
Cybersecurity News Digest: May 16-19, 2025
This digest compiles critical cybersecurity events from May 16 to May 19, 2025, curated specifically for application security teams. Drawing on recent reports, X posts, and expert analysis, it highlights breaches, vulnerabilities, malware, and emerging trends that may affect your applications and systems.
Major Breaches and Incidents
Coinbase Breach
On May 15, 2025, Coinbase suffered a significant breach in which attackers used social engineering to bribe overseas support agents, gaining access to sensitive user data: names, addresses, phone numbers, email addresses, masked SSNs, ID images, masked bank account numbers, account balances, and transaction histories. Login credentials, two-factor authentication codes, private keys, and customer funds were not compromised. The financial impact is estimated at $180 million to $400 million for remediation and reimbursements; Coinbase refused a $20 million ransom demand and instead offered a $20 million reward for information leading to the attackers’ arrest. Coinbase has since terminated the employees involved, opened a new U.S. support hub, and strengthened insider-threat detection and fraud monitoring. For application security teams, the incident underscores the need for strict access controls, monitoring of insider activity, and staff training on social engineering risks.
Nucor Halts Operations
Nucor, a major steel producer, reportedly halted operations, likely because of a cyber incident, according to an X post by @AnvikshaMore on May 16, 2025. Few details are available, but the event shows how a cyber attack can disrupt a critical industry; application security teams should make sure their incident response plans cover business-critical applications.
Vulnerabilities and Patches
Browser Vulnerabilities
- Chrome (CVE-2025-4664): A high-severity vulnerability in Google Chrome’s Loader component, caused by insufficient policy enforcement, allows cross-origin data leaks through a malicious HTML page and could lead to account takeover. It has been exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities catalog with a mitigation deadline of July 5, 2025. Update to Chrome 136.0.7103.113/.114 or later on Windows, macOS, and Linux. Application security teams should ensure all organizational browsers are updated and monitor for suspicious web activity.
- Firefox (CVE-2025-4918, CVE-2025-4919): Mozilla patched two zero-day vulnerabilities exploited at Pwn2Own Berlin that could enable access to sensitive data or arbitrary code execution. Updating Firefox immediately is critical to protect web applications accessed through the browser.
Hardware and System Vulnerabilities
- Intel CPU Flaws: Researchers identified new vulnerabilities affecting all modern Intel CPUs that enable memory leaks and Spectre v2 attacks through Branch Privilege Injection (BPI) and Branch Predictor Race Conditions (BPRC). Application security teams should check for firmware updates from Intel and apply the recommended mitigations to protect application environments.
- Windows CLFS Zero-Day (CVE-2025-29824): The Play ransomware group exploited a privilege escalation vulnerability in the Windows Common Log File System (CLFS) before it was patched on April 8, 2025. Reports from May 2025 indicate the flaw remains relevant, possibly because of unpatched systems or new attack vectors. Ensure all Windows systems are updated to prevent ransomware deployment through applications.
Enterprise Software and Network Vulnerabilities
- SAP and DrayTek Vulnerabilities: CISA flagged actively exploited vulnerabilities in SAP systems and DrayTek routers, as reported on May 15, 2025. The SAP NetWeaver flaw is particularly concerning for organizations running SAP applications, as it has attracted attacker attention. Application security teams should prioritize patching these systems to protect web and enterprise applications.
- Ivanti Endpoint Mobile Manager 0-Days: Chained zero-day vulnerabilities in Ivanti’s Endpoint Mobile Manager were reported and could allow unauthorized access. Teams should check for and apply the latest updates to secure endpoint management systems integrated with their applications.
Malware and Ransomware Threats
Play Ransomware Campaign
The Play ransomware group, also known as Balloonfly or PlayCrypt, has been exploiting the Windows CLFS zero-day (CVE-2025-29824) to gain SYSTEM privileges and deploy ransomware. In one U.S. organization, initial access came through a public-facing Cisco Adaptive Security Appliance, followed by deployment of the Grixba information-stealing payload and the exploit, both disguised as Palo Alto Networks software. The campaign highlights the need for application security teams to secure public-facing interfaces and monitor for privilege escalation attempts.
Fileless Remcos RAT Attacks
A new campaign delivers the Remcos Remote Access Trojan (RAT) through LNK files and MSHTA in PowerShell-based attacks, using tax-related lures to trick users. The malware runs entirely in memory, evading traditional file-based detection. Application security teams should strengthen endpoint detection and response (EDR) capabilities and conduct user awareness training to reduce phishing risk.
HTTPBot Botnet
A new botnet, HTTPBot, written in Go, has launched more than 200 precision DDoS attacks against the gaming, technology, and education sectors, particularly in China. It abuses HTTP at the application layer to disrupt services, threatening application availability. Teams should deploy DDoS protection and monitor application performance for signs of attack.
Other Notable Events
State-Sponsored Threats
- North Korean Email Lures: North Korean threat actors are using email lures to target individuals and organizations, as reported on May 16, 2025. Application security teams should strengthen email security controls and train users to recognize phishing attempts.
- Russian Hackers Targeting Webmail Servers: The Russian state-sponsored group APT28 is targeting webmail servers such as Roundcube and Zimbra through XSS vulnerabilities in order to steal confidential data. Teams should patch and harden webmail applications and monitor for unauthorized access.
Privacy and Policy Developments
- Meta’s AI Training on EU User Data: Meta plans to train AI models on public Facebook and Instagram data starting May 27, 2025, without explicit user consent, prompting a potential lawsuit from the privacy group Noyb. This raises compliance concerns for applications handling EU user data, which must adhere to GDPR and similar regulations.
- Japan’s Active Cyberdefense Law: Japan introduced a new Active Cyberdefense Law, noted on May 16, 2025, which may influence cybersecurity policy elsewhere. Application security teams should keep track of regulatory changes that affect application security practices.
Additional Incidents
- DOGE Employee Credentials Leaked: Credentials belonging to an employee of an organization referred to as DOGE were leaked, which could lead to further compromises. Teams should review credential management and enforce multi-factor authentication (MFA) for application access.
- Malicious npm Package: A malicious npm package, “os-info-checker-es6,” was identified on May 16, 2025; it used Unicode-based steganography to hide and drop its payload. Application security teams should vet third-party dependencies and scan for malicious code in development pipelines.
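As an added illustration of the dependency scan the npm item calls for (this is example code, not from the digest, the package, or its analysts), the check below flags invisible or undefined Unicode code points in source text, the kind of characters that Unicode steganography uses to hide data. The code-point ranges are a general heuristic chosen here and are an assumption, not the specific encoding the reported package used.

```python
import unicodedata

# Code points that render as nothing (or as undefined glyphs) and have no
# legitimate role in ordinary JavaScript source. Heuristic ranges chosen for
# this example; they are an assumption, not the package's exact encoding.
SUSPECT_SINGLE = {
    0x200B, 0x200C, 0x200D, 0x2060,  # zero-width space/joiners, word joiner
    0xFEFF,                          # BOM appearing inside the file body
    0x3164, 0xFFA0,                  # Hangul fillers
}
SUSPECT_RANGES = (
    (0xE000, 0xF8FF),      # Private Use Area (BMP): no defined glyphs
    (0xFE00, 0xFE0F),      # variation selectors
    (0xE0100, 0xE01EF),    # variation selectors supplement
    (0xE0000, 0xE007F),    # TAG characters
)


def is_suspect(ch: str) -> bool:
    """True if the character is invisible or has no defined glyph."""
    cp = ord(ch)
    if cp in SUSPECT_SINGLE:
        return True
    if any(lo <= cp <= hi for lo, hi in SUSPECT_RANGES):
        return True
    # General category Cf ("format") characters are invisible by design.
    return unicodedata.category(ch) == "Cf"


def scan_source(text: str, threshold: int = 8) -> dict:
    """Count suspect code points per line and flag the file if the total
    reaches `threshold`. A single leading BOM is legitimate and ignored."""
    if text.startswith("\ufeff"):
        text = text[1:]
    per_line = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        n = sum(1 for ch in line if is_suspect(ch))
        if n:
            per_line[lineno] = n
    total = sum(per_line.values())
    return {"per_line": per_line, "total": total, "flag": total >= threshold}


# Constructed sample inputs: a benign module and a line whose string
# literal carries 40 Private Use Area characters after a visible "|".
CLEAN_JS = "const os = require('os');\nmodule.exports = () => os.platform();\n"
HIDDEN_JS = "const k = '|" + "".join(chr(0xE000 + i) for i in range(40)) + "';\n"

if __name__ == "__main__":
    print(scan_source(CLEAN_JS))              # total 0, flag False
    print(scan_source(CLEAN_JS + HIDDEN_JS))  # line 3 carries 40, flag True
```

In a pipeline, run `scan_source` over each file of a newly added or updated dependency and treat a flagged file as a reason to block the build until someone reads the string literal in question.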
Recommendations for Application Security Teams
- Patch Management: Prioritize patching for Chrome, Firefox, SAP, Windows, and Ivanti systems to address actively exploited vulnerabilities.
- Threat Detection: Enhance EDR and application-layer monitoring to detect fileless malware and privilege escalation attempts.
- Access Controls: Implement strict access controls and MFA to mitigate insider threats and credential leaks.
- User Training: Conduct regular training on phishing and social engineering to reduce risks from email lures and malicious packages.
- DDoS Protection: Deploy robust DDoS mitigation strategies to ensure application availability against botnet attacks.
- Compliance Monitoring: Review data handling practices to ensure compliance with GDPR and other regulations, especially in light of Meta’s AI training plans.