Cybersecurity Threats and Trends - 05/20/2025

Today's cyber roundup features supply chain compromises, a telecom location leak, a public sector breach, and sophisticated hacks from a competition...


While you were busy debating whether to update your password from 'Password123!' to 'Password123!!' (spoiler: neither is good enough), the digital underworld has been working overtime. Let's dive into this week's cybersecurity dumpster fire, shall we?

1. RVTools Site Hack: When Your Admin Tools Become Admin Nightmares

Primary Threat: The official site for RVTools, a popular VMware environment reporting utility, has been hacked to serve a compromised installer. This isn't just any malware—it's the sophisticated Bumblebee loader, which has been linked to multiple ransomware operations. The trojanized installer has reportedly been available for download for at least two weeks, potentially compromising countless VMware environments.

The Scoop: This supply chain attack is particularly concerning because RVTools is widely trusted and used by VMware administrators worldwide. The compromised installer creates a perfect beachhead for attackers to gain initial access to virtualized environments, which often host an organization's most critical systems. It's a stark reminder that even the tools we use to secure and manage our infrastructure can become vectors for attack.

Detection and Remediation Tips:

  • Immediately identify any RVTools installers downloaded in the last several weeks and verify their integrity against the hashes and signature of the legitimate release

  • Treat any host where a suspect installer was run as potentially compromised and hunt for Bumblebee loader activity with your EDR tooling

  • Implement application control policies so that only verified installers can execute on administrator workstations

  • Monitor for unusual activity from administrator workstations toward VMware management interfaces, since these are the initial access targets of this campaign

2. Fake KeePass: When Your Password Manager Has Trust Issues

Primary Threat: Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months, according to BleepingComputer. The campaign ultimately leads to ESXi ransomware attacks after the attackers use the compromised systems to steal credentials and deploy Cobalt Strike beacons.

The Scoop: The irony is palpable—a tool designed to enhance security becoming the very thing that undermines it. This attack chain is particularly devious because it targets security-conscious users who are actively trying to improve their password hygiene. The attackers are effectively weaponizing good security practices against users, creating a perfect storm of compromise that eventually escalates to full-blown ransomware deployment on critical infrastructure.

Detection and Remediation Tips:

  • Verify the authenticity of password management tools by downloading only from official sources

  • Implement application control policies to prevent unauthorized executables from running

  • Deploy endpoint detection and response (EDR) solutions capable of detecting Cobalt Strike beacons

  • Segment networks to limit lateral movement from compromised endpoints to critical infrastructure

  • Consider implementing hardware security keys for authentication to critical systems

3. Pwn2Own Berlin: Where Hackers Get Paid to Break Everything

Primary Threat: White hat hackers earned a staggering $1,078,750 at Pwn2Own Berlin 2025 for demonstrating 28 previously unknown vulnerabilities, SecurityWeek reports. The competition saw successful exploits against virtual machines, browsers, servers, containers, operating systems, and—for the first time—AI systems.

The Scoop: While these vulnerabilities are now in the hands of vendors for patching, the sheer volume and diversity of successful exploits is a sobering reminder of the fragility of our digital infrastructure. Particularly concerning were the zero-days demonstrated in Firefox, which are already being exploited in the wild. The inclusion of AI systems in this year's competition also opens a new frontier of security concerns as organizations increasingly integrate these technologies into their operations.

Detection and Remediation Tips:

  • Prioritize patching systems affected by the vulnerabilities demonstrated at Pwn2Own

  • Implement browser isolation technologies to mitigate the impact of browser-based exploits

  • Consider implementing a defense-in-depth strategy that doesn't rely solely on perimeter security

  • Monitor vendor security bulletins for patches addressing these newly discovered vulnerabilities

  • Review and enhance security controls around AI systems if they're part of your environment

Did you know...?

The first documented case of ransomware dates back to 1989 with the "AIDS Trojan" (also known as the "PC Cyborg"). Created by biologist Dr. Joseph Popp, it was distributed via floppy disks labeled as "AIDS Information Introductory Diskette" to attendees of the World Health Organization's AIDS conference. After 90 reboots, the malware encrypted file names on the victim's computer and demanded a $189 payment to the "PC Cyborg Corporation" for a restoration tool. The encryption was relatively simple by today's standards—it merely renamed files using symmetric encryption—and could be reversed without paying the ransom. Popp was eventually caught but was declared mentally unfit to stand trial. This primitive attack laid the groundwork for the sophisticated ransomware ecosystem we face today, which has evolved from simple file renaming to the complex double and triple extortion tactics employed by modern ransomware gangs.

