WEEKLY TOP TEN: May 26, 2025, 16:00 GMT
- Botnets Disrupted Worldwide…Operation Endgame Is Back

Law enforcement agencies coordinated by Europol and Eurojust executed the second phase of Operation Endgame from May 19-22, 2025, taking down approximately 300 servers and neutralizing 650 domains used for ransomware distribution. The operation targeted successor groups that emerged after last year's takedowns, including Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE. International arrest warrants were issued for 20 suspects as authorities continue their campaign against the ransomware ecosystem.

- CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

CISA revealed that Commvault is monitoring cyber threat activity targeting applications hosted in its Microsoft Azure cloud environment after threat actors accessed client secrets. The nation-state actors exploited CVE-2025-3928 (CVSS 8.7), an unspecified flaw in Commvault's Web Server that enables authenticated attackers to create and execute web shells. While Commvault confirmed no customer backup data was compromised, the incident affected a small number of customers sharing infrastructure with Microsoft, prompting mandatory federal patching by May 19, 2025.

- Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks

A China-nexus threat group tracked as UNC5221 has been exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to attack healthcare, telecommunications, aviation, and local government organizations in Europe, North America, and Asia-Pacific. The vulnerability chain allows unauthenticated remote code execution by combining an authentication bypass with an unsafe Expression Language injection. Exploitation began on May 15, 2025; multiple distinct payloads, including Sliver beacons, were deployed, indicating that more than one threat actor is involved.

- Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

Akamai researchers discovered a privilege escalation flaw in Windows Server 2025's delegated Managed Service Account (dMSA) feature that allows attackers to compromise any user in Active Directory. The vulnerability works with default configurations and is trivial to exploit; in 91% of the examined environments, users outside the Domain Admins group held the permissions required to carry it out. Microsoft classified the issue as moderate severity and stated that it does not meet the criteria for immediate servicing; however, a patch is currently in development.

- Ransomware Attack Triggers 'System-Wide' Tech Outage at Large Network of Medical Centers

Kettering Health's network of 14 Ohio medical centers experienced a system-wide technology outage on May 20, 2025, forcing the cancellation of all elective procedures after the Interlock ransomware gang deployed malware across its network. The attack disrupted critical patient care systems and call centers, with emergency departments diverting ambulances to other facilities. The ransom note threatened to leak stolen data unless negotiations began within 72 hours, continuing the trend of healthcare being the most targeted critical infrastructure sector.

- UAT-6382 Exploits Cityworks Zero-Day Vulnerability to Deliver Malware

Cisco Talos observed Chinese threat actors exploiting CVE-2025-0994, an RCE vulnerability in Cityworks asset management systems, to target U.S. government networks during January 2025. The attackers rapidly deployed web shells, including AntSword and chinatso/Chopper, along with custom Rust-based loaders called "TetraLoader," built using the MaLoader framework, to deliver Cobalt Strike beacons and VShell malware. Post-compromise activity showed clear interest in pivoting to utilities management systems, with the threat actors exfiltrating backup archives and establishing persistent backdoor access through C2 domains such as cdn[.]lgaircon[.]xyz and www[.]roomako[.]com. Organizations should immediately patch Cityworks installations and monitor for the published indicators of compromise.

- M&S' $400 Million Cyberattack Upheaval to Linger Into July

UK retailer Marks & Spencer disclosed that a "highly sophisticated and targeted" cyberattack will cost about £300 million ($403 million) in lost operating profit, with disruption to online services likely to last until July. The attack compelled M&S to rely on manual labor to move billions of pounds' worth of fresh food and clothing after its automated stock systems were taken offline. Scattered Spider deployed ransomware from the DragonForce group, and the M&S logins of at least two Tata Consultancy Services employees were used as part of the breach.

- Forgotten DNS Records Enable Scam Actor

Infoblox researchers identified a threat actor, tracked as "Hazy Hawk," that has been hijacking abandoned cloud resources through dangling CNAME DNS records at high-profile organizations, including cdc[.]gov, berkeley[.]edu, and deloitte[.]com, since December 2023. The actor exploits forgotten DNS records pointing to decommissioned cloud services on platforms such as Azure, AWS S3, and GitHub, then uses the hijacked domains to host malicious URLs that lead victims through traffic distribution systems to scams and malware. Hazy Hawk employs sophisticated techniques, including passive DNS analysis to find vulnerable records, content theft from legitimate sites such as PBS to disguise its pages, and push notification abuse to maintain persistent access to victims. When shutting down cloud resources, organizations should implement processes to remove the corresponding DNS CNAME records and maintain comprehensive tracking of active cloud services.

- 3AM Ransomware Adopts Email Bombing, Vishing Combo Attack

The 3AM ransomware group has adopted a sophisticated attack that combines email bombing with vishing, documented in more than 15 incidents between November 2024 and January 2025, with 55 other attempted attacks detected. Attackers performed reconnaissance to gather employee email addresses and IT department phone numbers, then subscribed victims to multiple email lists, flooding their inboxes. While employees were overwhelmed by the unwanted email, attackers made voice calls impersonating IT support to trick them into granting remote access via Quick Assist or AnyDesk.

- Mozilla Fixes Firefox Zero-Days Exploited at Hacking Contest

Mozilla released emergency security updates addressing two critical Firefox zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) demonstrated at Pwn2Own Berlin 2025, both involving out-of-bounds read/write issues in the JavaScript engine. The vulnerabilities, discovered by Palo Alto Networks researchers and security researcher Manfred Paul, earned $50,000 each but notably failed to achieve a sandbox escape thanks to Mozilla's recent architectural improvements. Mozilla's global task force developed and tested fixes within hours of the demonstrations, pushing updates to Firefox 138.0.4, ESR 128.10.1, and ESR 115.23.1. Users should update to these versions immediately, as publicly demonstrated vulnerabilities often lead to real-world attacks.
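The Hazy Hawk item above comes down to one auditable condition: a CNAME in a zone you control whose target hostname no longer exists (NXDOMAIN), typically in a cloud provider's namespace where a new tenant can create a resource of the same name. The script below is an added example, not code from the original digest or from Infoblox, that scans a zone for exactly that condition. The zone records, the "still live" target set and the hostnames in them are constructed sample data; the provider-suffix table is a non-exhaustive list of real cloud namespaces; `live_resolver` uses the dnspython package (`pip install dnspython`) and is only needed when running against real DNS.

```python
"""Audit a zone for dangling CNAME records (targets that return NXDOMAIN)."""
from typing import Callable, Dict, List, Optional, Tuple

# Non-exhaustive map of cloud hostname suffixes to the service that owns that
# namespace. A CNAME into one of these zones whose target no longer exists is
# the dangerous case: the resource was deleted, but another tenant may be able
# to create one with the same name and serve content for our hostname.
CLAIMABLE_SUFFIXES: Dict[str, str] = {
    ".azurewebsites.net": "Azure App Service",
    ".cloudapp.azure.com": "Azure classic VM / cloud service",
    ".s3.amazonaws.com": "AWS S3 bucket",
    ".github.io": "GitHub Pages",
}

# Constructed sample zone: (owner name, record type, target). The .test TLD
# is reserved, and the target labels are invented.
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("www.example.test", "A", "192.0.2.10"),
    ("blog.example.test", "CNAME", "example-blog.azurewebsites.net."),
    ("assets.example.test", "CNAME", "example-old-assets.s3.amazonaws.com."),
    ("docs.example.test", "CNAME", "example-docs.github.io."),
]

# Constructed view of "what still resolves": only the blog target is alive;
# the other two cloud resources were decommissioned without touching DNS.
LIVE_TARGETS: Dict[str, List[str]] = {
    "example-blog.azurewebsites.net": ["203.0.113.5"],
}

# A resolver returns the A records for a name, [] if the name exists but has
# none, or None if the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[List[str]]]


def fake_resolver(name: str) -> Optional[List[str]]:
    """Offline resolver backed by the constructed LIVE_TARGETS table."""
    return LIVE_TARGETS.get(name)


def live_resolver(name: str) -> Optional[List[str]]:
    """Real resolver via dnspython; not exercised by the offline sample run."""
    import dns.resolver  # lazy import so the rest of the file runs without it
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, "A")]
    except dns.resolver.NXDOMAIN:
        return None          # target is gone: the dangling case
    except dns.resolver.NoAnswer:
        return []            # name exists (maybe AAAA only): not dangling


def provider_for(target: str) -> Optional[str]:
    """Return the cloud service whose namespace the target lives in, if known."""
    name = target.rstrip(".").lower()
    for suffix, service in CLAIMABLE_SUFFIXES.items():
        if name.endswith(suffix):
            return service
    return None


def find_dangling_cnames(zone: List[Tuple[str, str, str]],
                         resolve: Resolver) -> List[dict]:
    """Return one finding per CNAME whose target no longer exists."""
    findings = []
    for owner, rtype, target in zone:
        if rtype.upper() != "CNAME":
            continue
        if resolve(target.rstrip(".").lower()) is not None:
            continue                      # target still exists: fine
        findings.append({
            "owner": owner,
            "target": target,
            "provider": provider_for(target) or "unknown",
        })
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, fake_resolver):
        print(f"DANGLING {f['owner']} -> {f['target']} ({f['provider']})")
```

Run the check from a scheduled job against an export of every zone the organisation owns, and treat a finding in a claimable namespace as a change-management failure to fix on the DNS side (delete or repoint the record) rather than by recreating the cloud resource. Pairing the scan with an inventory of active cloud resources closes the other half of the gap the item describes.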
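The 3AM item above describes a two-stage lure whose first stage, the email bombing, is observable in mail logs before any vishing call happens: one mailbox suddenly receives a burst of messages from many unrelated senders. The detector below is an added example, not code from the original digest or from the incident reports, that flags that pattern with a sliding window. The log line format, the mailbox names and the sender domains are constructed; the thresholds are illustrative defaults, and a third mailbox receiving many messages from a single automated sender is included to show why the distinct-sender criterion matters.

```python
"""Flag mailboxes receiving a burst of messages from many distinct senders."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed delivery-log format, e.g.
#   2025-01-14T09:00:00Z to=<alice@example.test> from=<list3@news3.example> status=delivered
LOG_RE = re.compile(r"^(?P<ts>\S+) to=<(?P<rcpt>[^>]+)> from=<(?P<sender>[^>]+)>")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, recipient, sender) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["rcpt"].lower(), m["sender"].lower()


def detect_mail_bombing(lines: List[str], window_seconds: int = 600,
                        min_messages: int = 20,
                        min_distinct_senders: int = 10) -> List[dict]:
    """One alert per recipient who gets >= min_messages from >= min_distinct_senders
    within any window_seconds-long window."""
    by_rcpt: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, rcpt, sender = parsed
            by_rcpt[rcpt].append((ts, sender))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for rcpt, events in by_rcpt.items():
        events.sort()
        recent: Deque[Tuple[datetime, str]] = deque()
        for ts, sender in events:
            recent.append((ts, sender))
            # Drop events that fell out of the window ending at this message.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            senders = {s for _, s in recent}
            if len(recent) >= min_messages and len(senders) >= min_distinct_senders:
                alerts.append({"recipient": rcpt, "window_end": ts,
                               "messages": len(recent),
                               "distinct_senders": len(senders)})
                break  # first crossing is enough; avoid alert storms
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: alice is bombed, bob is normal, carol gets one noisy
    but legitimate automated sender (should NOT alert)."""
    base = datetime(2025, 1, 14, 9, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(30):                       # 30 mails, 25 senders, 5 minutes
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{ts} to=<alice@example.test> "
                     f"from=<list{i % 25}@news{i % 25}.example> status=delivered")
    for i in range(4):                        # ordinary traffic
        ts = (base + timedelta(minutes=3 * i)).strftime(fmt)
        lines.append(f"{ts} to=<bob@example.test> "
                     f"from=<colleague{i}@example.test> status=delivered")
    for i in range(25):                       # one automated sender, many mails
        ts = (base + timedelta(seconds=5 * i)).strftime(fmt)
        lines.append(f"{ts} to=<carol@example.test> "
                     f"from=<alerts@monitoring.example> status=delivered")
    return lines


if __name__ == "__main__":
    for a in detect_mail_bombing(build_sample_log()):
        print(f"MAIL-BOMB {a['recipient']}: {a['messages']} msgs from "
              f"{a['distinct_senders']} senders by {a['window_end']:%H:%M:%S}")
```

An alert from this detector is most useful when the help desk sees it: a call from "IT support" to a user who was just flagged, or a Quick Assist or AnyDesk session starting on that user's workstation shortly afterwards, is the second stage of the same attack and should be treated as such.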
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ items we judged most significant during the week, ranked by risk and cross-checked against multiple sources where available.