
Bear in the network.
A joint advisory warns of Fancy Bear targeting Western logistics and technology firms. A nonprofit hospital network in Ohio suffers a disruptive ransomware attack. The Consumer Financial Protection Bureau (CFPB) drops plans to subject data brokers to tighter regulations. KrebsOnSecurity and Google block a record-breaking DDoS attack. A phishing campaign rerouted employee paychecks. Atlassian patches multiple high-severity vulnerabilities. A Wisconsin telecom provider confirms a cyberattack caused a week-long outage. VMware issues a Security Advisory addressing multiple high-risk vulnerabilities. Prosecutors say a 19-year-old student from Massachusetts will plead guilty to hacking PowerSchool. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing the deliberate simplicity of fundamental controls around zero trust. Oversharing your call location data.
Today is Wednesday, May 21st, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A joint advisory warns of Fancy Bear targeting Western logistics and technology firms.
A joint cybersecurity advisory from U.S. and allied agencies warns of ongoing cyber espionage by Russia’s GRU Unit 26165 (also known as APT28 or Fancy Bear) targeting Western logistics and technology firms, especially those supporting Ukraine. Active since 2022, the campaign employs tactics like password spraying, spearphishing, and exploiting vulnerabilities in Microsoft Exchange and WinRAR. Targets include transportation hubs, defense contractors, IT services, and air traffic systems across NATO countries. The GRU has also compromised IP cameras near Ukrainian borders to monitor aid deliveries. Organizations are urged to enhance monitoring, threat hunting, and network defenses against these persistent threats.
A nonprofit hospital network in Ohio suffers a disruptive ransomware attack.
Kettering Health, a nonprofit hospital network in Ohio, suffered a ransomware attack attributed to the Interlock group. The incident caused a system-wide technology outage, disrupting access to electronic health records and patient care systems across its 14 hospitals and over 120 outpatient facilities. All elective procedures were canceled, and the call center was rendered inaccessible. Emergency services remained operational, but ambulances were diverted to other facilities, prompting neighboring Premier Health to declare a “code yellow” due to increased patient volumes. The attackers threatened to leak stolen data unless a ransom is paid. Kettering Health is collaborating with cybersecurity experts to investigate and restore systems. Additionally, reports emerged of scammers impersonating Kettering staff to solicit payments; the organization has suspended all payment-related calls and advises patients to report suspicious contacts to law enforcement.
The Consumer Financial Protection Bureau (CFPB) drops plans to subject data brokers to tighter regulations.
The Consumer Financial Protection Bureau (CFPB) has dropped plans to classify certain data brokers as credit bureaus, a move that would have subjected them to tighter regulations. Proposed in December 2023, the rules aimed to curb the sale of Americans’ sensitive data by requiring accuracy, transparency, and limiting data sales to legitimate uses like credit or employment checks. But the CFPB has now deemed further rulemaking “not necessary or appropriate.” Critics warn this leaves Americans vulnerable, as brokers often collect data from apps or telcos, sometimes exposing users at protests or clinics. Several data breaches have highlighted the risks, with billions of records stolen from poorly secured brokers. While the U.S. backs off regulation, the UK is still evaluating stricter oversight. CFPB’s future remains uncertain amid political pressure.
KrebsOnSecurity and Google block a record-breaking DDoS attack.
KrebsOnSecurity was targeted on May 12 by a record-breaking DDoS attack peaking at 6.3 Tbps—ten times larger than the infamous 2016 Mirai botnet assault. The attack, mitigated by Google’s Project Shield, lasted less than a minute but marked the biggest attack Google has ever handled. Security experts link the attack to the Aisuru botnet, a network of hijacked IoT devices like routers and DVRs. Aisuru’s operators exploit weak passwords and software flaws, selling attack services on Telegram under the handle @yfork (aka “Forky”) for up to $600 per week. This botnet has been rented out since at least August 2024. Law enforcement has seized some of its related domains, but the threat remains active, with major web services still struggling to counter such powerful assaults.
A phishing campaign rerouted employee paychecks.
A phishing campaign rerouted employee paychecks by tricking users into entering credentials on fake mobile-specific payroll sites, according to ReliaQuest. Attackers used Google ads and SEO poisoning to lure victims searching for HR portals on mobile devices. Clicking these ads led to fake Microsoft login pages designed to harvest credentials. Once compromised, attackers accessed SAP SuccessFactors accounts and changed direct deposit details, diverting paychecks to their own accounts. The attack used a proxy network of hijacked home routers to mask the attackers’ locations and evade detection. Real-time monitoring tools helped attackers act before credentials could be reset. ReliaQuest recommends using multifactor authentication, alerts for deposit changes, employee education, and proactive threat intelligence to combat these mobile-targeted phishing campaigns that bypass corporate network defenses.
Atlassian patches multiple high-severity vulnerabilities.
Atlassian’s May 2025 Security Bulletin reveals eight high-severity vulnerabilities impacting several Data Center and Server products. These flaws—found through bug bounties, testing, and library scans—could lead to denial-of-service (DoS) attacks and privilege escalation if left unpatched. Notably, Bamboo and Confluence Data Center are exposed to CVE-2025-31650, a tomcat-coyote bug causing memory leaks and crashes from malformed HTTP/2 headers. Confluence also faces CVE-2024-47072, a stack overflow risk via the XStream library. Fisheye/Crucible 4.9.0 is vulnerable to a DoS flaw in json-smart (CVE-2024-57699), while Jira Software and Service Management are at risk from Netty’s SslHandler bug (CVE-2025-24970). Additionally, a privilege escalation issue (CVE-2025-22157) threatens Jira products, enabling attackers to gain unauthorized access. Users are urged to patch immediately to secure enterprise environments.
A Wisconsin telecom provider confirms a cyberattack caused a week-long outage.
Wisconsin telecom provider Cellcom confirmed a cyberattack caused a week-long outage affecting voice and text services in Wisconsin and Upper Michigan. While some services have been restored, full recovery is expected by week’s end. CEO Brighid Riordan assured customers the company had protocols in place and is working with cybersecurity experts and authorities to resolve the incident. Cellcom stated no sensitive customer data appears compromised, as the breach impacted a network segment without personal information. Though the company has not disclosed the attack type, the scope suggests ransomware may be involved—though no group has claimed responsibility. Cellcom emphasized its cautious, deliberate approach to recovery and pledged to provide updates on restoration efforts and the ongoing investigation.
VMware issues a Security Advisory addressing multiple high-risk vulnerabilities.
VMware has issued Security Advisory VMSA-2025-0010, urging immediate action on multiple high-risk vulnerabilities across its virtualization products. Top priority is a critical vCenter Server flaw (CVE-2025-41225, CVSS 8.8) that allows authenticated attackers to execute arbitrary commands and take control of the host. Admin interfaces should be restricted to trusted networks. Other notable flaws affect VMware Cloud Foundation, including a directory traversal issue (CVE-2025-41229) and information disclosure risks (CVE-2025-41230), both exploitable via simple network access to port 443. Additional vulnerabilities impact ESXi, Workstation, and Fusion, including denial-of-service bugs and a cross-site scripting flaw. VMware has released patches for all affected systems and recommends organizations review and apply updates promptly to minimize risk of exploitation.
Prosecutors say a 19-year-old student from Massachusetts will plead guilty to hacking PowerSchool.
Matthew Lane, a 19-year-old student from Massachusetts, will plead guilty to hacking PowerSchool, a major education software firm serving over 60 million students. Lane used stolen credentials from a contractor to access PowerSchool systems, stealing sensitive data on students and teachers. He then issued a ransom demand in December, threatening to leak the data unless paid nearly $2.9 million in Bitcoin. PowerSchool confirmed it paid, though the amount remains undisclosed. Lane, linked to the ShinyHunters hacking group, is also accused of trying to extort a telecom company. He will plead guilty to charges including unauthorized access to protected computers and aggravated identity theft. Federal prosecutors called it a significant win in what may be the largest breach of U.S. schoolchildren’s data to date.
Oversharing your call location data.
And finally, security researcher and O2 customer Daniel Williams uncovered a glaring privacy leak in O2 UK’s 4G Calling system. For context, O2 is one of the UK’s largest mobile carriers—part of the Virgin Media O2 group—serving millions of customers across the country. And apparently, it’s been serving up more than just phone service.
While poking around VoLTE (Voice over LTE) call data using a rooted Pixel 8 and some digital elbow grease, Williams found that O2’s IMS (IP Multimedia Subsystem) implementation was a little too chatty. Calls were accompanied by SIP messages containing not just debug logs but also both parties’ IMSIs, IMEIs, and cell tower IDs. In short: every call was a potential geolocation treasure map.
Williams concluded that O2’s IMS implementation poses a significant privacy risk, as it exposes sensitive metadata during every 4G or WiFi call. This data can be exploited to geolocate call recipients with surprising accuracy, even when they’re abroad or not currently connected to the network. The researcher emphasized that this vulnerability affects all O2 customers using IMS-based calling and cannot be mitigated by users themselves, as disabling 4G Calling does not stop the data from being shared. He called on O2 to remove these unnecessary SIP headers and debug messages from call signaling, and criticized the company for lacking a clear path to responsibly disclose such findings.
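As an added illustration (not part of the briefing or of Williams' research), the Python below audits a constructed SIP INVITE for the kind of subscriber and cell identifiers described above and returns a redacted copy an operator could safely log. The numbers and the vendor-style "X-Debug-Subscriber" header are assumptions; P-Access-Network-Info and its utran-cell-id-3gpp parameter are standard SIP (RFC 7315).

```python
import re

# Constructed SIP INVITE resembling the signaling the report describes. The
# identifiers and the vendor-style "X-Debug-Subscriber" header are assumptions;
# P-Access-Network-Info and utran-cell-id-3gpp are standard (RFC 7315).
SAMPLE_INVITE = (
    "INVITE sip:+441234567890@ims.example.net SIP/2.0\r\n"
    "From: <sip:+447700900000@ims.example.net>;tag=abc\r\n"
    "To: <sip:+441234567890@ims.example.net>\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341000010A2B3C4\r\n"
    "X-Debug-Subscriber: imsi=234100123456789;imei=353456789012348\r\n"
    "Content-Length: 0\r\n\r\n"
)
ID15 = re.compile(r"\b\d{15}\b")                           # IMSI and IMEI are 15 digits
CELL = re.compile(r"(utran-cell-id-3gpp=)([0-9A-Fa-f]+)")  # MCC+MNC+TAC+ECI

def luhn_valid(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; IMSIs do not, which separates the two."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_sip_message(raw: str) -> dict:
    """Return (header, kind, value) findings for subscriber and cell identifiers
    in SIP headers, plus a redacted copy of the message that is safe to log."""
    headers, _, body = raw.partition("\r\n\r\n")
    findings, out = [], []
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep:                                  # request line: nothing to scan
            out.append(line)
            continue
        name = name.strip()
        cell = CELL.search(value)
        if cell:
            findings.append((name, "cell-id", cell.group(2)))
            value = CELL.sub(r"\1[REDACTED]", value)
        for ident in ID15.findall(value):
            label = value[:value.find(ident)].lower()[-6:]  # e.g. "imei=" or "imsi="
            if "imei" in label or "imsi" in label:
                kind = "imei" if "imei" in label else "imsi"
            else:                                    # unlabelled: fall back to Luhn
                kind = "imei" if luhn_valid(ident) else "imsi"
            findings.append((name, kind, ident))
            value = value.replace(ident, f"[REDACTED-{kind.upper()}]")
        out.append(f"{name}:{value}")
    return {"findings": findings, "redacted": "\r\n".join(out) + "\r\n\r\n" + body}
```

Run over captured signaling from your own IMS core, a non-empty findings list is the signal that call setup is carrying more about the subscriber than the far end needs.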
O2 have since resolved the issue.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.