Daily Briefing for 05.16.25

At a glance.

• Co-op continues recovery from cyberattack.
• US DOJ charges twelve more suspects in theft of $263 million in cryptocurrency.
• APT28 exploits webmail vulnerabilities to target government agencies.

Co-op continues recovery from cyberattack.

UK retail chain Co-op says systems are now running normally following a cyberattack earlier this month, Reuters reports. The incident disrupted grocery resupplies at some stores, leaving food shelves empty. The company says deliveries are back to normal, and stores should be better-stocked this weekend.

The DragonForce ransomware gang claims to have stolen information belonging to 20 million people who signed up for Co-op's membership program, BleepingComputer reports. Co-op hasn't confirmed this exact number, but said the attackers accessed data belonging to "a significant number of our current and past members." The breached information includes "Co-op Group members' personal data such as names and contact details, and did not include members' passwords, bank or credit card details, transactions or information relating to any members' or customers' products or services with the Co-op Group."

US DOJ charges twelve more suspects in theft of $263 million in cryptocurrency

The US Justice Department has charged twelve additional individuals for their alleged roles in "a cyber-enabled racketeering conspiracy throughout the United States and abroad that netted them more than $263 million." The defendants are accused of various activities related to cryptocurrency theft, including carrying out physical burglaries to steal hardware wallets. Several of the suspects were arrested in California this week, while two are believed to be living abroad in Dubai.

The Justice Department stated, "The various roles included database hackers, organizers, target identifiers, callers, money launderers, and residential burglars targeting hardware virtual currency wallets. Database hackers hacked websites and servers to obtain cryptocurrency-related databases or purchased databases on the darkweb. Organizers and target identifiers organized and collated information across the databases to determine the most valuable targets. Callers cold-called victims and used social engineering to convince them their accounts were the subject of cyberattacks and the enterprise callers were attempting to help secure their accounts. Money launderers received the stolen crypto currency and turned it into fiat U.S. currency in the form of bulk cash or wire transfers."

APT28 exploits webmail vulnerabilities to target government agencies.

ESET describes a Russia-aligned cyberespionage campaign that's exploiting cross-site scripting (XSS) vulnerabilities affecting webmail software, including Roundcube, Horde, MDaemon, and Zimbra. A vulnerability affecting MDaemon (CVE-2024-11182), which has since been patched, was exploited as a zero-day. The researchers attribute the campaign with medium confidence to Sednit (also known as "APT28" or "Fancy Bear"), a threat actor associated with Russia's GRU.

The majority of the victims were "governmental entities and defense companies in Eastern Europe," although attacks were also observed against governments in Africa, Europe, and South America. The malware strains used in the campaign are designed "to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox."