Unknown Host
From the CISO series, it's Cybersecurity headlines.
Sarah Lane
These are the cybersecurity headlines for Friday, May 16, 2025. I'm Sarah Lane.

Coinbase says that hackers bribed staff to steal customer data and are demanding a $20 million ransom. Coinbase says that attackers bribed overseas support agents to steal sensitive customer data, including names, contact details, partial Social Security numbers and government ID images, although no passwords, private keys or funds. Coinbase says it refused to pay a $20 million ransom, but it did say the breach may cost up to $40 million to resolve internally while it cooperates with law enforcement and enhances security.

Windows 11 and Red Hat Linux hacked on first day of Pwn2Own. On day one of Pwn2Own Berlin 2025, researchers earned $260,000 by exploiting zero days in Windows 11, Red Hat Linux, Oracle VirtualBox and Docker Desktop. Attacks included privilege escalations and sandbox escapes using bugs like use-after-free and integer overflows. Vendors have 90 days to patch these flaws. The competition is running through Saturday, May 17, offering more than $1 million in prizes overall.

The Internet's biggest ever black market just shut down amid a Telegram purge. Telegram shut down Haowang Guarantee, formerly Huione Guarantee, after Wired reported that it was complicit in over $27 billion in illicit transactions, letting crypto scammers launder money using Tether and offering services like stolen data, deepfakes and tools for human trafficking operations. The takedown followed reports from blockchain analytics firm Elliptic, which also linked another Telegram-based market, Xinbi Guarantee, to $8.4 billion in similar activity. Telegram says the bans align with its terms that prohibit illegal activity.

Kremlin-based hackers target webmail service of Eastern European government agencies. Russia-linked hacking group APT28, also known as Fancy Bear, has been targeting webmail servers used by Eastern European government agencies and defense firms, exploiting XSS vulnerabilities to steal login credentials and access emails. The phishing campaign is said to affect entities in Ukraine, Romania, Bulgaria and other regions. Victims received emails with embedded malicious code, often disguised as news links. APT28 has previously exploited vulnerabilities in Roundcube and also the Zimbra webmail system and is believed to be tied to Russia's GRU.

Huge thanks to our sponsor Vanta. Do you know the status of your compliance controls right now, like right this second? We know that real-time visibility is critical for security, but when it comes to our GRC programs we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that is a new way to GRC. Get started at vanta.com/headlines.

Dior confirms data breach affecting customer information. French luxury brand Dior confirmed a data breach discovered on May 7 impacting customers in countries like China and South Korea, affecting information like names, contact details, addresses and purchase preferences. Financial data and passwords don't appear to be compromised. Dior says it's notified affected individuals and is investigating the incident, while Korean authorities are reviewing the company's response.

FTC wants a new segregated software system to police deepfake porn. The FTC is seeking to enforce the Take It Down Act targeting non-consensual deepfake porn. Chair Andrew Ferguson told Congress the agency needs more funding, needs more secure software and specialized staff to review explicit content and pursue enforcement. The law requires platforms to remove such content within 48 hours, but that could be a challenge under current law. Controversy also continues over the current US President's firing of two Democratic commissioners, raising concerns about agency independence and potential legal challenges.

Scientists use AI to encrypt secret messages that are invisible to cybersecurity systems. Researchers from the University of Oslo have developed Embedder LLM, a system that hides encrypted messages in AI-generated text, making them invisible to current cybersecurity tools. The technique embeds data into natural-sounding chatbot responses and can be sent via any messaging platform. It supports both symmetric and public key encryption and is resistant to quantum decryption.

They yanked their own plug: how Co-op averted an even worse cyber attack. Attackers from the DragonForce cybercrime group attempted to infect UK retailer Co-op with ransomware, but in response the company took its own systems offline. Customer data was still stolen, but Co-op avoided full system lockdown and is recovering faster than Marks and Spencer, which suffered deeper system compromise and has had ongoing disruptions while maintaining that no payment or password details were accessed. It is expensive, though, costing Marks and Spencer an estimated 43 million pounds per week. The same group also claims responsibility for attacks on Harrods and uses Telegram and Discord to coordinate activities.

Have you checked out Security You Should Know yet? If not, you should. It's our new show where we give you the answers to the questions about how a vendor solution helps you solve a specific problem. This week on the show, we're talking with Sandfly Security about what they're doing to help secure unmonitored Linux devices. Look for it at cisoseries.com or wherever you get your podcasts. Also, make sure to join us later today at 3:30pm Eastern Time for our Week in Review show. Nick Espinosa, host of the Deep Dive Radio show, will be our guest, providing their expert commentary on the news of the week. We encourage participation and comments through our YouTube live channel. Just go to the events page at cisoseries.com. I'm Sarah Lane, reporting for the CISO Series. Thank you so much for listening. Talk to you next time.
Unknown Host
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines - May 16, 2025
Hosted by Sarah Lane from the CISO Series
At the outset of today's episode, Sarah Lane reports a significant breach at Coinbase. Hackers successfully bribed overseas support agents to access and steal sensitive customer information. This data includes names, contact details, partial Social Security numbers, and government ID images. Notably, there was no compromise of passwords, private keys, or funds.
Sarah Lane (00:07): "Coinbase says that attackers bribed overseas support agents to steal sensitive customer data, including names, contact details, partial Social Security numbers and government ID images."
Despite the severity of the breach, Coinbase has refused the hackers' $20 million ransom demand. Instead, the company anticipates internal resolution costs could reach up to $40 million while it collaborates with law enforcement and bolsters its security measures.
Sarah Lane (00:07): "Coinbase says it refused to pay a $20 million ransom, but it did say the breach may cost up to $40 million to resolve internally while it cooperates with law enforcement and enhances security."
The first day of Pwn2Own Berlin 2025 showcased significant vulnerabilities in major software platforms. Researchers exploited zero-day vulnerabilities in Windows 11, Red Hat Linux, Oracle VirtualBox, and Docker Desktop, earning a total of $260,000 in prizes.
Key exploitation techniques included privilege escalations and sandbox escapes, using bug classes such as use-after-free and integer overflows. Vendors have been given a 90-day window to patch the flaws demonstrated in the competition. The competition continues through Saturday, May 17, with over $1 million in prizes at stake overall.
Sarah Lane (00:07): "On day one of Pwn2Own Berlin 2025, researchers earned $260,000 by exploiting zero days in Windows 11, Red Hat Linux, Oracle VirtualBox and Docker Desktop."
In a major crackdown, Telegram has shut down Haowang Guarantee (formerly Huione Guarantee), a significant player in the black market, following investigative reports by Wired and blockchain analytics firm Elliptic. The group was implicated in facilitating over $27 billion in illicit transactions, including money laundering for crypto scammers using Tether, as well as the sale of stolen data, deepfakes, and tools for human trafficking operations.
Another Telegram-based market, Xinbi Guarantee, was linked to $8.4 billion in similar activities and was also subsequently taken down.
Sarah Lane (00:07): "Overall, the Internet's biggest ever black market just shut down amid a Telegram purge."
Telegram has stated that these actions are in alignment with its terms of service, which prohibit illegal activities.
APT28, also known as Fancy Bear, a Russia-linked hacking group, has been actively targeting webmail servers of Eastern European government agencies and defense firms. The group exploits cross-site scripting (XSS) vulnerabilities in those webmail applications to steal login credentials and access sensitive emails. This phishing campaign has impacted entities in Ukraine, Romania, Bulgaria, and other regions.
Victims typically receive emails embedding malicious code disguised as news links; the XSS payload executes in the victim's webmail session when the message is rendered. APT28 has a history of exploiting vulnerabilities in webmail systems such as Roundcube and Zimbra, underscoring its persistent threat to regional security.
Sarah Lane (00:07): "Russia-linked hacking group APT28, also known as Fancy Bear, has been targeting webmail servers used by Eastern European government agencies and defense firms."
French luxury brand Dior has disclosed a data breach discovered on May 7, impacting customers in countries such as China and South Korea. The compromised information includes names, contact details, addresses, and purchase preferences. Fortunately, financial data and passwords were not affected.
Dior has notified the affected individuals and is actively investigating the incident. Korean authorities are currently reviewing Dior's response to the breach.
Sarah Lane (00:07): "Dior says it's notified affected individuals and is investigating the incident, while Korean authorities are reviewing the company's response."
The Federal Trade Commission (FTC) is pushing for the enforcement of the Take It Down Act, which targets non-consensual deepfake pornography. FTC Chair Andrew Ferguson addressed Congress, emphasizing the need for increased funding, more secure software, and specialized staff to effectively review explicit content and pursue legal actions.
The law requires platforms to remove such content within 48 hours, a timeline that may pose significant challenges under current regulations. Additionally, there is ongoing controversy surrounding the current US President's dismissal of two Democratic commissioners, raising concerns about the agency's independence and potential legal challenges.
Sarah Lane (00:07): "FTC Chair Andrew Ferguson told Congress the agency needs more funding, needs more secure software and specialized staff to review explicit content and pursue enforcement."
Researchers from the University of Oslo have unveiled "Embedder LLM," an AI-driven system that embeds encrypted messages within natural-sounding chatbot responses. Because the carrier text reads as ordinary AI-generated output, the hidden messages are invisible to current cybersecurity tools and can be transmitted via any messaging platform. The system supports both symmetric and public key encryption and is described as resistant to quantum decryption.
Sarah Lane (00:07): "They developed Embedder LLM, a system that hides encrypted messages in AI-generated text, making them invisible to current cybersecurity tools."
Co-op, a UK retailer, narrowly avoided a catastrophic ransomware attack by the DragonForce cybercrime group. The attackers attempted to infect Co-op's systems, but the company responded by taking its own systems offline. Although customer data was still stolen, Co-op prevented a full system lockdown and is recovering more rapidly than Marks and Spencer, which endured deeper system compromise and substantial financial losses estimated at 43 million pounds per week.
DragonForce has also claimed responsibility for attacks on Harrods, using platforms like Telegram and Discord to coordinate its activities.
Sarah Lane (00:07): "Attackers from the DragonForce cybercrime group attempted to infect UK retailer Co-op with ransomware, but in response the company took its own systems offline."
The episode also previewed upcoming segments and shows, including a Security You Should Know conversation with Sandfly Security on securing unmonitored Linux devices and a Week in Review show featuring Nick Espinosa from Deep Dive Radio. Participation and comments are encouraged through the CISO Series' YouTube live channel.
Conclusion
Today's episode of Cyber Security Headlines covered data breaches (Coinbase, Dior), the Pwn2Own Berlin 2025 competition, the Telegram black-market takedowns, APT28's webmail campaign, FTC enforcement of the Take It Down Act, the Embedder LLM research, and the Co-op and Marks and Spencer ransomware incidents.
For those seeking detailed stories and further insights, additional information is available at CISOseries.com.