been comprehensively tested and deployed by May 19. Williams's detailed findings showed that the IMSI and IMEI numbers returned by the server identified both the caller's and the recipient's devices on the VMO2 network. The information leak was demonstrated using tools such as CellMapper, which could resolve the data to a location as precise as a city centre. Disabling 4G Calling occasionally halted data transmission but was not deemed a reliable way to prevent the privacy leak. The resolution followed extensive research by Williams, who stopped reproducing the issue once the repair was in place.
2025-05-20 08:25:47 | thehackernews | MALWARE | New Cryptojacking Campaign Targets Linux Redis Servers
Researchers at Datadog Security Labs identified a new cryptojacking campaign, codenamed RedisRaider, that targets publicly exposed Redis servers on Linux. The campaign uses a customized scanner to locate accessible Redis servers, confirms the host runs Linux via the INFO command, and then injects a cron job using the SET command. The malware changes the Redis working directory to "/etc/cron.d" and sets up a database file named "apache" that executes a Base64-encoded shell script. This script downloads the RedisRaider binary, which deploys a customized XMRig miner to use the host's computing resources to mine Monero. The malware also replicates itself to other Redis instances, expanding its reach, and incorporates anti-forensics features such as short key TTLs and database configuration changes to evade detection. RedisRaider additionally serves a web-based Monero miner for extra revenue, indicating a multi-pronged monetization strategy by the threat actors. A separate campaign was also reported that exploits Microsoft Entra ID's legacy authentication protocols for targeted brute-force attacks, primarily against accounts in Eastern Europe and Asia-Pacific.
2025-05-20 05:55:24 | thehackernews | MALWARE | Malicious PyPI Packages Target Social Media APIs, Risk User Data
Cybersecurity researchers discovered malicious Python packages on PyPI that abuse social media APIs to validate stolen email addresses. The packages, named "checker-SaGaF", "steinlurks", and "sinnercore", use various techniques to query Instagram and TikTok APIs while mimicking legitimate app behaviour to evade detection. These tools check whether an email address is associated with an existing social media account, enabling cybercriminals to refine their target lists and threaten users through various harmful actions. Validated email lists are often sold on the dark web, feeding broader cybercrime such as credential stuffing and phishing. The packages also include functionality targeting Telegram user data and cryptocurrency utilities, indicating that the malware is complex and multi-purpose. The findings reveal significant risks not only to individual privacy but also to organizations, since validated emails can enable targeted and sophisticated attacks. A further package, "dbgpkg", served as a backdoor implant on developers' systems, illustrating the trend of using developer tooling as a malware distribution vector. The techniques and targeted deployment indicate a high level of sophistication among the attackers, who seek to establish a long-term, anonymous presence on infected systems.
2025-05-19 23:03:36 | theregister | MISCELLANEOUS | CISA Appoints New Deputy Amid Challenges and Budget Cuts
CISA named Madhu Gottumukkala as its new deputy director amid budget reductions and staffing challenges. The agency still lacks a Senate-confirmed leader, with interim duties performed by Bridget Bean. Key focus areas are under threat from a proposed $491 million cut, about 17 percent of CISA's budget. The cuts align with an administration push to narrow the agency's scope to China-focused defenses, excluding certain red team functions and Russian threats. Departures include leaders of the Secure by Design program, and other staff have taken voluntary resignation offers. Senator Ron Wyden has blocked the director nominee, Sean Plankey, demanding the release of a report on vulnerabilities in U.S. telecom networks. CISA's refocus on its mission includes an evaluation of its election security work, particularly how it handles misinformation and foreign influence. DHS remains tight-lipped about the exact number of CISA staff reductions and the details of any restructuring, prompting congressional inquiries.
2025-05-19 21:25:18 | bleepingcomputer | MALWARE | Trojanized KeePass Installs Lead to Ransomware via ESXi Servers
Threat actors distributed trojanized KeePass builds for eight months to deploy Cobalt Strike beacons and ransomware. The malicious KeePass installer was promoted through Bing ads that led to fake software download sites. The modified KeePass, dubbed KeeLoader, included functionality that stole credentials and exported password databases in cleartext. The KeePass alterations are linked to Black Basta ransomware and are believed to be operated by initial access brokers. Researchers unearthed multiple signed variants that fooled users through typo-squatted domains. In the ransomware attacks, the compromised companies' VMware ESXi servers were encrypted. WithSecure attributed the activity to UNC4696, a group associated with past Nitrogen Loader and BlackCat/ALPHV ransomware campaigns. The investigation revealed an extensive infrastructure for distributing various malware families and credential-phishing schemes under impersonated domains.
2025-05-19 19:24:37 | bleepingcomputer | DATA BREACH | O2 UK Resolves Bug Exposing Mobile Users' Location Data
A security flaw in O2 UK's VoLTE and WiFi Calling allowed location tracking through call metadata. Researcher Daniel Williams found that the vulnerability had been present since March 2017 until its recent resolution. The flaw leaked sensitive information such as IMSI and IMEI numbers and cell tower locations. Williams used the Network Signal Guru app and public tools to pinpoint user locations accurately. O2 UK, which has nearly 23 million mobile users, implemented the fix without requiring any customer action. Virgin Media O2 confirmed the issue and its resolution, assuring customers that no action is needed on their part. It remains unclear whether O2 UK previously knew about the flaw or whether it was ever exploited.
