June 2, 2025

News roundup June 2, 2025

San Mateo, CA, June 2, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

LexisNexis discloses breach affecting 364,000

LexisNexis Risk Solutions has disclosed a data breach affecting more than 364,000 individuals after a hacker accessed sensitive consumer information through the company’s GitHub account. The breach, traced back to December 25, 2024, involved a third-party platform used for software development. Compromised data includes names, birthdates, contact information, Social Security numbers, and driver’s license details. The company only became aware of the breach on April 1, 2025, when, according to LexisNexis spokesperson Jennifer Richman, the company received a report “from an unknown third party claiming to have accessed certain information.” It has not confirmed whether a ransom demand was issued. LexisNexis is a major data broker that collects extensive consumer information to help corporate clients assess risk, detect fraud, and perform due diligence. The company has previously drawn criticism for its opaque data collection practices, including partnerships with automakers that shared driving data with insurers without driver consent. Law enforcement also relies on LexisNexis to access personal details during investigations. The breach comes amid broader concerns over data privacy, as the Trump administration recently scrapped a proposed Biden-era rule that would have placed federal restrictions on data brokers. Read more.

Fake AI tools weaponized by cybercriminals

Lesser-known ransomware groups and malware operators are now weaponizing fake AI tools to deliver malicious payloads, marking a troubling shift in cybercriminal tactics. Cisco Talos researchers report that actors behind threats like CyberLock, Lucky_Gh0$t, and the new malware Numero are impersonating popular AI services through SEO poisoning and malvertising. These fake sites rank high in search results, tricking users into downloading malware disguised as legitimate AI software. CyberLock, a PowerShell-based ransomware, is distributed through a spoofed AI site and demands a $50,000 ransom in Monero after encrypting files with a .cyberlock extension. Lucky_Gh0$t, derived from Yashma and Chaos ransomware, poses as a ChatGPT installer bundled with real Microsoft AI tools to evade detection, encrypting smaller files and deleting larger ones. Victims are instructed to negotiate via the Session platform. Meanwhile, Numero disables Windows systems by corrupting the graphical interface using an infinite loop that overwrites screen elements with numeric strings. Though it causes no direct data loss, the malware renders systems unusable. These campaigns exploit public curiosity around AI, highlighting the growing need to verify sources and avoid downloading software from search engine ads or unofficial channels. Read more.

Interlock ransomware campaign emphasizes persistence

A new ransomware campaign by the Interlock group is raising alarms across cybersecurity circles for its sophisticated, multi-stage tactics that prioritize long-term access over quick financial gain. First identified in early 2024, Interlock departs from the traditional smash-and-grab ransomware model, deploying the NodeSnake Remote Access Trojan (RAT) alongside its encryption payload. This dual-payload approach lets attackers retain covert network access even after the initial infection has been discovered and cleaned up. Initial intrusions are typically carried out through compromised RDP credentials, phishing emails, or exploitation of unpatched vulnerabilities. Mid-sized businesses and critical sectors such as healthcare, manufacturing, and finance are prime targets, where operational disruption increases pressure to pay. Analysts note Interlock’s growing emphasis on persistence, which some suggest points to links with APT groups or state-sponsored actors. NodeSnake, written in Node.js, blends in with normal enterprise activity and is installed as a Windows service under deceptive names. It uses multiple persistence techniques, including registry edits and WMI abuse, so that the operators can return to a compromised network repeatedly. Victim recovery costs are estimated to exceed $2.3 million, reflecting the campaign’s significant operational and financial toll. Read more.

Apple blocks $9B in App Store fraud since 2020

Apple announced it thwarted over $9 billion in fraudulent transactions over the past five years, with more than $2 billion blocked in 2024 alone. The company highlighted a persistent onslaught of deceptive schemes targeting its App Store, from data-stealing apps to payment frauds. Last year, Apple rejected over 711 million fake customer account creations and deactivated nearly 129 million accounts for suspicious activity, such as spamming or manipulating app rankings. It also terminated 46,000 developer accounts and denied 139,000 developer enrollments due to fraud risks. In terms of app security, Apple blocked 10,000 illegitimate apps on pirate storefronts, stopped 4.6 million illicit app installations outside approved marketplaces, and rejected 1.9 million app submissions for violating standards. The company also removed 37,000 fraudulent apps and over 9,000 deceptive apps from search results, while purging 143 million fake ratings and reviews. Additionally, Apple banned 1.6 million accounts after detecting 4.7 million stolen credit cards. This disclosure parallels Google’s report of blocking 2.36 million harmful Android apps in 2024, and comes as Apple faces heightened regulatory pressure over its App Store policies. Read more.

AT&T data leak exposes 31 million records

A threat actor has claimed responsibility for leaking 31 million AT&T customer records, totaling 3.1GB of data and containing highly sensitive personal information in JSON and CSV formats. The alleged breach, posted on a dark web forum in May 2025, includes full names, birthdates, tax IDs, device and cookie IDs, IP addresses, contact information, and physical addresses. Cybersecurity researchers and platforms like DarkEye warn that the data, if authentic, poses a significant privacy risk and could fuel identity theft, fraud, and targeted attacks. This potential breach adds to AT&T’s troubling cybersecurity track record, including a March 2024 leak of 73 million customer records and a July 2024 breach exposing call metadata from 110 million users linked to compromised Snowflake cloud accounts. The new incident, featuring structured and analyzable data, underscores persistent vulnerabilities and could mark another major violation of user privacy. AT&T has not yet commented on the claims, and the legitimacy of the breach remains under investigation.

Void Blizzard hackers target NATO-aligned sectors

According to Microsoft, a newly identified Russian hacking group, Void Blizzard, is targeting government and critical sectors across Europe and North America. Active since mid-2024, the group has focused on NATO members and Ukraine, achieving successful breaches, including compromising user accounts at a Ukrainian aviation organization. Likely affiliated with the Kremlin, Void Blizzard aims to gather intelligence supporting Russian strategic goals. It targets telecoms, defense, healthcare, government, NGOs, and media sectors. Initially using basic credential theft tactics, Void Blizzard has recently advanced to adversary-in-the-middle spear phishing, spoofing Microsoft portals to steal credentials from NGO targets in Europe and the U.S. The group automates data collection via cloud APIs and, in some cases, accesses Microsoft Teams content. In parallel, Dutch intelligence confirmed Void Blizzard, tracked locally as Laundry Bear, breached multiple national organizations, including police contact data. Authorities warn the group is focused on espionage involving military equipment and weapon supplies to Ukraine, with particular interest in E.U. and NATO nations. Read more.

Senate revives contractor cybersecurity disclosure bill

A bipartisan effort in the Senate seeks to require federal contractors to follow National Institute of Standards and Technology guidelines for vulnerability disclosure policies. The Federal Contractor Cybersecurity Vulnerability Reduction Act, reintroduced by Senators Mark Warner and James Lankford, aims to align contractor obligations with those already imposed on federal agencies. Vulnerability disclosure policies (VDPs) allow organizations to receive and address unsolicited reports of software flaws before they can be exploited. The legislation mirrors a companion House bill from Representatives Nancy Mace and Shontel Brown, which passed in March. “Federal agencies and contractors must be quickly made aware of cyber vulnerabilities so that they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” said Lankford of the bill. The bill also mandates oversight from the Office of Management and Budget and the Defense Secretary to ensure contractor compliance through updates to procurement regulations. Industry leaders, including Palo Alto Networks and HackerOne, voiced strong support, calling the measure essential for bolstering national cybersecurity and closing a critical defense gap. Read more.

Silent Ransom Group targets law firms in vishing campaign

The FBI has issued a warning about an ongoing vishing campaign by the Silent Ransom Group, also known as Luna Moth, Chatty Spider, and UNC3753, which is targeting law firms through social engineering tactics. Since 2022, the group has gained notoriety for stealing sensitive data and demanding ransom without using traditional ransomware. In this latest campaign, attackers impersonate IT staff in unsolicited phone calls and callback phishing emails, convincing victims to install remote access software such as Zoho Assist, AnyDesk, or Splashtop. Once inside a system, the group exfiltrates data using tools like Rclone or WinSCP and then sends extortion messages threatening to release the stolen information. Unlike its earlier broad targeting across industries, Silent Ransom now focuses on legal firms, likely because of the sensitive nature of their data. These attacks show increased sophistication, with threat actors tailoring their efforts to match specific business operations. The FBI urges firms to combine basic cyber hygiene with defenses such as staff training, clear IT protocols, and regular backups, noting that this particular campaign is “unlikely to be flagged by traditional antivirus products.” Read more.
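The Interlock/NodeSnake item above and this Silent Ransom Group item describe the same defensive problem from two angles: legitimate remote-access and file-transfer tools that antivirus will not flag, and persistence through a Windows service, Run keys, and WMI event subscriptions. The following Python script is an added example (not code from this article, the FBI warning, or any vendor report) showing how a hunt over endpoint telemetry can surface both. The event layout (one flat, Sysmon-like dictionary per event) and the sample events are constructed for the example; the tool names, the node.exe service, the Run key, and the WMI consumer are the indicators the two items name.

```python
"""Hunt rules for the tradecraft in the Interlock/NodeSnake and Silent Ransom
Group items: remote-access and exfiltration tools launched on endpoints, a
Node.js binary installed as a Windows service, Run-key edits, and WMI event
consumers.

Added example, not code from the article or from any vendor report. The event
schema (a flat, Sysmon-like dict per event) and SAMPLE_EVENTS are constructed
for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry, loosely modelled on Sysmon event types
# (process create, service install, registry value set, WMI consumer create).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-LAW-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "WS-LAW-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": 'rclone.exe copy "D:\\Clients" remote:clients --transfers 16',
     "parent": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"type": "service_install", "host": "SRV-FILE-02",
     "name": "Windows Telemetry Host",
     "image_path": r"C:\ProgramData\telemetry\node.exe C:\ProgramData\telemetry\agent.js"},
    {"type": "registry_set", "host": "SRV-FILE-02",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TelemetryHost",
     "details": r"C:\ProgramData\telemetry\node.exe agent.js"},
    {"type": "wmi_consumer", "host": "SRV-FILE-02",
     "consumer_type": "CommandLineEventConsumer", "name": "TelemetrySync",
     "destination": r"C:\ProgramData\telemetry\node.exe agent.js"},
    # Benign: a developer running node.exe directly should not fire anything.
    {"type": "process", "host": "WS-DEV-01", "user": "build",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe build.js", "parent": r"C:\Windows\System32\cmd.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Product-name substrings (assumption for this example). In production, match
# on signer/product metadata rather than file names, which attackers can rename.
REMOTE_ACCESS_TOOLS = ("anydesk", "splashtop", "zoho")
EXFIL_TOOLS = ("rclone.exe", "winscp.exe")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_remote_access(ev: dict) -> Finding | None:
    if ev["type"] != "process":
        return None
    name = basename(ev["image"])
    if any(tool in name for tool in REMOTE_ACCESS_TOOLS):
        return Finding("remote_access_tool", ev["host"],
                       f"{ev['user']} launched {name} from {ev['image']}")
    return None


def rule_exfil_tool(ev: dict) -> Finding | None:
    if ev["type"] != "process":
        return None
    name = basename(ev["image"])
    if name not in EXFIL_TOOLS:
        return None
    parent = basename(ev["parent"])
    via = (" under a remote-access session"
           if any(t in parent for t in REMOTE_ACCESS_TOOLS) else "")
    return Finding("exfil_tool", ev["host"], f"{name}{via}: {ev['cmdline']}")


def rule_node_service(ev: dict) -> Finding | None:
    # node.exe as a plain process is common on developer machines; a *service*
    # whose ImagePath runs node.exe is the NodeSnake-style signal.
    if ev["type"] != "service_install" or "node.exe" not in ev["image_path"].lower():
        return None
    return Finding("nodejs_service", ev["host"],
                   f"service '{ev['name']}' runs {ev['image_path']}")


def rule_run_key(ev: dict) -> Finding | None:
    if ev["type"] != "registry_set" or not RUN_KEY.search(ev["target"]):
        return None
    return Finding("run_key_persistence", ev["host"],
                   f"{ev['target']} = {ev['details']}")


def rule_wmi_consumer(ev: dict) -> Finding | None:
    # New WMI event consumers are rare enough in most fleets to review by hand.
    if ev["type"] != "wmi_consumer":
        return None
    return Finding("wmi_event_consumer", ev["host"],
                   f"{ev['consumer_type']} '{ev['name']}' -> {ev['destination']}")


RULES = (rule_remote_access, rule_exfil_tool, rule_node_service,
         rule_run_key, rule_wmi_consumer)


def hunt(events: list[dict]) -> list[Finding]:
    """Run every rule over every event; return findings in event order."""
    findings: list[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def correlate(findings: list[Finding]) -> dict[str, list[str]]:
    """Group fired rules by host so chained activity (remote access followed
    by an exfiltration tool, or service + Run key + WMI) stands out."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print(correlate(found))
```

Two design points matter in practice. The rules deliberately ignore node.exe as a process and fire only on node.exe behind a service, a Run key, or a WMI consumer, because the binary itself is everywhere on developer machines. And the per-host correlation is what turns a noisy remote-access alert into something worth paging on: a remote-access tool launched from a Downloads folder that then spawns rclone is the sequence the FBI describes, whereas the same tool under Program Files on a help-desk machine is usually a baseline to record, not an incident.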

U.S. dismantles DanaBot malware operation

The U.S. Department of Justice has dismantled the infrastructure behind DanaBot. This Russia-linked malware-as-a-service operation has infected over 300,000 computers globally and caused at least $50 million in damages. Charges were unsealed against 16 people, including Russian nationals Aleksandr Stepanov and Artem Kalinkin, who remain at large. DanaBot, active since 2018, evolved from a banking trojan into a modular platform used for fraud, espionage, and ransomware. The malware could hijack banking sessions, steal credentials, provide full remote access, and deploy follow-on payloads via a multi-tiered command-and-control architecture. A second variant targeted military and government entities in North America and Europe. The malware’s developers rented access to affiliates, enabling customized attacks through private servers. DanaBot’s infrastructure included hundreds of active C2 servers daily, with its operators also leveraging it for DDoS attacks against Ukraine in 2022. The operation’s disruption was part of Operation Endgame, carried out with “valuable assistance” from Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team Cymru, and Zscaler. Read more.

Chinese hackers exploit Cityworks flaw in U.S. local governments

Financially motivated Chinese hackers, identified as UAT-6382, are exploiting a critical vulnerability (CVE-2025-0994) in Trimble’s Cityworks, a widely used asset management platform in the U.S., to target local government systems. Cisco Talos reports that the group began its campaign in January 2025 by leveraging the flaw, which allows remote code execution on Microsoft IIS servers running outdated Cityworks versions. Once inside, the attackers deployed web shells and custom malware, including AntSword, chinatso, Behinder, and file uploaders containing Chinese-language messages. They conducted reconnaissance, staged files for exfiltration, and established long-term access through backdoors delivered via PowerShell. Tools like Cobalt Strike and VShell were injected using Rust-based TetraLoader, linked to a Chinese-made malware builder. The group showed a strong interest in utility-related systems post-compromise. Trimble has patched the flaw in version 15.8.9 and urges all Cityworks users to update immediately to avoid further compromise. Read more.

About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
