
Sarah Lane
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Wednesday, May 21, 2025. I'm Sarah Lane.

U.S. DOJ opens investigation into Coinbase's recent cyber attack. The U.S. Department of Justice has launched a criminal investigation into a recent cyber attack targeting Coinbase, the world's largest crypto exchange. Coinbase clarified it is not under investigation but is cooperating with the DOJ and other law enforcement agencies. The breach was disclosed on May 11 and compromised some customer data (names, addresses and emails, but not login credentials) and is expected to cost the company between 180 and 400 million dollars.

Dutch government passes law to criminalize cyber espionage. The Dutch government has enacted a new law criminalizing digital espionage to safeguard national security and infrastructure. This legislation now allows prosecution for leaking sensitive non-classified data and acting for foreign entities against Dutch interests, carrying penalties of up to 12 years for severe offenses. The law addresses growing concerns about cyber espionage from nations like China and Russia, citing attempted infrastructure sabotage and infiltration of international organizations in the Netherlands.

Ransomware attack on food distributor spells more pain for UK supermarkets. UK food distributor Peter Green Chilled says it was hit by a ransomware attack on May 14, disrupting operations and deliveries to major supermarkets. New orders were paused, potentially causing significant losses for smaller suppliers. Experts warn of increasing cyber threats targeting the UK retail supply chain's operational systems.

South Asian ministries hit by Sidewinder APT. Using old Office flaws and custom malware, the Sidewinder APT group has launched a targeted cyber espionage campaign against government institutions in Sri Lanka, Bangladesh and Pakistan. Using spear-phishing emails and geofenced malware payloads, the attackers exploited outdated Microsoft Office vulnerabilities to deliver the StealerBot malware. This .NET-based tool captures sensitive data like keystrokes, passwords and screenshots, with a high degree of precision and selectivity in targeting, reflecting Sidewinder's ongoing and methodical activity in the region.

What if your sales team could answer security questions themselves without blowing up your Slack or email every 10 minutes? With Conveyor they can. Conveyor is the trust center and security questionnaire automation tool your infosec brethren love to use. Whether through Slack or the Conveyor app, sales and pre-sales teams can easily get AI-generated answers to any customer security question with your preset rules and reviews in place. Free up your team and keep deals moving at www.conveyor.com.

SK Telecom says malware breach lasted three years, impacted 27 million members. South Korea's SK Telecom reported a nearly three-year-long undetected malware breach beginning in June of 2022, which compromised sensitive SIM data of nearly 27 million customers, including authentication keys and contact information, elevating SIM swapping risks. The company is replacing SIMs, blocking unauthorized device changes and accepting responsibility for resulting damages. Investigations identified 25 malware types on 23 different servers, but the full scope of data loss is uncertain due to limited early logging.

Vulnerability exploitation probability metric proposed by NIST, CISA researchers. NIST and CISA, you know them. NIST and CISA have developed Likely Exploited Vulnerabilities, also known as LEV, a new metric using mathematical equations to predict vulnerability exploitation probability. This complements KEV and EPSS to improve patching prioritization by identifying potential overlooked threats. NIST is currently seeking industry partners to evaluate LEV's real-world impact.

KrebsOnSecurity hit with near-record 6.3 Tbps DDoS. KrebsOnSecurity reports it was hit by a 6.3 Tbps DDoS attack on May 12, likely a test of the Aisuru Internet of Things botnet. The attack lasted less than a minute, but was clocked as the largest ever mitigated by Google's Project Shield. Aisuru has been linked to a known figure named Forky, compromising hijacked IoT devices using zero-day exploits. Forky denies involvement in the attack, now claiming to focus on their hosting business, Botshield.

Mobile carrier Cellcom confirms cyber attack behind extended outages. Cellcom, a Wisconsin-based mobile carrier, confirmed a cyber attack was behind the widespread outages that began on May 14, disrupting voice and SMS services across Wisconsin and Upper Michigan. The company initially described this as a technical issue, but later acknowledged the cyber incident, stating that sensitive customer data was not impacted. Cellcom is working with the FBI and cybersecurity experts to restore service, which it aims to complete by the end of the week.

Van Helsing ransomware builder leaked on hacking forum. The source code of the Van Helsing ransomware group was leaked after a failed sale by a former developer. The group then released parts of the code themselves, including the Windows encryptor builder and affiliate panel, but not the full Linux builder or databases. Despite being incomplete, the leak could enable copycat attacks similar to past incidents involving Babuk, Conti and LockBit.

I'm Sarah Lane reporting for the CISO Series. Thank you so much for listening and we'll talk to you next time. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Hosted by Sarah Lane, CISO Series
Timestamp: [00:00]
The U.S. Department of Justice (DOJ) has initiated a criminal investigation into a recent cyber attack targeting Coinbase, one of the world's largest cryptocurrency exchanges. Coinbase has clarified that it is not itself under investigation but is fully cooperating with the DOJ and other law enforcement agencies.
Key Details:
- The breach was disclosed on May 11.
- Exposed data included customer names, addresses and email addresses; login credentials were not compromised.
- Coinbase expects the incident to cost between $180 million and $400 million.
Notable Quote: "Coinbase is committed to the security and privacy of our customers' information and is working closely with authorities to address this incident," — Sarah Lane, [00:00]
Timestamp: [00:02]
In a significant move to protect national security and infrastructure, the Dutch government has passed a new law that criminalizes digital espionage. This legislation empowers authorities to prosecute individuals or entities that leak sensitive non-classified data or act on behalf of foreign interests against Dutch national security.
Key Provisions:
- Leaking sensitive but non-classified data becomes a prosecutable offense.
- Acting on behalf of foreign entities against Dutch interests becomes a prosecutable offense.
- Severe offenses carry penalties of up to 12 years.
- The law responds to espionage concerns about China and Russia, citing attempted infrastructure sabotage and infiltration of international organizations in the Netherlands.
Notable Quote: "This law is a robust response to the increasing cyber threats posed by state-sponsored actors aiming to destabilize our national infrastructure," — Sarah Lane, [00:02]
Timestamp: [00:04]
UK food distributor Peter Green Chilled experienced a ransomware attack on May 14, severely disrupting operations and deliveries to major supermarkets. The attack forced a pause on new orders, which could lead to significant financial losses, especially for smaller suppliers.
Implications:
- Smaller suppliers that depend on the distributor bear the immediate financial hit while new orders are paused.
- Experts warn that attacks on the UK retail supply chain are increasingly aimed at its operational systems.
Notable Quote: "The ransomware attack on Peter Green Child highlights the vulnerability of our supply chains to cyber threats, emphasizing the need for robust security measures," — Sarah Lane, [00:04]
Timestamp: [00:06]
The Sidewinder Advanced Persistent Threat (APT) group has launched a targeted cyber espionage campaign against government institutions in Sri Lanka, Bangladesh, and Pakistan. Utilizing old Microsoft Office vulnerabilities and custom malware, Sidewinder deploys spear phishing emails and geofenced malware payloads to infiltrate systems.
Technical Insights:
- Initial access is by spear-phishing email; payloads are geofenced so they deploy only to targets in the intended region.
- The exploited flaws are old, long-patched Microsoft Office vulnerabilities, so the campaign depends on targets running outdated software.
- The payload is StealerBot, a .NET-based tool that captures keystrokes, passwords and screenshots.
- Targeting is highly selective, consistent with Sidewinder's methodical activity in the region.
Notable Quote: "Sidewinder's continued exploits in South Asia demonstrate their sophisticated approach to cyber espionage, leveraging both old and new vulnerabilities to achieve their objectives," — Sarah Lane, [00:06]
Timestamp: [00:08]
South Korea's SK Telecom disclosed a nearly three-year-long undetected malware breach that began in June 2022. The breach affected approximately 27 million customers by compromising sensitive SIM data, including authentication keys and contact information, thereby increasing the risk of SIM swapping attacks.
Response Measures:
- SK Telecom is replacing customer SIMs, blocking unauthorized device changes and accepting responsibility for resulting damages.
- Investigators identified 25 malware types on 23 different servers.
- The full scope of data loss remains uncertain because early logging was limited.
Notable Quote: "We deeply regret the impact this breach has had on our customers and are taking comprehensive steps to mitigate the risks and prevent future incidents," — Sarah Lane, [00:08]
Timestamp: [00:10]
Researchers from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have proposed Likely Exploited Vulnerabilities (LEV), a new metric that uses mathematical equations to estimate the probability that a vulnerability has been exploited. It is intended to complement, not replace, CISA's Known Exploited Vulnerabilities (KEV) catalogue and the Exploit Prediction Scoring System (EPSS) in patch prioritization.
Key Points:
- KEV lists vulnerabilities with confirmed exploitation; EPSS predicts the likelihood of exploitation in the near future; LEV estimates the probability that exploitation has already occurred.
- LEV is meant to surface vulnerabilities that the other two sources overlook.
- NIST is seeking industry partners to evaluate LEV's real-world impact.
Notable Quote: "The introduction of LEV represents a significant advancement in our ability to proactively address vulnerabilities before they are exploited," — Sarah Lane, [00:10]
Timestamp: [00:12]
Krebs on Security reported a near-record 6.3 Tbps Distributed Denial of Service (DDoS) attack on May 12. The attack, attributed to the Aisuru Internet of Things (IoT) botnet, lasted less than a minute and was the largest ever mitigated by Google's Project Shield. Aisuru, associated with the alias "Forky," compromises hijacked IoT devices using zero-day exploits.
Current Situation:
- The attack is believed to have been a test of the botnet's capacity rather than a sustained campaign.
- Forky denies involvement and says they now focus on their hosting business, Botshield.
Notable Quote: "Despite the unprecedented scale of the attack, our defenses held strong, demonstrating the effectiveness of collaborative cybersecurity measures," — Sarah Lane, [00:12]
Timestamp: [00:14]
Cellcom, a mobile carrier based in Wisconsin, has confirmed that a cyber attack was responsible for the widespread service outages beginning on May 14. The attack disrupted voice and SMS services across Wisconsin and Upper Michigan. Initially reported as a technical issue, Cellcom later acknowledged the cyber incident, assuring that no sensitive customer data was compromised.
Recovery Efforts:
- Cellcom is working with the FBI and outside cybersecurity experts.
- The company aims to have service fully restored by the end of the week.
Notable Quote: "We apologize for the inconvenience caused and are committed to restoring full service as swiftly and securely as possible," — Sarah Lane, [00:14]
Timestamp: [00:16]
The source code of the Van Helsing ransomware group was leaked on a hacking forum following a failed sale attempt by a former developer. The group then released parts of the code themselves, including the Windows encryptor builder and the affiliate panel, but not the full Linux builder or the databases. Despite being incomplete, the leak could enable copycat operations, as earlier leaks from Babuk, Conti and LockBit did.
Implications:
- A working Windows builder and affiliate panel are enough for a new crew to stand up its own operation without writing an encryptor.
- Variants derived from the leaked code are the likely next step, as happened after the Babuk, Conti and LockBit leaks.
Notable Quote: "The partial leak of Van Helsing's code could significantly lower the barrier to entry for aspiring cybercriminals, potentially leading to an increase in ransomware incidents," — Sarah Lane, [00:16]
For more detailed stories behind these headlines, visit CISOseries.com.
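The LEV item at [00:10] says only that the metric "uses mathematical equations" to turn exploitation probability into a patch-prioritization signal alongside KEV and EPSS. The script below is an added example, not code from the CISO Series page, from NIST or from CISA: it composes a series of 30-day EPSS scores into the probability that a vulnerability was exploited at least once over a longer period, then uses that figure to flag vulnerabilities KEV does not list and to order patching. The windowed product-of-complements equation is my reading of the form NIST proposed, and the EPSS histories, the KEV set and the VULN-A/B/C labels are constructed for illustration, not real vulnerabilities or scores.

```python
from datetime import date, timedelta

# EPSS publishes, per vulnerability, the probability of exploitation in the next 30 days.
WINDOW_DAYS = 30

# Constructed EPSS histories for hypothetical vulnerabilities (not real CVEs, not
# real scores): date a score was published -> probability published on that date.
SAMPLE_EPSS = {
    "VULN-A": {date(2025, 1, 1): 0.10},                           # flat 10 % per window
    "VULN-B": {date(2025, 1, 1): 0.02, date(2025, 1, 31): 0.50},  # quiet, then spikes
    "VULN-C": {date(2025, 1, 1): 0.90},                           # hot from day one
}

# Constructed stand-in for CISA's KEV catalogue (assumption: only VULN-C is listed).
SAMPLE_KEV = {"VULN-C"}

# Observation period used by the demo: 60 days, i.e. two full 30-day windows.
D0 = date(2025, 1, 1)
DN = date(2025, 3, 2)
DN_HALF = date(2025, 1, 16)   # 15 days: exercises the partial-window weighting


def epss_on(history, day):
    """Most recent EPSS score published on or before `day` (0.0 if none yet)."""
    published = [d for d in history if d <= day]
    return history[max(published)] if published else 0.0


def lev(history, d0, dn):
    """Probability the vulnerability was exploited at least once in [d0, dn].

    Assumption: follows the windowed form of NIST's proposed LEV equation,
        LEV = 1 - prod_i (1 - epss(d_i) * weight(d_i, dn)),
    with d_i stepping through [d0, dn) in 30-day windows and the final, partial
    window weighted by the fraction of 30 days it covers.
    """
    p_none = 1.0            # probability that no window saw exploitation
    di = d0
    while di < dn:
        days_left = (dn - di).days
        weight = min(days_left, WINDOW_DAYS) / WINDOW_DAYS
        p_none *= 1.0 - epss_on(history, di) * weight
        di += timedelta(days=WINDOW_DAYS)
    return 1.0 - p_none


def lev_table(epss_by_vuln, d0, dn):
    """LEV for every vulnerability in the history table."""
    return {v: lev(h, d0, dn) for v, h in epss_by_vuln.items()}


def kev_candidates(lev_by_vuln, kev, threshold=0.5):
    """Vulnerabilities LEV says were probably exploited but that KEV does not list."""
    return sorted(v for v, p in lev_by_vuln.items() if p >= threshold and v not in kev)


def expected_exploited(lev_by_vuln):
    """Expected number of exploited vulnerabilities (sum of the per-item probabilities)."""
    return sum(lev_by_vuln.values())


def prioritize(lev_by_vuln, epss_by_vuln, kev, today):
    """Patch order (my own scheme): confirmed-exploited (KEV) first, then by the
    larger of the current EPSS score and LEV, so a vulnerability that was probably
    exploited in the past is not buried by a low forward-looking score."""
    def key(v):
        return (v in kev, max(epss_on(epss_by_vuln[v], today), lev_by_vuln[v]))
    return sorted(lev_by_vuln, key=key, reverse=True)


if __name__ == "__main__":
    table = lev_table(SAMPLE_EPSS, D0, DN)
    for v, p in table.items():
        print(f"{v}: LEV over {D0}..{DN} = {p:.4f}")
    print("expected exploited count:", round(expected_exploited(table), 2))
    print("LEV >= 0.5 but absent from KEV:", kev_candidates(table, SAMPLE_KEV))
    print("patch order:", prioritize(table, SAMPLE_EPSS, SAMPLE_KEV, DN))
```

Run with a real EPSS history and KEV export, the `kev_candidates` output is the "overlooked threats" list the segment refers to: items the forward-looking EPSS score may now rate as low but whose accumulated history says were very likely exploited at some point. The scheme in `prioritize` is a simple illustration and not NIST's recommendation.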