
Targeting schools is not cool.
The LockBit ransomware gang has been hacked. Google researchers identify a new infostealer called Lostkeys. SonicWall is urging customers to patch three critical device vulnerabilities. Apple patches a critical remote code execution flaw. Cisco patches 35 vulnerabilities across multiple products. Iranian hackers cloned a German modeling agency’s website to spy on Iranian dissidents. Researchers bypass SentinelOne’s EDR protection. Education tech firm PowerSchool faces renewed extortion. CrowdStrike leans into AI amidst layoffs. Our guest is Caleb Barlow, CEO of Cyberbit, discussing the mixed messages of the cyber skills gaps. Honoring the legacy of Joseph Nye.
Today is May 8th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The LockBit ransomware gang has been hacked.
The LockBit ransomware gang has been hacked, leading to a major leak of its internal data. On May 7, 2025, LockBit’s dark web affiliate panels were defaced with a message stating, “Don’t do crime CRIME IS BAD xoxo from Prague,” and included a link to download a MySQL database dump. The leaked database contains 20 tables, including nearly 60,000 unique Bitcoin addresses, detailed ransomware build configurations, and over 4,400 chat logs from victim negotiations between December 2024 and April 2025. This breach exposes the inner workings of LockBit’s ransomware-as-a-service operation, revealing how affiliates customized attacks and communicated with victims. The incident follows previous law enforcement actions against LockBit, including infrastructure seizures and arrests, further destabilizing the group.
Google researchers identify a new infostealer called Lostkeys.
Google researchers have identified a new malware called Lostkeys, used by the Russian state-backed hacking group Coldriver (aka Star Blizzard, UNC4057, Callisto). This group, known for phishing, now uses Lostkeys to steal files and system data via a fake CAPTCHA site that tricks victims into running malicious PowerShell code. Coldriver, active since 2022, targets diplomats, journalists, and NATO-linked groups. Lostkeys, like earlier malware Spica, is used in selective espionage operations tied to Russian intelligence services.
Elsewhere, scammers are spreading a new malware called Noodlophile Stealer using fake AI tools and Facebook ads. The campaign targets users with a multi-stage attack that begins on phony AI websites offering free image or video generation. Victims download a ZIP file disguised as a video editing tool, which installs malware that steals browser credentials, crypto wallets, and can deploy remote access tools like XWorm. The malware uses Telegram for data exfiltration and evades detection by running payloads in memory.
SonicWall is urging customers to patch three critical device vulnerabilities.
SonicWall is urging customers to patch three critical vulnerabilities in its SMA 100 series devices, one of which is being actively exploited. Discovered by Rapid7, the flaws (CVE-2025-32819, -32820, and -32821) can be chained to allow remote code execution as root. Affected devices include SMA 200, 210, 400, 410, and 500v. Patches are available in firmware version 10.2.1.15-81sv or later. SonicWall advises enabling MFA, checking logs for unauthorized access, and using the web application firewall for added protection.
Apple patches a critical remote code execution flaw.
A critical remote code execution flaw in macOS, tracked as CVE-2024-44236, allows attackers to run arbitrary code if a user opens a malicious ICC profile. Found by Trend Micro’s Zero Day Initiative, the bug stems from improper bounds checking in macOS’s sips utility. Apple patched it in Ventura 13.7.1, Sonoma 14.7.1, and Sequoia 15.1 on October 28, 2024. No active exploitation has been seen, but users should update immediately, given the severity of the flaw and the fact that technical details are now public.
Cisco patches 35 vulnerabilities across multiple products.
Cisco has released patches addressing 35 vulnerabilities across multiple products, including critical flaws in IOS XE Wireless LAN Controllers and Identity Services Engine (ISE). One significant vulnerability in IOS XE Wireless Controllers allows unauthenticated attackers to upload arbitrary files via crafted HTTPS requests, potentially leading to full device compromise. In ISE, two critical API vulnerabilities (CVE-2025-20124 and CVE-2025-20125) enable remote attackers with read-only access to execute arbitrary commands and alter configurations due to insecure deserialization and improper input validation. Additionally, Cisco addressed high-severity SNMP flaws in IOS, IOS XE, and IOS XR that could cause denial-of-service conditions. Users are strongly advised to update affected systems promptly, as no workarounds are available for these vulnerabilities.
