Cybersecurity News Roundup: May 24-30, 2025
Key Highlights
- Several major cyberattacks were reported over the past week, including an attack on ConnectWise suspected to involve a state actor.
- Over 100,000 WordPress sites are at risk from a critical, still-unpatched plugin vulnerability.
- Chinese hackers (Earth Lamia) are exploiting vulnerabilities in SAP NetWeaver and Microsoft SQL Server.
- Phishing attacks that lure employees searching for payroll portals via Google are growing more sophisticated.
- Cybercriminals are targeting AI users with counterfeit AI applications that deliver ransomware and other malware.
- The U.S. imposed sanctions on a Philippines-based digital infrastructure provider for supporting cryptocurrency fraud.
Cybersecurity News Overview
Over the past week, from May 24 to May 30, 2025, the cybersecurity world faced several significant events, including cyberattacks, discovered vulnerabilities, and new phishing tactics. Here’s a detailed overview of key incidents, written in simple language for a broad audience.
Cyberattacks and Breaches
One of the notable events was ConnectWise’s report of a cyberattack on May 28, 2025, with suspicions of state actor involvement. The attack targeted the ScreenConnect product, and while the number of affected clients is small, it highlights the threat posed by advanced hackers. All affected clients were notified, and the investigation was conducted with Google Mandiant’s assistance.
Other examples include an Adidas data breach due to a compromised service provider and an incident with Victoria’s Secret, where their website was temporarily disabled due to a security issue. These events demonstrate how hackers can exploit third parties to access data.
Discovered Vulnerabilities
A critical vulnerability (CVE-2025-47577, CVSS 10.0) was found in the TI WooCommerce Wishlist plugin for WordPress, installed on over 100,000 sites. This vulnerability allows unauthenticated attackers to upload files, potentially leading to remote code execution (RCE). No patch is currently available, and users are advised to disable the plugin.
Additionally, a flaw in Microsoft OneDrive was identified, where a file selection error grants web applications full access to cloud storage, even when uploading a single file. This underscores the importance of reviewing app permissions.
Malware Attacks
Chinese hackers, known as Earth Lamia, are actively exploiting vulnerabilities in SAP NetWeaver (CVE-2025-31324) and other systems like SQL Server. These attacks target organizations in Brazil, India, and Southeast Asia, including the financial sector and universities. The hackers use sophisticated techniques like SQL injections and tools such as Cobalt Strike, making these attacks particularly dangerous.
Moreover, 251 IP addresses hosted on Amazon were used to scan for vulnerabilities in ColdFusion, Struts, and Elasticsearch, indicating large-scale exploitation attempts.
Phishing and Social Engineering
Phishing attacks are becoming more sophisticated. For instance, in May 2025, ReliaQuest identified a campaign where employees searching for payroll portals via Google were redirected to fake login pages mimicking Microsoft. Hosted on WordPress, these pages used compromised routers and mobile devices to steal credentials. This is not an isolated case, emphasizing the need for employee training.
Additionally, warnings were issued about fake Docusign emails leading to phishing sites, and about counterfeit AI applications spreading ransomware such as CyberLock, which demands $50,000 in Monero.
Regulatory Actions and Industry News
On May 29, 2025, the U.S. imposed sanctions on Funnull Technology Inc. and Liu Lizhi for providing infrastructure for cryptocurrency fraud known as "pig butchering." This is part of global efforts to combat cybercrime, particularly in the virtual currency space.
Furthermore, Cerby raised $40 million to enhance identity security, and EY reported that cybersecurity adds $36 million in value per project, highlighting the growing importance of this field.
Detailed Report: Cybersecurity News Analysis for May 24-30, 2025
This section provides a comprehensive overview of cybersecurity news for the specified period, based on analysis from sources like The Hacker News, DieSec, Dev.to, Medium, and Infosecurity Magazine. The report includes all details that led to the conclusions in the previous section, aimed at professionals and readers seeking deeper insights.
Analysis Methodology
The analysis was conducted by searching for news from May 24 to May 30, 2025, using keywords such as "cybersecurity," "breaches," "vulnerabilities," and other relevant terms. Sources were selected based on their reputation in the cybersecurity field, and the information was structured into categories for clarity.
Cyberattacks and Breaches
One of the most significant events was ConnectWise’s disclosure of a cyberattack on May 28, 2025. Details include:
- Product: ScreenConnect.
- Suspected Actor: State actor, investigated by Google Mandiant.
- Affected Clients: Very small number, exact figure undisclosed.
- Notification: All clients notified.
- Related Vulnerability: CVE-2025-3935 (CVSS 8.1), patched in version 25.2.4, affects versions 25.2.3 and earlier.
- Historical Context: In early 2024, vulnerabilities CVE-2024-1708 and CVE-2024-1709 were exploited by actors from China, North Korea, and Russia.
- Current Status: Enhanced monitoring implemented, no suspicious activity observed.
- Additional: Microsoft reported active exploitation of similar techniques in February 2025 (The Hacker News).
Other incidents include:
- Adidas: Data breach due to a compromised service provider, affecting contact details but not payment data (DieSec).
- Victoria’s Secret: Website disabled due to a security issue, limiting in-store services, third-party experts involved (DieSec).
- Ivanti: Vulnerability exploited, affecting NHS data in the UK (Medium).
- Amalgamated Sugar: Leak of personal data, including Social Security numbers (Medium).
Discovered Vulnerabilities
A critical vulnerability in the TI WooCommerce Wishlist plugin for WordPress was identified on May 29, 2025:
- CVE: CVE-2025-47577, CVSS 10.0.
- Installations: Over 100,000 active.
- Type: Arbitrary file upload, potential RCE.
- Condition: Requires installed and activated WC Fields Factory plugin with integration enabled.
- Patch: None available, users advised to deactivate the plugin (The Hacker News).
- Recommendations: Developers should avoid setting 'test_type' => false when using wp_handle_upload().
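The recommendation above is easiest to see in code. The following is an added illustration, not the plugin's own code: a handler that passes 'test_type' => false to wp_handle_upload() next to a hardened version that keeps WordPress's type validation on, restricts uploads to an explicit allowlist, and refuses unauthenticated callers. It assumes a WordPress runtime (wp_handle_upload, wp_check_filetype_and_ext, current_user_can, wp_verify_nonce are core functions) and an assumed form field name, wishlist_file.

```php
<?php
// Added example, not code from the TI WooCommerce Wishlist plugin.
// Assumes WordPress core is loaded; $_FILES['wishlist_file'] is an assumed field name.

// Weak pattern: 'test_type' => false disables the extension/MIME check, so any file
// type the caller chooses is written into the web-served uploads directory. Combined
// with a handler reachable without authentication, this is the arbitrary upload → RCE
// class the advisory describes.
function weak_wishlist_upload() {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // the setting developers are advised to avoid
    );
    return wp_handle_upload( $_FILES['wishlist_file'], $overrides );
}

// Hardened pattern: require a logged-in user with the upload_files capability and a
// valid nonce, keep the type test enabled, and allow only an explicit image allowlist.
function hardened_wishlist_upload() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Authentication required.' );
    }
    // 'wishlist_upload' is an assumed nonce action name for this example.
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request token.' );
    }
    if ( empty( $_FILES['wishlist_file'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    $file    = $_FILES['wishlist_file'];
    $allowed = array( // assumed allowlist: only image types this feature needs
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // Pre-check extension and real content type against the allowlist; an empty
    // 'type' means WordPress could not match the file to a permitted MIME type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    $overrides = array(
        'test_form' => false,
        'test_type' => true,     // keep the built-in extension/MIME validation
        'mimes'     => $allowed, // restrict wp_handle_upload() to the same allowlist
    );
    return wp_handle_upload( $file, $overrides );
}
```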
Other vulnerabilities:
- Microsoft OneDrive: File selection flaw grants web apps full cloud access (The Hacker News, Dev.to, Medium).
- Craft CMS: Exploitation of CVE-2025-32432 to deploy cryptominer and proxyware (The Hacker News).
- GitLab AI: Researchers tricked AI assistant into turning secure code into malicious code, highlighting AI risks in development (Dev.to).
Malware Attacks
Chinese hackers Earth Lamia are actively exploiting vulnerabilities:
- Main Vulnerability: CVE-2025-31324 in SAP NetWeaver, critical, allows unauthenticated file uploads.
- Others: Eight vulnerabilities targeting publicly accessible servers.
- Regions: Brazil, India, Southeast Asia (since 2023).
- Sectors: Finance, logistics, online retail, IT, universities, government.
- Techniques: SQL injections, Microsoft SQL Server exploitation, use of Cobalt Strike, Supershell, Rakshasa, Stowaway, GodPotato, JuicyPotato, Fscan, Kscan, wevtutil.exe, DLL side-loading for PULSEPACK (upgraded to WebSocket C2 in March 2025).
- Additional: Attempts to deploy Mimic ransomware, unsuccessful in Indian organizations in August 2024 (The Hacker News).
Other cases:
- 251 Amazon-hosted IP addresses used to scan for vulnerabilities in ColdFusion, Struts, Elasticsearch (The Hacker News).
- Campaign with 60 npm packages stealing data, collecting network IDs, IPs, DNS, usernames, project paths (Dev.to).
- Cloned antivirus website distributing Venom RAT, StormKitty stealer, SilentTrinity (Dev.to).
- EDDIESTEALER using fake CAPTCHA to steal data (Medium).
Phishing and Social Engineering
Payroll portal phishing campaign:
- Discovered: By ReliaQuest in May 2025, targeting the manufacturing sector.
- Technique: SEO poisoning, fake login pages mimicking Microsoft, hosted on WordPress.
- Infrastructure: Compromised routers (ASUS, Pakedge), mobile networks, part of proxy botnets.
- Devices: Employee mobile devices, low corporate security visibility.
- Exfiltration: Via Pusher push notifications API.
- Previous Cases: Two similar incidents in late 2024 (DieSec, Dev.to).
Other cases:
- Fake Docusign emails leading to phishing sites, recommendations to update awareness programs (Dev.to).
- Counterfeit AI applications spreading ransomware like CyberLock ($50,000 in Monero), Lucky_Gh0$t, Numero (DieSec, Medium).
Regulatory Actions and Industry News
U.S. sanctions:
- Entity: Funnull Technology Inc.; individual: Liu Lizhi (age 40, of Shanghai and Ganzhou, China).
- Reason: Providing infrastructure for "pig butchering" cryptocurrency scams.
- Date: May 29, 2025, announced by the U.S. Treasury Department.
- Context: Billion-dollar industry linked to human trafficking, revenue growth likely due to AI (DieSec, Medium).
Industry news:
- Cerby raised $40 million for identity security (Medium).
- EY: Cybersecurity adds $36 million in value per project (Medium).
Table: Key Events by Category
| Category | Event | Date | Source |
|---|---|---|---|
| Cyberattacks | Attack on ConnectWise, possibly by a state actor | 28.05.2025 | The Hacker News |
| Vulnerabilities | Critical vulnerability in WordPress plugin (CVE-2025-47577) | 29.05.2025 | The Hacker News |
| Malware | Exploitation of SAP and SQL Server by Chinese hackers | 30.05.2025 | The Hacker News |
| Phishing | Attack on payroll portals via SEO poisoning | May 2025 | DieSec |
| AI-Targeted Attacks | Malware distribution via fake AI applications | May 2025 | DieSec |
| Regulatory Actions | Sanctions against Funnull for cryptocurrency fraud | 29.05.2025 | DieSec |
Conclusion
This report covers a wide range of events, emphasizing the need for continuous monitoring, software updates, and employee training. All data is based on analysis of news for the specified period, sourced from leading cybersecurity platforms.
Key Citations
- China-Linked Hackers Exploit SAP and SQL Server Flaws
- Over 100,000 WordPress Sites at Risk from Critical Vulnerability
- Microsoft Identifies 3,000 Publicly Exposed RDP Endpoints
- Top 5 Cybersecurity News Stories May 30, 2025
- Security news weekly round-up - 30th May 2025
- Cyber Briefing: 2025.05.30
- US Sanctions Philippines Digital Infrastructure Provider