2025-05-19 19:05:49 | theregister | CYBERCRIME | SIM-Swap Scam Leads to False SEC Announcement, Prison Sentence
Eric Council Jr., 26, from Huntsville, Alabama, was sentenced to 14 months in prison for initiating a SIM-swap scam that targeted the SEC's official social media account. Council and accomplices hijacked the SEC's X account and posted a fake announcement about government approval of Bitcoin ETFs, causing significant market fluctuations. The fraudulent post led to a temporary increase in Bitcoin's price by over $1,000; however, the value plummeted by more than $2,000 after the SEC regained control and issued a retraction. To execute the scam, Council used a fake ID at an AT&T store to obtain a new SIM card linked to the victim C.L.'s number, and subsequently accessed C.L.'s two-factor security codes. Incriminating searches by Council on his personal computer, including "SECGOV hack" and "how can I know for sure if I am being investigated by the FBI," were instrumental in his capture and conviction. The FBI highlighted the case as a deliberate attempt to deceive the public and manipulate financial markets, endangering trust in public communications platforms. Following his prison term, Council will undergo three years of supervised release, underscoring the legal penalties for cybercrimes involving identity theft and fraud.
2025-05-19 18:01:10 | bleepingcomputer | CYBERCRIME | Arla Foods Hit by Cyberattack, Production Temporarily Halted
Arla Foods, a major international dairy producer, confirmed a cyberattack at its Upahl, Germany facility that impacted the site's IT network and production. The incident caused disruptions that may lead to product delivery delays or cancellations. Arla is working to resume normal operations and expects to restore full functionality within the week. Arla has not disclosed specifics of the attack, including whether data was stolen or encrypted. No reports have linked the incident to a known ransomware group, and it has not appeared on extortion portals, leaving the attacker's identity unclear. Only the Upahl location was affected; production at other Arla sites continued unaffected. Arla has informed customers who may be affected by delivery issues resulting from the disruption.
2025-05-19 15:53:57 | thehackernews | MALWARE | RVTools Website Compromised to Distribute Bumblebee Malware
The official RVTools website was compromised to distribute a malicious installer for the VMware utility. The infected installer sideloaded a malicious DLL identified as the Bumblebee malware loader. The extent of the infection and how long the compromised installer was available are unknown. RVTools has cautioned users against downloading its software from any source other than its official websites. In a separate incident, Procolored printer software shipped with a backdoor and a clipper malware capable of cryptojacking. The clipper, SnipVex, intercepted and altered Bitcoin wallet addresses in clipboard data to reroute transactions. Procolored has acknowledged the issue, suggesting that infected USB drives used in October 2024 were the source. Although the backdoor's command-and-control server has been offline since February 2024, the clipper malware remains active and damaging.
2025-05-19 15:15:38 | bleepingcomputer | DATA BREACH | UK Legal Aid Agency Hit by Major Data Breach Incident
The UK Legal Aid Agency (LAA) confirmed the theft of extensive applicant data in a recent cyberattack, originally believed to be less severe. This breach affected records dating from 2010, compromising sensitive personal information of those who applied for legal aid. The LAA, an arm of the UK Ministry of Justice, provides crucial legal services to individuals unable to afford legal representation. Following the breach discovery on May 16, immediate measures included securing all LAA systems with assistance from the National Cyber Security Centre and temporarily shutting down the online application platform. The UK government urges all legal aid applicants to be cautious of potential scams and to verify communications before sharing personal information. LAA’s CEO, Jane Harbottle, expressed deep regret over the incident and committed to providing ongoing updates and addressing the breach's implications. It is still unclear if the data theft at the LAA is connected to recent attacks on UK retailers by a group using DragonForce ransomware.
2025-05-19 14:44:21 | thehackernews | MALWARE | Ransomware Gangs Utilize Skitnet Malware to Compromise Corporate Systems
Ransomware actors have adopted the Skitnet malware for advanced data theft and remote control of compromised systems. Skitnet, also known as Bossnet, was first sold on the dark web in April 2024 and has been actively used in attacks since early 2025. The malware's complex design uses languages such as Rust and Nim, and it evades typical security detections by launching a reverse shell over DNS. Skitnet includes capabilities for persistence, remote access, command execution, data exfiltration, and delivery of additional payloads. Notable usage includes a Black Basta phishing campaign in April 2025 that targeted enterprise environments via Teams-themed emails. The malware improves its stealth by dynamically resolving API function addresses, and operators manage infected hosts via a command-and-control panel. Concurrently, another malware family, TransferLoader, is targeting US law firms and likewise features advanced evasion and management techniques.
2025-05-19 14:15:20 | bleepingcomputer | MISCELLANEOUS | Security Experts Unveil 29 Zero-Days at Pwn2Own Berlin 2025
Pwn2Own Berlin 2025 concluded with security researchers exploiting 29 zero-day vulnerabilities and earning a total of $1,078,750. Competitors targeted enterprise technologies across several categories, including AI, browsers, virtualization, servers, and automotive. All target devices were fully updated and running the latest OS versions, and Tesla contributed its latest models. STAR Labs SG emerged as the top team, securing 35 Master of Pwn points and $320,000 by exploiting systems including Red Hat Enterprise Linux and VMware ESXi. The largest individual reward of $150,000 went to Nguyen Hoang Thach of STAR Labs for an integer overflow exploit in VMware ESXi. Mozilla issued early patches for two zero-days exploited in Firefox, demonstrating the prompt-response benefit of the competition's disclosure policy. Disclosed vulnerabilities are held privately for 90 days, giving vendors a window to patch before public release by Trend Micro's Zero Day Initiative. The competition underscored the critical role of ethical hacking in strengthening cybersecurity defenses across multiple technology domains.