Cyber Security Headlines - May 22, 2025
Host: Rich Stroffolino
Podcast: CISO Series
Description: Daily stories from the world of information security. For in-depth coverage, visit CISOseries.com.
1. Kettering Health Ransomware Attack
Incident Overview:
Kettering Health, an Ohio-based healthcare network, experienced a significant outage due to a ransomware attack. The disruption primarily affected call centers and patient care systems, leading to the cancellation of elective inpatient and outpatient procedures on May 20. Despite these cancellations, emergency rooms and clinics remained operational, ensuring that urgent patient care continued.
Ransomware Group Involved:
The Interlock ransomware gang was identified as the perpetrator through ransom notes found on the encrypted systems. However, Interlock has not yet publicized this attack on its leak site, making attribution uncertain.
Additional Concerns:
Kettering Health also reported a recent surge in scammer activities, where individuals posing as representatives called patients to request credit card information. It remains unclear whether this scam campaign is directly related to the ransomware attack.
Notable Quote:
“The Ohio-based healthcare network confirmed a recent outage was caused by a ransomware attack impacting call centers and patient care systems.” ([00:06])
2. Disruption of Lumma Malware Operation
Operation Details:
Microsoft, in collaboration with partners including ESET, CleanDNS, Bitsight, Lumen, and GMO Registry, disrupted the Lumma malware operation. Since March 16, 2025, the Lumma malware had infected over 394,000 Windows computers globally.
Actions Taken:
The joint effort led to the seizure and takedown of approximately 2,300 domains used by Lumma operators. Additionally, the U.S. Department of Justice targeted online marketplaces selling Lumma services, while Europol and Japan's Cybercrime Control Center dismantled physical infrastructure within their jurisdictions.
Impact:
The coordinated international response effectively neutralized a significant malware-as-a-service operation, safeguarding numerous systems worldwide.
Notable Quote:
“Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware.” ([00:40])
3. Major Data Breach at Opexus
Company Background:
Opexus, a company owned by Thoma Bravo, provides digital tools to federal government agencies for processing electronic records.
Breach Details:
An insider threat attack by twin brothers Suhaib and Muneeb Akhtar resulted in the improper access and deletion of over 30 databases, including sensitive information from the IRS and the General Services Administration. The Akhtar brothers had a history of cybercrimes, having previously pleaded guilty in 2015 for wire fraud and hacking charges related to creating and selling fake passports and visas.
Breach Execution:
During a virtual human resources meeting intended to terminate their employment, the brothers deleted and exfiltrated data while on the call. The malicious activities were completed within an hour of their termination.
Notable Quote:
“Opexus provides digital tools used by federal government agencies to process electronic records, according to documents seen by Bloomberg News.” ([02:30])
4. TeleMessage Hack Exposes Government Data
Breach Overview:
A recent breach of TeleMessage, revealed through a cache of leaked data from Distributed Denial of Secrets, exposed information from over 60 government users. The affected individuals ranged from disaster responders to diplomatic staff, including personnel from the White House and Secret Service.
Data Compromised:
The leaked data included fragmented message data around May 4, covering discussions such as a U.S. trip to Jordan and logistics for a Vatican visit. While the content itself wasn't deemed highly sensitive, the exposed metadata poses potential counterintelligence risks.
Expert Insight:
Former NSA cyber specialist Jake Williams emphasized the risks associated with metadata exposure, stating, “Even if the contents themselves weren't damaging, the wealth of exposed metadata could pose a counterintelligence risk.” ([04:50])
5. Russian APT28 Launches Cyber Attacks on Logistics Providers
Advisory Details:
A joint cybersecurity advisory from 11 allied countries and 21 intelligence agencies has attributed a series of cyber attacks against logistics providers to the Russian-linked APT28 group, also known as Fancy Bear or BlueDelta.
Attack Scope:
The attacks targeted logistics providers across various transportation modes, including air, sea, and rail. NATO member states, Ukraine, and international organizations were among the victims.
Attack Objectives and Techniques:
The campaign focused on espionage and attempts to access remote cameras. While the techniques used weren't particularly novel, the widespread nature and persistence of the attacks warranted international concern and a coordinated response.
Notable Quote:
“The Russian-linked APT28, aka Fancy Bear or BlueDelta, was behind a campaign of cyber attacks against logistics providers across virtually all transportation modes.” ([05:15])
6. Coinbase Data Breach Affects 69,461 Users
Breach Details:
Coinbase, a leading cryptocurrency exchange, disclosed a data breach that impacted 69,461 individuals. The compromised data includes:
- Names
- Dates of birth
- Last four digits of Social Security numbers
- Some bank identifiers
- Phone numbers
- Email addresses
- Government IDs and account information for some users
Financial Implications:
Coinbase anticipates the breach will cost between $180 million and $400 million. The company has committed to making customers whole for any lost funds resulting from the breach.
Notable Quote:
“Data exposed includes names, dates of birth, the last four Social Security numbers, some bank identifiers, phone numbers and email, and some customers also lost government IDs and account information.” ([05:55])
7. PowerSchool Hacker Pleads Guilty
Case Overview:
Matthew Lane, a 19-year-old from Massachusetts, has pleaded guilty to charges related to hacking two companies, one of which is believed to be PowerSchool, an educational technology vendor.
Details of the Crime:
Lane accessed PowerSchool's platform using stolen credentials. While it is unclear if he was directly involved in the subsequent extortion attempts against school districts, his actions prompted a plea deal.
Plea Agreement:
In exchange for a reduced prison sentence of less than nine years and four months, Lane agreed not to contest the sentencing, securing a shorter term than initially possible.
Notable Quote:
“19-year-old Matthew Lane of Massachusetts signed a plea deal on charges of hacking two companies, one of them an educational technology vendor.” ([06:35])
8. UK National Crime Agency Investigates Retail Cyber Attacks
Investigation Details:
Paul Foster, head of the National Cyber Crime Unit at the UK's National Crime Agency (NCA), announced that the agency is investigating recent cyber attacks targeting major retailers, including Co-op, Harrods, and Marks & Spencer.
Suspected Threat Actors:
Google researchers suspect that the attacks are linked to a group known as "Scattered Spider." However, Foster stated that while this group is on the agency's radar, the NCA is considering a range of potential threat actors as the investigation progresses.
Financial Impact:
Marks & Spencer has projected a £300 million reduction in its annual operating profit due to the cyber attacks. The company anticipates that disruptions will continue until July.
Notable Quote:
“Marks & Spencer announced that it expects a £300 million hit to its annual operating profit as a result of the attack, with disruptions from it lasting likely until July.” ([06:55])
9. Upcoming Episode Teaser: CISO Job Descriptions
Rich Stroffolino briefly mentions an upcoming episode of "Defense In Depth," which will delve into the complexities of crafting effective CISO job descriptions. The discussion will cover:
- Questions organizations should ask when creating CISO job postings
- Insights into what CISOs and aspiring CISOs value most
Notable Quote:
“CISO job descriptions are all over the map in terms of what is desired and what the company is willing to pay. What are the questions organizations should be asking themselves when putting a CISO job post together? And what really matters to CISOs and wannabe CISOs? That's what we're answering on this week's episode of Defense In Depth.” ([06:55])
Conclusion
Rich Stroffolino wraps up the episode by directing listeners to CISOseries.com for comprehensive coverage of cybersecurity headlines every weekday.
Final Quote:
“Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.” ([07:02])
This episode of Cyber Security Headlines provided a thorough overview of significant cybersecurity incidents affecting various sectors, highlighting the evolving nature of cyber threats and the importance of proactive security measures.