4. O2 UK Location Leak: Your Phone Calls Are Showing

Primary Threat: A flaw in O2 UK's implementation of VoLTE and WiFi Calling technologies could allow anyone to expose the general location of a person by simply calling them, as discovered by security researchers. The vulnerability leaked location data through call metadata, potentially affecting millions of users.

The Scoop: This isn't just a privacy issue—it's a security nightmare with real-world implications. The ability to track someone's location without their knowledge or consent could enable stalking, facilitate physical attacks, or compromise the safety of individuals in sensitive positions. While O2 has patched the vulnerability, it raises questions about how many similar flaws might exist in telecommunications infrastructure worldwide, silently leaking our location data to anyone who knows how to look.

Detection and Remediation Tips:

  • Ensure mobile devices are running the latest firmware and carrier updates

  • Consider using VPNs when connecting to WiFi networks to mask metadata

  • Be aware of which apps and services have access to location data

  • Implement security awareness training that covers physical security implications of digital vulnerabilities

  • For high-risk individuals, consider using dedicated secure communication channels

5. Skitnet: The Ransomware Gangs' New Favorite Toy

Primary Threat: Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control, The Hacker News reports. The malware, written in the Nim programming language, has been sold on underground forums since April 2024 and is designed to evade detection.

The Scoop: Skitnet represents the continued evolution of the ransomware ecosystem, with threat actors increasingly adopting specialized tools for different phases of their attacks. This modular approach makes detection and attribution more difficult, as different components may be developed by different criminal groups. The use of the Nim programming language also highlights how attackers are constantly adapting to evade detection, as many security tools are less effective at analyzing code written in less common languages.

Detection and Remediation Tips:

  • Implement robust data loss prevention (DLP) controls to detect unusual data exfiltration

  • Deploy endpoint detection and response (EDR) solutions with behavioral analysis capabilities

  • Regularly back up critical data and test restoration procedures

  • Monitor for unusual network traffic patterns, particularly large outbound data transfers

  • Consider implementing network segmentation to limit lateral movement

6. UK Legal Aid Agency Breach: When Your Legal Lifeline Gets Compromised

Primary Threat: The UK Legal Aid Agency has confirmed that a "significant amount of personal data" was stolen in a recent data breach, according to BleepingComputer. The compromised information includes sensitive details of individuals who applied for legal aid through the agency's digital services.

The Scoop: This breach is particularly concerning because it affects vulnerable individuals seeking legal assistance, often in difficult circumstances. The stolen data could potentially be used for targeted phishing, identity theft, or even blackmail. It's also part of a troubling trend of cyberattacks targeting UK public sector and retail organizations, suggesting a coordinated campaign against British entities. The incident highlights the critical importance of securing systems that process sensitive personal information, especially those serving vulnerable populations.

Detection and Remediation Tips:

  • Monitor financial accounts and credit reports for signs of identity theft

  • Be vigilant for phishing attempts that leverage the stolen information

  • Implement multi-factor authentication for all accounts to prevent credential stuffing attacks

  • Consider placing a credit freeze if you believe your information may have been compromised

  • Review and enhance security controls for systems processing sensitive personal information

IN SUMMARY:

From supply chain compromises and trojanized security tools to telecom location leaks, specialized ransomware tooling, and a public sector breach, today's threats demand comprehensive security controls and constant vigilance across all systems.

🚨 Key Takeaways:

✔️ Supply chain attacks continue to be a major threat, with the RVTools compromise potentially affecting countless VMware environments.
✔️ Even security tools like password managers can become attack vectors when obtained from unofficial sources.
✔️ The Pwn2Own competition revealed 28 new vulnerabilities across various technologies, including first-ever AI system exploits.
✔️ Telecommunications infrastructure vulnerabilities can leak sensitive location data, creating both privacy and physical security risks.
✔️ Ransomware operations continue to evolve, with specialized tools like Skitnet enhancing their post-exploitation capabilities.
✔️ Public sector organizations remain prime targets, as evidenced by the UK Legal Aid Agency breach affecting vulnerable individuals.

🔎 Immediate Actions:

✔️ Verify the integrity of any recently downloaded software, especially RVTools installations.
✔️ Implement strict application control policies to prevent unauthorized executables from running.
✔️ Prioritize patching systems affected by vulnerabilities demonstrated at Pwn2Own Berlin 2025.
✔️ Ensure mobile devices have the latest firmware and carrier updates to address potential location leaks.
✔️ Deploy robust data loss prevention controls to detect unusual data exfiltration attempts.
✔️ Review and enhance security for systems processing sensitive personal information, especially those serving vulnerable populations.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)
