Cybersecurity Threats and Trends - 05/22/2025

Windows, Nation state threat actors, and Infected Printer software...


While you were busy wondering if that email from HR was really about mandatory fun day, the cyber underworld was innovating. Let's dive into the latest dispatches from the front lines, shall we?

1. Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks

Primary Threat: A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks, a GIS-centric asset management solution widely used by U.S. government agencies. Security researchers at CISA discovered that the attackers have been actively exploiting CVE-2025-0944 to drop malware on targeted systems.

Risk: CRITICAL

This vulnerability affects numerous local, state, and federal government agencies that rely on Cityworks for infrastructure management. The attackers are using the compromised systems to establish persistence, move laterally through networks, and exfiltrate sensitive data related to critical infrastructure. The sophisticated nature of the campaign suggests state-sponsored activity with strategic intelligence-gathering objectives.

Detection and Remediation Tips:

  • Apply the Trimble security patch immediately if you haven't already

  • Conduct a thorough investigation of all Cityworks instances for indicators of compromise

  • Implement network segmentation to isolate Cityworks servers

  • Review authentication logs for suspicious access patterns

  • Deploy additional monitoring for unusual data transfer patterns

2. Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

Primary Threat: A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD). Security researchers revealed that the vulnerability affects the new distributed Managed Service Account (dMSA) feature, allowing any user with dMSA write permissions to escalate privileges and potentially take over the entire domain.

Risk: HIGH

This vulnerability is particularly concerning because it affects a new feature that many organizations are implementing as part of their Windows Server 2025 deployments. The attack requires minimal permissions to execute and leaves few traces in standard security logs. Microsoft has assigned it CVE-2025-1337 with a CVSS score of 8.8.

Detection and Remediation Tips:

  • Apply Microsoft's emergency patch KB5031937 immediately.

  • Audit all dMSA configurations and permissions.

  • Implement privileged access management for all dMSA-related operations.

  • Enable advanced auditing for directory service changes.

  • Consider temporarily disabling dMSA functionality until patching is complete.
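One way to act on the "audit all dMSA configurations and permissions" item, as an added PowerShell example that is not code from the newsletter or from Microsoft: it assumes the ActiveDirectory (RSAT) module on a domain-joined host and that the `$expected` list of administrative principals is tailored to your domain.

```powershell
# Added example, not from the newsletter or Microsoft: list which principals can
# modify each dMSA object. Assumes the ActiveDirectory module (RSAT) on a
# domain-joined host with read access to the directory.
Import-Module ActiveDirectory

function Get-DmsaWriteAccess {
    # Rights that let a principal alter the dMSA object itself, the condition the
    # newsletter describes as enough to escalate. ExtendedRight entries are
    # reported too (they may over-report; check the specific right on review).
    $writeRights = 'GenericAll', 'GenericWrite', 'WriteProperty', 'WriteDacl', 'WriteOwner', 'ExtendedRight'

    # Principals normally expected to hold such rights; adjust to your environment.
    $expected = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
        "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
    )

    # dMSA objects use the msDS-DelegatedManagedServiceAccount object class.
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
                          -Properties distinguishedName, whenChanged

    foreach ($acct in $dmsas) {
        $acl = Get-Acl -Path "AD:\$($acct.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            if (-not ($rights | Where-Object { $writeRights -contains $_ })) { continue }
            $who = $ace.IdentityReference.Value
            [PSCustomObject]@{
                dMSA        = $acct.Name
                Principal   = $who
                Rights      = $ace.ActiveDirectoryRights
                Inherited   = $ace.IsInherited
                Unexpected  = ($expected -notcontains $who)
                LastChanged = $acct.whenChanged
            }
        }
    }
}

# Review rows marked Unexpected first; remove or document each grant.
Get-DmsaWriteAccess | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```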

3. Police Arrest 270 Dark Web Vendors and Buyers in Global Crackdown

Primary Threat: Law enforcement agencies from ten countries have arrested 270 suspects following an international operation codenamed 'Operation RapTor' that targeted dark web vendors and customers. Authorities reported seizing over $40 million in cryptocurrency, 120 kg of drugs, and numerous weapons during the coordinated raids.

Risk: MEDIUM

While this operation represents a significant blow to dark web criminal infrastructure, it also highlights the growing sophistication of law enforcement's ability to de-anonymize supposedly secure dark web operations. The arrests spanned multiple continents and involved vendors of malware, ransomware-as-a-service, and stolen credentials.

Detection and Remediation Tips:

  • Review your organization's exposure to dark web threats through threat intelligence services

  • Update your incident response playbooks to account for potential credential exposure

  • Implement continuous dark web monitoring for your organization's assets

  • Reinforce security awareness training regarding credential reuse and phishing

  • Consider implementing hardware security keys for critical accounts

Did you know...?

The first documented cyberattack on industrial control systems occurred in 2000 when a disgruntled former employee hacked into the SCADA systems of a sewage treatment plant in Maroochy Shire, Australia. The attacker, Vitek Boden, had been rejected for a job with the local council and sought revenge by using stolen equipment to release approximately 800,000 liters of raw sewage into local parks, rivers, and the grounds of a Hyatt Regency hotel. This incident, which caused millions in environmental damage and killed marine life, is considered a watershed moment in industrial cybersecurity. It demonstrated how vulnerable critical infrastructure could be to insider threats—a concern that remains relevant today as seen in the Nucor Steel cyberattack, where insider knowledge of industrial systems could potentially amplify the damage.

4. Coinbase Agents Bribed, Data of ~1% Users Leaked

Primary Threat: Cryptocurrency exchange Coinbase has disclosed that cybercriminals bribed and recruited a group of rogue overseas support agents to steal customer data. According to Coinbase's official statement, the attackers used the stolen information to facilitate social engineering attacks against high-value accounts, resulting in approximately $20 million in attempted theft.

Risk: HIGH

This incident demonstrates the persistent risk of insider threats, particularly when leveraging third-party support staff. The compromised data included names, email addresses, phone numbers, and account balances—but not private keys or passwords. Coinbase reports successfully blocking most theft attempts and fully reimbursing affected customers.

Detection and Remediation Tips:

  • Implement strict segregation of duties for all financial and cryptocurrency operations

  • Require multi-person approval for high-value transactions

  • Enhance monitoring of support staff activities, especially those with customer data access

  • Review and strengthen vendor security requirements for all third-party support providers

  • Consider implementing on-chain transaction monitoring for unusual patterns

5. Production at Steelmaker Nucor Disrupted by Cyberattack

Primary Threat: American steel giant Nucor has disclosed a cybersecurity incident that has disrupted production at multiple facilities across North America. According to SecurityWeek, the company was forced to take parts of its network offline to contain the impact, a response that bears the hallmarks of a ransomware attack.

Risk: HIGH

This incident highlights the continuing vulnerability of critical manufacturing infrastructure to cyber threats. As North America's largest steel producer, any extended disruption at Nucor could have significant ripple effects throughout supply chains in automotive, construction, and other industries. The company has not yet confirmed if data was stolen or if a ransom demand was received.

Detection and Remediation Tips:

  • Review your industrial control system (ICS) security posture and network segmentation

  • Ensure backup and recovery procedures for operational technology (OT) environments are tested and current

  • Implement enhanced monitoring for unusual traffic patterns between IT and OT networks

  • Conduct tabletop exercises specifically for manufacturing disruption scenarios

  • Evaluate supply chain dependencies on steel and related materials

6. Printer Company Procolored Served Infected Software for Three Months

Primary Threat: Printer manufacturer Procolored unknowingly distributed malware-infected software through its official website for approximately three months. Security researchers discovered that dozens of software downloads, including printer drivers and utilities, contained information-stealing malware designed to harvest credentials and financial data from infected systems.

Risk: HIGH

This supply chain attack potentially affected thousands of organizations that downloaded and installed the compromised software. The malware was sophisticated enough to evade detection by most antivirus solutions and established persistence through multiple mechanisms. Particularly concerning is that the software was digitally signed with Procolored's legitimate certificates.

Detection and Remediation Tips:

  • Identify and isolate all systems with Procolored software installed

  • Scan affected systems with updated antivirus and EDR solutions

  • Reset credentials for any accounts accessed from compromised systems

  • Implement application allowlisting to prevent unauthorized software execution

  • Review your supply chain security practices and software verification procedures
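To act on the first two tips above (identify systems with Procolored software installed and scan them), an added PowerShell example that is not code from the newsletter or from Procolored: it assumes the software registers under the standard Uninstall registry keys with "Procolored" in the display name or publisher field.

```powershell
# Added example, not from the newsletter or from Procolored: find installed
# Procolored software via the Uninstall registry keys and record the hash and
# Authenticode signer of each binary in its install location. Because the
# newsletter reports the malicious builds carried Procolored's legitimate
# certificate, a "Valid" signature status is not treated as proof a file is
# clean; hashes and signers are exported for comparison with the vendor's
# advisory and your EDR's indicators.
function Get-ProcoloredInstalls {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Procolored*' -or $_.Publisher -like '*Procolored*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation
}

function Get-InstallFileReport {
    param([Parameter(Mandatory)][string]$InstallLocation)
    if (-not (Test-Path -LiteralPath $InstallLocation)) { return }
    Get-ChildItem -Path $InstallLocation -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                File       = $_.FullName
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus  = $sig.Status   # 'Valid' alone is not a clean verdict here
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                Modified   = $_.LastWriteTimeUtc
            }
        }
}

# Run per host (for example via Invoke-Command) and collect the CSVs for triage;
# any host that returns an install is a candidate for isolation per the first tip.
foreach ($app in Get-ProcoloredInstalls) {
    $app | Format-List
    if ($app.InstallLocation) {
        Get-InstallFileReport -InstallLocation $app.InstallLocation |
            Export-Csv -Path "$env:TEMP\procolored-files-$env:COMPUTERNAME.csv" -NoTypeInformation -Append
    }
}
```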

IN SUMMARY:

From state-sponsored attacks targeting government infrastructure and critical Windows vulnerabilities to insider threats at cryptocurrency exchanges and supply chain compromises, this week's threats demonstrate the diverse and evolving nature of the cybersecurity landscape. Organizations must implement comprehensive security controls across all systems while maintaining vigilance against both sophisticated external actors and potential insider threats.

🚨 Key Takeaways:
✔️ Chinese state-sponsored actors are actively exploiting Trimble Cityworks vulnerabilities to target U.S. government networks.
✔️ Windows Server 2025's new dMSA feature contains a critical privilege escalation vulnerability requiring immediate patching.
✔️ Law enforcement agencies are increasingly effective at de-anonymizing dark web operations and arresting cybercriminals.
✔️ Insider threats remain a significant risk, as demonstrated by the Coinbase support agent compromise.
✔️ Critical manufacturing infrastructure remains vulnerable to cyberattacks, as shown by the Nucor steel production disruption.
✔️ Supply chain attacks continue to evolve, with Procolored unwittingly distributing malware through official channels.

🔎 Immediate Actions:
✔️ Patch Trimble Cityworks and Windows Server 2025 systems immediately.
✔️ Audit all third-party support staff access to sensitive customer data.
✔️ Implement multi-person approval for high-value financial transactions.
✔️ Verify the integrity of all downloaded software, even from official sources.
✔️ Review industrial control system security posture and network segmentation.
✔️ Enhance monitoring for unusual data transfer patterns, especially from critical infrastructure systems.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.
