The Cybersecurity Club Newsletter

🚨Week 20 Debrief: Coinbase says hackers bribed staff demanding $20 million ransom, M&S to make £100m cyber claim, European Vulnerability Database goes live, Microsoft May 2025 Patch Tuesday & more.

Insights into Cyber Risks, Threat Intel, Government and Regulations, Startup and VC updates

The cyber attack on M&S began over the Easter weekend, when customers first reported issues with Click & Collect services and contactless payments in stores. While in-store services have since resumed, the online ordering services on M&S's website and app have been suspended since April 25th. There is currently no information on when online orders will resume.

M&S has confirmed that some personal customer data was stolen in this attack. The stolen data did not include usable payment or card details, or any account passwords.

The personal contact information confirmed to have been stolen could include:

  • Name

  • Date of birth

  • Telephone number

  • Home address

  • Household information

  • Email address

  • Online order history

M&S stated that any card information taken would not be usable because they do not hold full card payment details on their systems.

The hackers behind this attack, who also recently targeted other retailers including Co-op and Harrods, are understood to have used the DragonForce cybercrime service. DragonForce runs a ransomware-as-a-service affiliate programme on the darknet and is known for "double extortion": the attackers first exfiltrate a copy of the victim's data, then encrypt the original data so it is unusable, and demand a ransom both to decrypt the data and to delete the stolen copy. If the victim does not pay, the criminals can leak or sell the stolen data to other cybercriminals, who may attempt further attacks.

As of the time of the article, DragonForce's darknet website did not have any entries about M&S. While M&S stated there is no evidence the information has been shared yet, it is understood that hackers could still share or sell the data as part of their extortion attempts, which poses a risk of identity fraud.

M&S has emailed all website users to inform them and has reported the case to the relevant authorities. The company is working with cyber security experts to monitor developments. Customers will be prompted to reset their account passwords for extra peace of mind. M&S advises customers to be cautious of potential scam attempts via email, calls, or texts that claim to be from M&S, and reminds customers that M&S will never ask for personal account information like usernames or passwords. Cyber security experts noted that stolen personal information like this can be used to create "very convincing scams".

💻 Malware and Vulnerabilities

Microsoft's May 2025 Patch Tuesday Addresses Critical Flaws: Microsoft's May 2025 Patch Tuesday released updates for 72 security flaws. The fixes include addressing five actively exploited zero-day vulnerabilities and two publicly disclosed zero-days. Six "Critical" vulnerabilities were also patched.

  • CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability: A use-after-free flaw in the Windows Desktop Window Manager (DWM) Core Library that allows an authorized local attacker to gain SYSTEM privileges. Discovery is credited to the Microsoft Threat Intelligence Center.

  • CVE-2025-32701 - Windows Common Log File System Driver Elevation of Privilege Vulnerability: Another use-after-free elevation-of-privilege flaw, this one in the Windows Common Log File System (CLFS) driver; an authorized local attacker can gain SYSTEM privileges. Discovery is credited to the Microsoft Threat Intelligence Center.

  • CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability: A second elevation-of-privilege flaw in the CLFS driver, this one caused by improper input validation, allowing an authorized local attacker to elevate privileges. Discovery is credited to Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team.

  • CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability: A use-after-free flaw in the Windows Ancillary Function Driver for WinSock (afd.sys) that allows an authorized local attacker to elevate to SYSTEM privileges. Reported by an anonymous researcher.

  • CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability: A remote code execution flaw in the Microsoft Scripting Engine. An unauthenticated attacker could exploit it by convincing an authenticated user to click a specially crafted link in Microsoft Edge (Internet Explorer Mode) or Internet Explorer. Discovery is credited to the Microsoft Threat Intelligence Center.

Microsoft has not shared specific details on how these particular actively exploited flaws were used in attacks.

Hack Impacts Unofficial Signal Archiving Tool for US Officials: TeleMessage, which sells modified versions of Signal, Telegram, WhatsApp and WeChat that archive messages, and whose Signal clone is used by some US officials, suspended its services after a hack. The intruder reportedly accessed officials' contact details, some message content and login credentials; screenshots shared by the hacker linked the stolen data to organisations including Customs and Border Protection and Coinbase. The hacker told 404 Media that getting in was relatively easy and took only about 15-20 minutes.

Printer Company Distributed Malware via Software Downloads: Printer manufacturer Procolored served software downloads infected with the XRedRAT backdoor and SnipVex, a clipboard-hijacking cryptocurrency stealer and file infector, for about six months. SnipVex is linked to roughly $100,000 in stolen Bitcoin. The company has removed the affected downloads and is cleaning its files; anyone who downloaded its software during that period may be affected and should scan their systems.

📈 Breaches and Incidents

Pearson Suffers Cyberattack Exposing Customer Data: Education giant Pearson confirmed a cyberattack in which corporate and customer data was stolen. The breach reportedly began in January 2025 with an exposed GitLab access token, which gave the attackers access to source code containing hard-coded credentials for further systems. Terabytes of data, including customer information, financials and source code, were allegedly stolen, potentially affecting millions of people.
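The Pearson intrusion, as described above, started with a GitLab token that should never have been reachable and continued through credentials that should never have been in source. The following is an added example, not Pearson's tooling, of the two checks a practitioner would run: a regex-based secret scan over repository files and a probe for a web-served `.git/` directory. The sample files, the token value and the `fetch` callback are constructed for this demo; the `glpat-` prefix is GitLab's real personal access token prefix, the other patterns are generic.

```python
import re

# Added example (not Pearson's code). Sample files and the token below are
# constructed for this demo; the token is not a real credential.

PATTERNS = {
    # GitLab personal access tokens carry the "glpat-" prefix.
    "gitlab_pat": re.compile(r"glpat-[A-Za-z0-9_-]{20,}"),
    # user:secret@host embedded in a URL, e.g. a remote in .git/config
    "url_credentials": re.compile(r"https?://[^/:@\s]+:(?P<secret>[^@\s]+)@"),
    # password = "..." style assignments in source or config files
    "assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?(?P<secret>[^'\"\s]{8,})"
    ),
}

SAMPLE_FILES = {  # constructed for the demo
    ".git/config": (
        "[core]\n"
        "    repositoryformatversion = 0\n"
        '[remote "origin"]\n'
        "    url = https://oauth2:glpat-AbCdEfGhIjKlMnOpQrSt@gitlab.example.com/corp/platform.git\n"
        "    fetch = +refs/heads/*:refs/remotes/origin/*\n"
    ),
    "settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "Sup3rSecretPassw0rd!"\n'
        "DEBUG = False\n"
    ),
}


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def find_secrets(text: str, path: str = "<string>") -> list:
    """Return one finding per pattern hit: path, line number, kind, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group("secret") if "secret" in m.groupdict() else m.group(0)
                findings.append({"path": path, "line": line_no,
                                 "kind": kind, "redacted": redact(secret)})
    return findings


def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in find_secrets(text, path)]


# Paths that must not be served by a web server; the expected content lets the
# check distinguish a real hit from a soft-404 page that returns 200.
GIT_EXPOSURE_PATHS = {"/.git/HEAD": "ref:", "/.git/config": "[core]"}


def exposed_git_paths(base_url: str, fetch) -> list:
    """fetch(url) -> (status, body) is injected so the check can run offline.
    Returns the .git paths that the server actually serves."""
    exposed = []
    for path, signature in GIT_EXPOSURE_PATHS.items():
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200 and signature in body:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']}")
```

In a real pipeline `fetch` would wrap an HTTP client and `scan_files` would walk the checkout, including `.git/config`, which most secret scanners skip because it is not a tracked file.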

Coinbase Staff Bribed in Data Breach: Coinbase disclosed that hackers bribed overseas customer support agents to pull customer data from its systems. The affected information included names, contact details and masked bank account details. The attackers demanded a $20 million ransom; Coinbase has refused to pay, is cooperating with law enforcement, and has instead offered a $20 million reward for information leading to the attackers' arrest and conviction.
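An insider who is paid to pull records looks like an ordinary support agent to access control, so the detection has to come from access patterns. As an added example, not Coinbase's detection logic, here is a small rule set run over a constructed customer-record access log: it flags agents who view an unusual number of distinct customers, view records with no ticket attached, or work at a velocity no human handling tickets would reach. The log format and every threshold are assumptions for this demo and would need to be tuned to real support tooling.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Added example (not Coinbase's code). Log lines are constructed: one row per
# customer-record view by a support agent.
SAMPLE_LOG = """\
timestamp,agent,customer_id,ticket_id,fields
2025-05-10T09:01:00Z,agent_a,cust_1001,T-501,name;email
2025-05-10T09:05:00Z,agent_a,cust_1002,T-502,name;email
2025-05-10T09:20:00Z,agent_a,cust_1003,T-503,name;address
2025-05-10T09:01:10Z,agent_b,cust_2001,,name;address;masked_bank
2025-05-10T09:01:25Z,agent_b,cust_2002,,name;address;masked_bank
2025-05-10T09:01:40Z,agent_b,cust_2003,,name;address;masked_bank
2025-05-10T09:01:55Z,agent_b,cust_2004,,name;address;masked_bank
2025-05-10T09:02:10Z,agent_b,cust_2005,,name;address;masked_bank
2025-05-10T09:02:25Z,agent_b,cust_2006,,name;address;masked_bank
2025-05-10T09:02:40Z,agent_b,cust_2007,T-611,name
"""

# Assumed thresholds (illustrative only; derive real ones from a baseline).
MAX_DISTINCT_CUSTOMERS = 5   # per window
MAX_TICKETLESS_RATIO = 0.5   # share of views with no ticket
MAX_VIEWS_PER_MINUTE = 3.0   # sustained lookup velocity
SENSITIVE_FIELDS = {"address", "masked_bank"}


def _parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def summarise(log_text: str) -> dict:
    """Aggregate per-agent counters from the access log."""
    stats = defaultdict(lambda: {"customers": set(), "views": 0, "ticketless": 0,
                                 "sensitive": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        s = stats[row["agent"]]
        ts = _parse_ts(row["timestamp"])
        s["customers"].add(row["customer_id"])
        s["views"] += 1
        s["ticketless"] += 0 if row["ticket_id"] else 1
        if SENSITIVE_FIELDS & set(row["fields"].split(";")):
            s["sensitive"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def flag_agents(log_text: str) -> dict:
    """Return {agent: [reasons]} for agents whose access pattern trips a rule."""
    flagged = {}
    for agent, s in summarise(log_text).items():
        reasons = []
        if len(s["customers"]) > MAX_DISTINCT_CUSTOMERS:
            reasons.append(f"{len(s['customers'])} distinct customers viewed")
        ratio = s["ticketless"] / s["views"]
        if ratio > MAX_TICKETLESS_RATIO:
            reasons.append(f"{ratio:.0%} of views had no ticket")
        # Floor the span at one minute so a single lookup is not a burst.
        span_min = max((s["last"] - s["first"]).total_seconds(), 60) / 60
        if s["views"] / span_min > MAX_VIEWS_PER_MINUTE:
            reasons.append(f"{s['views'] / span_min:.1f} views/min")
        if reasons and s["sensitive"]:
            reasons.append(f"{s['sensitive']} views included sensitive fields")
        if reasons:
            flagged[agent] = reasons
    return flagged


if __name__ == "__main__":
    for agent, reasons in flag_agents(SAMPLE_LOG).items():
        print(agent, "->", "; ".join(reasons))
```

The sensitive-field count is only reported when another rule has already fired, so routine views of address data by an agent working tickets do not generate alerts on their own.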

Blue Shield Exposes 4.7M Members' Data: Blue Shield of California disclosed a data exposure affecting 4.7 million people. A Google Analytics configuration allowed member data, including health plan details and on-site search terms, to be shared with Google Ads from 2021 until early 2024. Sensitive identifiers such as Social Security numbers were not exposed, but the insurer is notifying all potentially affected members.

Nucor Reports Cybersecurity Incident, Temporarily Halts Production: Nucor Corporation identified a cybersecurity incident involving unauthorized IT system access. Proactively, the company temporarily halted certain production operations but is now restarting them. Nucor is investigating with external experts and has notified federal law enforcement.

Nova Scotia Power Data Breach: Nova Scotia Power suffered a cyberattack; it discovered the intrusion on April 25, although the attacker had first accessed data on March 19. The breach may have exposed customer information including names, contact details, account history and possibly bank account numbers. The utility is notifying affected customers, investigating, and rebuilding affected systems. Physical power operations were not impacted.

🚨 Threat Intel & Info Sharing

Espionage Group Successfully Exploits Messaging App Zero-Day: Microsoft reports that Marbled Dust, a Türkiye-affiliated espionage actor, exploited a zero-day directory traversal flaw (CVE-2025-27920) in the Output Messenger server to collect and exfiltrate user data and gain access to the communications of targets Microsoft assesses to be linked to the Kurdish military in Iraq. A patch is now available.

DOJ Charges 12 More in $263M Crypto Theft RICO Case: The U.S. Department of Justice has charged 12 additional individuals in a RICO conspiracy for allegedly stealing over $263 million in cryptocurrency. The enterprise, active from late 2023 to early 2025, reportedly grew out of online gaming friendships. Members used hacking, social engineering and home break-ins to acquire funds, which they then laundered and spent on luxury items, including millions on exotic cars and nightclubs.

M&S Cyber Attack Prompts Massive £100M Insurance Claim: Retailer M&S plans to claim up to £100m from insurers Allianz and Beazley following the cyber attack covered above. The breach disrupted online ordering for weeks and exposed some customer data, including contact details and order history (no usable payment card details were taken). The incident has caused significant lost sales and dented investor confidence.

Ransomware Hidden Inside JPG Images: A newly reported attack hides a ransomware payload inside JPG image files, where signature-based scanners are unlikely to look. The image is only half of the attack: a JPG cannot execute on its own, so it is paired with a decoy document whose macro or script extracts the hidden payload and runs it, encrypting the victim's files. Because neither file looks malicious in isolation, the two-file method evades traditional scanning. Experts recommend behavioural analysis tools and user training, and blocking macros from internet-sourced documents remains the most direct defence.
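The simplest way to park a payload in a JPG is to append it after the End-Of-Image marker (0xFFD9), where viewers ignore it. As an added illustration, not code from the report or from any vendor, the following walks a JPEG's marker structure to find the real EOI and returns whatever follows it. Walking the structure matters: a quick `rfind(b"\xFF\xD9")` is fooled the moment the payload itself contains that byte pair, as the constructed sample shows. The JPEG bytes and the "payload" are constructed for this demo and are inert.

```python
# Added example, not code from the report: detect bytes appended after a
# JPEG's End-Of-Image marker. The JPEG and payload below are constructed.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST_MARKERS = set(range(0xD0, 0xD8))
STANDALONE = RST_MARKERS | {0x01}          # RSTn and TEM carry no length field


def find_eoi_offset(data: bytes) -> int:
    """Offset just past the real EOI marker. Segment lengths and the
    entropy-coded scan are parsed, so an 0xFFD9 inside an appended payload
    cannot be mistaken for the end of the image."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data: 0xFF00 is a stuffed 0xFF and 0xFFD0-D7 are
            # restart markers; any other byte after 0xFF ends the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST_MARKERS:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI found")


def trailing_payload(data: bytes) -> bytes:
    return data[find_eoi_offset(data):]


def naive_trailing_payload(data: bytes) -> bytes:
    """What an rfind-based check returns: fooled by 0xFFD9 inside the payload."""
    return data[data.rfind(b"\xFF\xD9") + 2:]


def is_well_formed(data: bytes) -> bool:
    try:
        find_eoi_offset(data)
        return True
    except ValueError:
        return False


def minimal_jpeg() -> bytes:
    """Constructed: SOI, a JFIF APP0 segment, an SOS header, a few scan bytes
    (with a stuffed 0xFF00 and an RST0 marker inside the scan), then EOI."""
    app0 = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56\xFF\xD0\x78\x9A"
    return b"\xFF\xD8" + app0 + sos + scan + b"\xFF\xD9"


CLEAN_JPEG = minimal_jpeg()
PAYLOAD = b"MZ\x90\x00" + b"\xFF\xD9" + b"inert-demo-payload"   # contains a fake EOI
SUSPECT_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    print("clean trailer:", trailing_payload(CLEAN_JPEG))
    print("suspect trailer:", trailing_payload(SUSPECT_JPEG))
    print("naive check sees only:", naive_trailing_payload(SUSPECT_JPEG))
```

Trailing bytes are only one hiding place; payloads are also stuffed into oversized COM or APPn segments, which the same marker walk can report by segment length, and a file that fails `is_well_formed` deserves a look in its own right.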

Ransomware Gang Claims Attack on South African Airways: Ransomware gang INC has claimed responsibility for the recent cyber attack on South African Airways (SAA). While the attack temporarily disrupted systems that were later restored, an investigation is ongoing to determine the scope and if any customer data was accessed. INC suggests more data leaks may occur if demands aren't met.

⚖️ Laws, Policies and Regulations

Europe Unveils EUVD Cyber Database: The EU's ENISA launched the European Vulnerability Database (EUVD) under NIS2. This public database centralizes actionable information on cybersecurity vulnerabilities affecting ICT products and services. Aggregating data from multiple sources, it highlights critical and exploited threats to boost EU digital security.

EU Calls Out 19 Nations for Missing Cybersecurity Deadline: The European Commission sent a reasoned opinion to 19 Member States for failing to fully transpose the NIS2 Directive by the October 17, 2024 deadline. This key law aims to ensure high cybersecurity across the EU in critical sectors. Nations have two months to respond or face potential court action.

⚖️ Cybersecurity Start Ups and VCs

📅 Upcoming Events

If you would like to sponsor any of our future in person or virtual events then please email us on [email protected] 

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email [email protected].

Thank you for being a part of our newsletter community and you can be part of the community by joining our LinkedIn Group.