Iranian hackers cloned a German modeling agency’s website to spy on Iranian dissidents.
Iranian state-linked hackers, tied to APT35 (Charming Kitten), cloned a German modeling agency’s website to spy on Iranian dissidents. The fake site, discovered in May 2025, mimics Hamburg’s Mega Model Agency and features a fake model profile with a dormant “private album” link—likely a phishing lure. Obfuscated JavaScript collects detailed visitor data, including browser and device fingerprints, IP addresses, and plugin info. The data is sent to a disguised analytics endpoint, aiding in stealthy surveillance and future targeted cyberattacks.
Researchers bypass SentinelOne’s EDR protection.
Researchers at Aon’s Stroz Friedberg discovered a technique called “Bring Your Own Installer” that can bypass SentinelOne’s EDR protection. By exploiting the upgrade/downgrade process of the SentinelOne agent, attackers can briefly disable its defenses, leaving endpoints exposed. One threat actor used this method to gain admin access and deploy Babuk ransomware. SentinelOne responded with mitigations, including enabling Local Upgrade Authorization by default. While no current EDRs are confirmed vulnerable when properly configured, other vendors were privately notified of the risk.
Education tech firm PowerSchool faces renewed extortion.
Despite paying a ransom after a December 2024 breach, education tech firm PowerSchool now faces renewed extortion as the hacker targets individual school districts with stolen data. The breach affected over 60 million students and 9 million teachers. PowerSchool had believed the incident was contained after the hacker shared a deletion video. However, recent threats prove otherwise. At least four school boards have been contacted, and the reused data matches that from the initial attack. PowerSchool has alerted law enforcement and is assisting affected districts.
CrowdStrike leans into AI amidst layoffs.
CrowdStrike is laying off about 500 employees—5% of its workforce—in a move aimed at boosting efficiency. CEO George Kurtz framed the decision around the growing role of AI, which he says will streamline operations and fuel growth toward $10 billion in annual revenue. While the company highlights AI as a “force multiplier,” its own regulatory filings caution about AI’s risks, including potential errors and legal liabilities. Despite increasing revenue, CrowdStrike posted a $92.3 million loss in its latest quarter. The layoffs are a harsh blow to affected employees, and the company acknowledged the pain caused. Layoff-related costs are expected to total up to $53 million. CrowdStrike joins other tech firms turning to automation while cutting staff amid economic uncertainty.
Coming up next, I speak with Cyberbit’s CEO, and OG friend of the podcast, Caleb Barlow, about the mixed messages of the cyber skills gaps. We’ll be right back.
Welcome back.
Honoring the legacy of Joseph Nye.
And finally, we pause to remember Joseph Nye, who passed away on May 6 at the age of 88, leaving behind a profound legacy in international relations and cybersecurity. Renowned for coining the term “soft power,” Nye’s insights into the dynamics of global influence reshaped diplomatic strategies worldwide.
Beyond his theoretical contributions, Nye was instrumental in integrating cybersecurity into the realm of international policy. As a founding member of the Global Commission on the Stability of Cyberspace, he championed the development of norms to govern state behavior in cyberspace, emphasizing the importance of protecting civilian infrastructure from cyber threats.
Nye’s tenure as Dean of Harvard’s Kennedy School from 1995 to 2004 was marked by his commitment to preparing future leaders for the complexities of the digital age. He fostered interdisciplinary approaches, blending political science with emerging technological considerations, ensuring that the next generation of policymakers was equipped to navigate the challenges of cybersecurity and digital diplomacy.
His dedication to public service, including roles as Assistant Secretary of Defense for International Security Affairs and Chair of the National Intelligence Council, underscored his belief in bridging academic theory with practical policy solutions.
Joseph Nye’s vision and leadership have indelibly shaped our understanding of power, diplomacy, and the critical importance of cybersecurity in maintaining global stability. His contributions continue to inspire and guide scholars and practitioners in the ever-evolving landscape of international relations.
To all who knew and loved him, may his memory be a blessing.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.