
Rich Stroffolino
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Tuesday, May 20, 2025. I'm Rich Stroffolino.

UK's Legal Aid Agency breached. On April 23, the UK's Legal Aid Agency, a part of the Ministry of Justice, discovered a threat actor had breached its systems. It "immediately coordinated with the National Crime Agency to bolster the security of our systems," according to CEO Jane Harbottle. On Friday, May 16, it was discovered that the attack was more extensive than originally understood, with threat actors accessing a significant amount of data on applicants for legal aid, including criminal records, addresses, national ID numbers and financial data. Citing a need for radical action to safeguard users, the agency took its services offline while it recovers. The Ministry of Justice has contingency plans in place for those in need of legal support. No word on who orchestrated the attack or how they gained access.

NHS patients put at risk from cyber attacks. Recorded Future News acquired data from Britain's National Health Service under a Freedom of Information Act request showing that two cyber attacks last year caused what was categorized as "potential clinical harm" to over 50 patients, stemming from a lack of available medical care. This category falls below the two most critical categories, excess fatalities and excess casualties. While the data doesn't name the specific attacks, it could likely have stemmed from the attack on the pathology services provider Synnovis, which resulted in delayed and canceled medical appointments.

23andMe has a buyer. When the DNA testing company 23andMe declared bankruptcy, there were obvious privacy concerns raised about the implications for its genetic data. Now Regeneron Pharmaceuticals has agreed to buy the company out of bankruptcy for $256 million. With the acquisition expected to close in Q, 23andMe services will continue uninterrupted, and Regeneron will need to tell a court-appointed ombudsman how it plans to use the genetic data, as well as detail its security and privacy controls. Regeneron said it will maintain 23andMe's existing privacy policies after the acquisition.

Bipartisan bill for federal cyber workforce training. Representatives Pat Fallon and Marcy Kaptur introduced the Federal Cyber Workforce Training Act in the House. This bill calls on the National Cyber Director to plan for the creation of a centralized training center for federal cyber workforce development. This center would focus on setting cybersecurity standards for new federal employees at the start of onboarding, specifically for entry-level workers, with role-specific training developed in cooperation with relevant federal agencies. The bill also proposes the idea of specialized training for federal HR officials to better recruit personnel for the federal cyber workforce.

And now, thanks to today's sponsor, Conveyor. Ever spent an hour in a clunky portal questionnaire with UI from 1999, just to lose your work because it timed out? Conveyor's got you. Their browser extension completes questionnaires in the most tedious portals for you. By auto-importing all the questions and generating AI answers for popular portals, it can go full autopilot and fill reviewed answers into the portal in one click. You shouldn't have to fight a portal just to prove your security posture. Learn more at conveyor.com. That's C-O-N-V-E-Y-O-R.com.

Ransomware operators turning to Skitnet. Researchers at Prodaft report that the malware Skitnet, also known as Bossnet, is becoming increasingly popular in the post-exploitation toolkit of ransomware actors. Skitnet first appeared for sale on underground forums in April 2024, but was most recently seen used by Black Basta last month. Skitnet offers a lightweight package with a fully automated installation. Initial executables are written in Rust, which then decrypt and run payloads compiled in Nim, ultimately to establish a reverse shell connection to a C2 server, communicating over DNS. It uses PowerShell-based commands to obtain persistence at startup and deploys the legitimate tools AnyDesk and RUT-Serv for remote access.

Arla Foods confirms cyberattack. The Danish food co-op giant confirmed it suffered a cyber attack that disrupted production at its dairy site in Upahl, Germany. It expects this will lead to product delays or order cancellations in the near future. It hopes to restore production at the facility by the end of the week. Arla was mum when asked if this was a ransomware attack. Arla's products are used in brands across 140 countries, including Starbucks, Castello, Puck and Lurpak. No threat actor has taken credit for the disruption yet.

Threat actors find a way to make printer software even worse. On a tip from tech writer Cameron Coward, an analysis by the security firm G DATA found that software downloads from the printer company Procolored contain malware. Coward notified Procolored, only to be told that these were likely false positives. G DATA found that the company hosted software on Mega.nz and had 39 software downloads infected with a cryptostealer and the wormable backdoor XRed. This could log keystrokes, download payloads, and copy cryptocurrency wallet information when installed. Despite the initial denial, Procolored eventually removed the software downloads, telling G DATA that it initially transferred its software to the host through a flash drive, which might have been where the malware was introduced.

Pwn2Own aftermath. We already discussed some of the vulnerabilities discovered at Pwn2Own Berlin last week. Now that the event is over, we know security researchers pocketed $1,078,000 in bounties exploiting 29 zero-days. The STAR Labs SG team took home the most money with $320,000. Vendors have 90 days from Pwn2Own to patch vulnerabilities before Trend Micro's Zero Day Initiative publishes technical details. Over the weekend, Mozilla wasted no time patching two critical out-of-bounds read/write issues in the JavaScript engine of Firefox.

"Don't aim to be perfect for cybersecurity, don't trust systems, don't trust people, and don't rely on a single line of defense." Those might sound like modern cybersecurity principles, but they date back to a 1995 talk by cryptography pioneer Adi Shamir. The landscape is changing, but the fundamentals have been around for decades. So why are we still struggling to understand that? That's what we're going to try to answer on this week's episode of the CISO Series Podcast. Look for "Why Learn Security Fundamentals When We Could Just Chase Our Tails?" wherever you get your podcasts.

Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines Podcast Summary
Title: Cyber Security Headlines
Host: Rich Stroffolino, CISO Series
Release Date: May 20, 2025
Episode Focus: Legal Aid Breach, NHS Cyberattacks, 23andMe Acquisition, Federal Cyber Workforce Bill, Ransomware Trends, Arla Foods Attack, Printer Software Malware, Pwn2Own Aftermath, Mozilla Security Patches
At the beginning of the episode (00:00), host Rich Stroffolino reports a significant cybersecurity incident involving the UK's Legal Aid Agency, a part of the Ministry of Justice. On April 23, the agency identified a breach by a threat actor. Jane Harbottle, CEO of the agency, stated:
"We immediately coordinated with the National Crime Agency to bolster the security of our systems." (00:30)
Further investigation revealed on May 16 that the breach was more extensive than initially thought, with attackers accessing sensitive data such as criminal records, addresses, national ID numbers, and financial information of legal aid applicants. In response, the agency temporarily took its services offline to secure the systems, emphasizing the necessity for radical action to protect user data. The Ministry of Justice assured the public that contingency plans are in place to support those requiring legal aid. The identity of the attackers and their method of infiltration remain undisclosed.
Rich moves on to discuss cybersecurity within the healthcare sector. Data obtained by Recorded Future News through a Freedom of Information Act request revealed that two cyberattacks on Britain's National Health Service (NHS) last year resulted in "potential clinical harm" to over 50 patients because care was unavailable. This classification sits just below the two most severe categories, "excess fatalities" and "excess casualties." Although the data does not name the specific attacks, the harm was likely linked to the breach of the pathology services provider Synnovis, which led to delayed and cancelled medical appointments.
A major corporate development was highlighted regarding 23andMe, the popular DNA testing company. After declaring bankruptcy amid privacy concerns over genetic data, Regeneron Pharmaceuticals stepped in to acquire the company for $256 million. Rich explains:
"With the acquisition expected to close in Q, 23andMe services will continue uninterrupted, and Regeneron will need to tell a court-appointed ombudsman how it plans to use the genetic data, as well as detail security and privacy controls."
Regeneron has committed to maintaining 23andMe's existing privacy policies post-acquisition, aiming to address the raised privacy concerns and ensure the continuity of services.
The episode covers legislative efforts to bolster the federal cybersecurity workforce. Representatives Pat Fallon and Marcy Kaptur introduced the Federal Cyber Workforce Training Act in the House. This bipartisan bill proposes:
- Directing the National Cyber Director to plan a centralized training center for federal cyber workforce development.
- Setting cybersecurity standards for new federal employees at the start of onboarding, with role-specific training for entry-level workers developed in cooperation with the relevant federal agencies.
- Specialized training for federal HR officials so they can better recruit personnel for the federal cyber workforce.
The bill aims to create a robust and well-trained federal cyber workforce to address evolving cybersecurity challenges.
Rich delves into emerging trends in ransomware operations, specifically the adoption of Skitnet (also known as Bossnet) by cybercriminals. Researchers at Prodaft have identified that Skitnet is increasingly favored in the post-exploitation toolkit of ransomware actors because of its feature set:
- A lightweight package with a fully automated installation.
- Initial executables written in Rust that decrypt and run payloads compiled in Nim.
- A reverse shell to a command-and-control (C2) server, with the channel carried over DNS.
- PowerShell-based commands to obtain persistence at startup.
- Deployment of the legitimate remote-access tools AnyDesk and RUT-Serv.
Skitnet first appeared for sale on underground forums in April 2024 and was notably used by the Black Basta group last month, illustrating its growing prevalence in the ransomware landscape.
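The DNS-carried C2 channel described above is the part of this toolchain a defender can see on the network even when the Rust and Nim stages evade endpoint controls. As an added illustration (not code from the episode, from Prodaft's report, or from the malware itself), the following Python heuristic profiles a DNS query log per client and zone and flags the pattern a DNS-tunnelled reverse shell tends to produce: many never-repeated, long, high-entropy subdomains under one zone, often using TXT or other data-bearing record types. The four-column log format and the sample lines are constructed for this example; the registered domain is approximated as the last two labels, which a production version would replace with a Public Suffix List lookup and a baseline of the organisation's normal resolver traffic.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (assumed format: timestamp, client, qname, qtype).
# Client 10.0.0.5 shows ordinary browsing; 10.0.0.7 shows tunnel-like traffic.
SAMPLE_DNS_LOG = """\
2025-05-19T10:00:01 10.0.0.5 www.example.com A
2025-05-19T10:00:02 10.0.0.5 login.microsoftonline.com A
2025-05-19T10:00:04 10.0.0.5 mail.example.com A
2025-05-19T10:00:03 10.0.0.7 a91f3c0d2b7e4f10.cdn-update.example.net TXT
2025-05-19T10:00:05 10.0.0.7 7c2e9d11aa04b3c9.cdn-update.example.net TXT
2025-05-19T10:00:07 10.0.0.7 0d4b8e6f22c1a7de.cdn-update.example.net TXT
2025-05-19T10:00:09 10.0.0.7 f3a1c5e7b9d20486.cdn-update.example.net TXT
2025-05-19T10:00:11 10.0.0.7 5e6d7c8b9a0f1e2d.cdn-update.example.net TXT
2025-05-19T10:00:13 10.0.0.7 b7a6c5d4e3f20198.cdn-update.example.net TXT
2025-05-19T10:00:15 10.0.0.7 www.example.com A
"""

# Record types commonly used to carry data back to a tunnelling client.
DATA_BEARING_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score high, words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (zone, subdomain) using the last two labels as the zone (simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None  # nothing below the zone apex to inspect
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        rows.append(tuple(parts))
    return rows


def profile(rows):
    """Aggregate per (client, zone): query count, distinct subdomains, entropy/length sums."""
    stats = defaultdict(lambda: {"subdomains": set(), "queries": 0,
                                 "data_types": 0, "entropy_sum": 0.0, "len_sum": 0})
    for _ts, client, qname, qtype in rows:
        split = split_name(qname)
        if split is None:
            continue
        zone, sub = split
        st = stats[(client, zone)]
        leftmost = sub.split(".")[0]  # the label a tunnel encodes data into
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(leftmost)
        st["len_sum"] += len(leftmost)
        if qtype.upper() in DATA_BEARING_TYPES:
            st["data_types"] += 1
    return stats


def find_suspects(rows, min_unique=5, min_entropy=3.0, min_len=12, min_unique_ratio=0.8):
    """Flag (client, zone) pairs whose subdomains look like encoded C2 traffic."""
    suspects = []
    for (client, zone), st in profile(rows).items():
        n = st["queries"]
        uniq = len(st["subdomains"])
        mean_entropy = st["entropy_sum"] / n
        mean_len = st["len_sum"] / n
        if (uniq >= min_unique and mean_entropy >= min_entropy
                and mean_len >= min_len and uniq / n >= min_unique_ratio):
            suspects.append({"client": client, "zone": zone, "queries": n,
                             "unique_subdomains": uniq,
                             "mean_entropy": round(mean_entropy, 2),
                             "data_type_ratio": round(st["data_types"] / n, 2)})
    return sorted(suspects, key=lambda s: -s["queries"])


if __name__ == "__main__":
    for hit in find_suspects(parse_log(SAMPLE_DNS_LOG)):
        print(hit)
```

The thresholds are starting points, not tuned values: CDNs, anti-spam lookups and some telemetry legitimately produce long unique subdomains, so an alert from this logic should be enriched with the zone's age and reputation and the client's process context before anyone acts on it.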
The Danish food cooperative giant Arla Foods confirmed a cyberattack that disrupted production at its dairy facility in Upahl, Germany. Key points include:
- Arla expects product delays or order cancellations in the near future.
- It hopes to restore production at the facility by the end of the week.
- Arla declined to say whether the attack involved ransomware.
- Arla's products are used in brands across 140 countries, including Starbucks, Castello, Puck and Lurpak.
- No threat actor has claimed responsibility.
An alarming development involves malware in software downloads from the printer company Procolored. Following a tip from tech writer Cameron Coward, security firm G DATA discovered that:
- Procolored hosted its software on Mega.nz, and 39 downloads were infected with a cryptostealer and the wormable backdoor XRed.
- Once installed, the malware could log keystrokes, download further payloads, and copy cryptocurrency wallet information.
- Procolored initially dismissed Coward's report as likely false positives, but later removed the downloads and told G DATA that the software had been transferred to the host via a flash drive, which may be how the malware was introduced.
Rich reviews the outcomes of the recent Pwn2Own Berlin competition:
- Researchers earned $1,078,000 in bounties for exploiting 29 zero-days.
- The STAR Labs SG team took home the most money, $320,000.
- Vendors have 90 days from the event to patch before Trend Micro's Zero Day Initiative publishes technical details.
In continuation of the Pwn2Own discussion, Mozilla patched two critical out-of-bounds read/write vulnerabilities in Firefox's JavaScript engine over the weekend, well inside the 90-day disclosure window. This underscores the value of responding quickly to flaws demonstrated at the contest before technical details become public.
In his concluding remarks, Rich emphasizes the enduring importance of foundational cybersecurity principles. He reflects on a 1995 talk by cryptography pioneer Adi Shamir, highlighting timeless advice:
"Don't aim to be perfect for cybersecurity, don't trust systems, don't trust people, and don't rely on a single line of defense."
Rich poses a thought-provoking question:
"So why are we still struggling to understand that?"
He encourages listeners to revisit and uphold these fundamental principles amid a rapidly changing threat landscape, and points them to this week's CISO Series Podcast episode, "Why Learn Security Fundamentals When We Could Just Chase Our Tails?", which takes up that question.
Notable Quotes:
Jane Harbottle, CEO of UK's Legal Aid Agency:
"We immediately coordinated with the National Crime Agency to bolster the security of our systems." (00:30)
Adi Shamir's 1995 principles, as cited by Rich Stroffolino:
"Don't aim to be perfect for cybersecurity, don't trust systems, don't trust people, and don't rely on a single line of defense."
For an in-depth exploration of each headline and more cybersecurity insights, visit CISO Series.