Cybersecurity Threats and Trends - 05/29/2025

Organizations must prioritize visibility into cloud service usage, implement robust authentication controls, and maintain vigilant patch management practices.


It's that time of the week again when I share the latest cybersecurity developments that have caught my attention. As usual, I've sifted through the noise to bring you six significant threats and trends that deserve your immediate attention.

Let's dive right in.

1. Microsoft OneDrive File Picker Flaw Grants Apps Full Cloud Access

Primary Threat: Researchers have discovered a critical security flaw in Microsoft's OneDrive File Picker that could allow websites to access a user's entire cloud storage when they only intended to upload a single file. The Oasis Research Team revealed that this stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted.

Risk: HIGH

What's particularly concerning is that the OAuth tokens used to authorize access are often stored insecurely in plaintext format in the browser's session storage. The problem affects several popular applications integrated with Microsoft's cloud service, including ChatGPT, Slack, Trello, and ClickUp. This vulnerability essentially undermines the fundamental principle of least privilege in cloud access controls.

Detection and Remediation Tips:

  • Review all OAuth integrations with cloud storage services in your environment

  • Implement additional monitoring for unusual access patterns to cloud storage

  • Consider temporarily disabling the option to upload files using OneDrive through OAuth

  • Educate users about the risks of granting permissions to web applications

  • Deploy cloud access security broker (CASB) solutions to monitor cloud service usage
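The first tip above is easier to act on with a concrete check. This added example (not code from the newsletter, Oasis, or Microsoft) parses a Microsoft identity platform authorize URL of the kind a web app issues when it opens a OneDrive picker and flags scopes that reach the user's whole drive; the broad/narrow classification, the placeholder client_id and the sample URL are this example's own assumptions.

```python
"""Audit an OAuth authorize request for overly broad file scopes.

Added example, not code from the newsletter, Oasis, or Microsoft. Which
Microsoft Graph scopes count as broad or narrow is this example's own policy.
"""
from urllib.parse import urlparse, parse_qs

# Graph delegated scopes that cover the user's whole drive (or all sites).
BROAD_FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All",
                     "Sites.Read.All", "Sites.ReadWrite.All"}
# Per-selection / app-folder scopes: enough for "upload the file I picked".
NARROW_FILE_SCOPES = {"Files.Read.Selected", "Files.ReadWrite.Selected",
                      "Files.ReadWrite.AppFolder"}

def requested_scopes(authorize_url):
    """Return the space-separated scope list carried in the URL query."""
    query = parse_qs(urlparse(authorize_url).query)
    return " ".join(query.get("scope", [])).split()

def audit_authorize_url(authorize_url):
    """Classify scopes and report least-privilege findings for one request."""
    scopes = requested_scopes(authorize_url)
    broad = sorted(s for s in scopes if s in BROAD_FILE_SCOPES)
    narrow = sorted(s for s in scopes if s in NARROW_FILE_SCOPES)
    offline = "offline_access" in scopes  # refresh token: access outlives the session
    findings = []
    if broad:
        findings.append("broad file scope(s): " + ", ".join(broad))
    if broad and narrow:
        findings.append("narrow scope(s) requested alongside broad ones; drop the broad ones")
    if broad and offline:
        findings.append("offline_access with a broad scope: long-lived full-drive access")
    return {"scopes": scopes, "broad": broad, "narrow": narrow,
            "offline_access": offline, "findings": findings}

# Constructed request (placeholder client_id); a picker that only needs the
# chosen file has no reason to ask for Files.ReadWrite.All plus offline_access.
SAMPLE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&scope=openid%20Files.ReadWrite.All%20offline_access"
              "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback")

if __name__ == "__main__":
    for finding in audit_authorize_url(SAMPLE_URL)["findings"]:
        print("FINDING:", finding)
```

Point the same function at the authorize URLs your proxy or browser telemetry records for each integrated app to build the inventory the first tip asks for.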

2. MATLAB Maker MathWorks Recovering From Ransomware Attack

Primary Threat: MathWorks, the company behind MATLAB and Simulink, confirmed that a widespread outage affecting its applications since May 18 was the result of a ransomware attack. The incident impacted multiple web and mobile applications, licensing services, downloads, online store, website, wiki, MathWorks accounts, and other services.

Risk: HIGH

With more than five million users worldwide relying on MATLAB, this attack has significant implications for scientific and engineering communities. The Massachusetts-based company has been slowly restoring services, focusing first on MATLAB Online and MATLAB Mobile. MathWorks has notified relevant authorities, but no ransomware group has publicly claimed responsibility yet.

Detection and Remediation Tips:

  • Verify that MATLAB installations are using the latest patched versions

  • Implement network monitoring for potential data exfiltration from engineering workstations

  • Review contingency plans for critical systems that depend on MATLAB functionality

  • Consider implementing application allowlisting on systems running specialized software

  • Ensure offline backups exist for critical research and engineering data

3. APT41 Malware Abuses Google Calendar for Stealthy Communication

Primary Threat: Chinese APT41 hackers have developed a new malware called 'ToughProgress' that exploits Google Calendar for command-and-control operations, effectively hiding malicious activity behind a trusted cloud service. Google's Threat Intelligence Group discovered the campaign and has since dismantled the attacker-controlled Calendar infrastructure.

Risk: HIGH

The attack begins with a malicious email containing a link to a ZIP archive hosted on a compromised government website. The archive contains a Windows LNK file disguised as a PDF, which launches a sophisticated infection chain that ultimately connects to Google Calendar to poll for commands hidden in event descriptions. With payloads never touching the disk and C2 communication happening over a legitimate cloud service, this technique significantly reduces the chances of detection by security products.

Detection and Remediation Tips:

  • Implement monitoring for unusual API calls to cloud services, especially calendar applications

  • Deploy advanced email security with sandbox detonation for suspicious attachments

  • Consider implementing browser isolation technologies for high-risk users

  • Monitor for unusual PowerShell execution chains, particularly those involving encoded commands

  • Review and restrict access to cloud services based on legitimate business needs
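Monitoring "unusual API calls to calendar applications" comes down to spotting a timer, not a person. This added example (not code from the newsletter or Google's Threat Intelligence Group) groups Google Calendar API requests per client from constructed proxy log lines and flags clients whose polling interval is nearly constant; the log format, sample addresses, user agents and thresholds are all assumptions of the example.

```python
"""Flag beacon-like polling of the Google Calendar API in proxy logs.

Added example, not code from the newsletter or Google TIG. ToughProgress is
described as polling Calendar for commands, so a client hitting the API on a
steady timer from a non-browser user agent stands out. Format/thresholds assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed: "<ISO time> <client> <user-agent> <method> <url>"; 10.0.0.9 polls every ~300 s.
SAMPLE_LOG = """\
2025-05-27T09:00:00 10.0.0.5 Mozilla/5.0 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-27T09:24:40 10.0.0.5 Mozilla/5.0 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-27T09:00:00 10.0.0.9 WinHTTP/1.0 GET https://www.googleapis.com/calendar/v3/calendars/c2/events
2025-05-27T09:05:00 10.0.0.9 WinHTTP/1.0 GET https://www.googleapis.com/calendar/v3/calendars/c2/events
2025-05-27T09:10:01 10.0.0.9 WinHTTP/1.0 GET https://www.googleapis.com/calendar/v3/calendars/c2/events
2025-05-27T09:15:00 10.0.0.9 WinHTTP/1.0 GET https://www.googleapis.com/calendar/v3/calendars/c2/events
2025-05-27T09:20:00 10.0.0.9 WinHTTP/1.0 GET https://www.googleapis.com/calendar/v3/calendars/c2/events
"""

CALENDAR_API = re.compile(r"https://www\.googleapis\.com/calendar/v3/")
BROWSER_UA = re.compile(r"^Mozilla/")

def calendar_requests(log_text):
    """Group Calendar API requests by client: client -> [(time, user_agent)]."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, ua, _method, url = line.split()
        if CALENDAR_API.match(url):
            hits[client].append((datetime.fromisoformat(ts), ua))
    return hits

def find_beacons(log_text, min_requests=4, max_jitter=0.10):
    """Return clients whose Calendar polling is evenly spaced (low jitter)."""
    alerts = {}
    for client, hits in calendar_requests(log_text).items():
        if len(hits) < min_requests:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else 1.0  # coefficient of variation
        if jitter <= max_jitter:
            alerts[client] = {"requests": len(hits), "period_s": round(period),
                              "jitter": round(jitter, 3),
                              "non_browser_client": not any(BROWSER_UA.match(ua) for _, ua in hits)}
    return alerts
```

Real malware may add jitter on purpose, so treat this as one signal to combine with the user-agent and process-lineage checks rather than a sole alert.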

Did you know...?

The use of legitimate cloud services for command and control (C2) communications, like APT41's abuse of Google Calendar, has a fascinating history. This technique, known as "living off the cloud," first gained prominence around 2014 when researchers discovered malware using Twitter, GitHub, and even Instagram comments for C2. The technique works because most organizations can't block access to popular cloud services without disrupting business operations. In 2018, the HAMMERTOSS malware made headlines by using Twitter, GitHub, and cloud storage services in combination, creating a multi-stage C2 infrastructure that was extremely difficult to detect. Today, security teams face the challenge of distinguishing between legitimate API calls to cloud services and those initiated by malware, making these techniques some of the most effective for evading detection.

4. Iranian Hacker Pleads Guilty in $19 Million Robbinhood Ransomware Attack

Primary Threat: An Iranian national has pleaded guilty to participating in the Robbinhood ransomware operation that targeted Baltimore and other victims, causing approximately $19 million in damages. Sina Gholinejad (aka Sina Ghaaf), 37, faces a maximum penalty of 30 years in prison after admitting to computer fraud and abuse and conspiracy to commit wire fraud.

Risk: MEDIUM

According to court documents, Gholinejad and his co-conspirators infiltrated victim networks between January 2019 and March 2024, stole sensitive information, and deployed the Robbinhood ransomware. The Baltimore attack was particularly devastating, disrupting several essential city services, including online systems for processing property taxes, water bills, and parking citations. The disruption lasted for months. The attackers laundered their ill-gotten gains through cryptocurrency mixing services and chain-hopping techniques.

Detection and Remediation Tips:

  • Review incident response plans for ransomware scenarios, particularly for critical municipal services

  • Implement network segmentation to limit lateral movement in the event of a breach

  • Deploy multi-factor authentication across all remote access points

  • Ensure offline, tested backups exist for critical systems and data

  • Consider implementing zero trust architecture for critical infrastructure access

5. Cisco Fixes Critical IOS XE Flaw Letting Attackers Hijack Devices

Primary Threat: Cisco has patched a maximum severity vulnerability (CVE-2025-20188) in its IOS XE Software for Wireless LAN Controllers that scores a perfect 10.0 CVSS. The flaw involves a hard-coded JSON Web Token that allows unauthenticated remote attackers to completely take over devices.

Risk: CRITICAL

The vulnerability affects the 'Out-of-Band AP Image Download' feature, which isn't enabled by default but might be activated in large-scale enterprise deployments for faster provisioning. An attacker could exploit this by sending crafted HTTPS requests to the AP image download interface, potentially uploading files, performing path traversal, and executing arbitrary commands with root privileges. Affected devices include Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controller for Catalyst switches, and several other controller models.

Detection and Remediation Tips:

  • Apply Cisco's security updates immediately to affected devices

  • Disable the 'Out-of-Band AP Image Download' feature if not absolutely necessary

  • Implement network segmentation to isolate management interfaces from untrusted networks

  • Deploy network monitoring to detect exploitation attempts

  • Review network device configurations for unnecessary enabled features

6. 364,000 Impacted by Data Breach at LexisNexis Risk Solutions

Primary Threat: Data broker giant LexisNexis Risk Solutions is notifying more than 364,000 people that their personal information was stolen in a December 2024 data breach. The company learned of the incident on April 1, 2025, after receiving a report from an unknown third party claiming to have accessed certain information.

Risk: HIGH

The unauthorized party acquired data from a third-party platform used for software development, specifically accessing the company's GitHub account. Stolen information includes names, dates of birth, phone numbers, email addresses, Social Security numbers, and driver's license numbers. No financial or credit card information was affected. LexisNexis collects user information from public records and other sources, providing it to financial, insurance, healthcare, and government organizations to help identify risks and fraud.

Detection and Remediation Tips:

  • Monitor for potential identity theft if you've been notified of involvement in the breach

  • Review security controls for third-party development platforms and code repositories

  • Implement security scanning for code repositories to detect exposed credentials

  • Consider implementing just-in-time access for development environments

  • Review data retention policies to minimize sensitive data exposure
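The hard-coded JWT behind CVE-2025-20188 in item 5 and the repository credential-scanning tip in item 6 describe the same defect: a static bearer credential baked into an artifact. This added example (not code from the newsletter, Cisco, or LexisNexis) pulls JWT-shaped strings out of text, decodes their header and claims without verifying them, flags tokens that never expire, and also matches two well-known token formats; the sample file contents, token values and patterns are constructed for the example.

```python
"""Find bearer credentials baked into source or firmware text.

Added example, not code from the newsletter, Cisco, or LexisNexis. Decoding is
inspection only: the JWT signature is deliberately not checked. Samples constructed.
"""
import base64, json, re, time

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed: a never-expiring HS256 token and a placeholder GitHub PAT.
SAMPLE_JWT = (_b64url({"alg": "HS256", "typ": "JWT"}) + "."
              + _b64url({"sub": "image-download", "role": "admin"}) + ".c2lnbmF0dXJl")
SAMPLE_SOURCE = f"""\
# constructed sample file, not real vendor code
STATIC_TOKEN = "{SAMPLE_JWT}"
GITHUB_TOKEN = "ghp_{'A' * 36}"
"""

JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")  # eyJ = b64url('{"')
CREDENTIAL_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def decode_jwt_unverified(token):
    """Return (header, claims); the signature is deliberately not checked."""
    def segment(s):
        return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    head, body = token.split(".")[:2]
    return segment(head), segment(body)

def scan_text(text, now=None):
    """Report embedded JWTs (with alg/expiry facts) and known credential formats."""
    now = int(time.time()) if now is None else now
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            try:
                header, claims = decode_jwt_unverified(match.group())
                alg, exp = header.get("alg"), claims.get("exp")
            except (ValueError, AttributeError):  # look-alike, not a decodable JWT
                continue
            findings.append({"line": lineno, "kind": "jwt", "alg": alg,
                             "never_expires": exp is None,
                             "expired": isinstance(exp, (int, float)) and exp < now})
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind})
    return findings
```

Run it as a pre-commit hook or over extracted firmware to catch static tokens before they ship; a token with no exp claim and an admin-style subject is exactly the kind of credential that turns one leaked artifact into full access.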

IN SUMMARY:

From cloud service vulnerabilities and sophisticated state-sponsored attacks to ransomware incidents and critical infrastructure flaws, this week's threats demonstrate the expanding attack surface and increasingly blurred lines between criminal and nation-state tactics.

🚨 Key Takeaways:
✔️ Microsoft's OneDrive File Picker flaw highlights the dangers of overly broad OAuth permissions and the need for careful cloud integration reviews.
✔️ The MathWorks ransomware attack demonstrates how disruption to specialized software can have widespread impacts across scientific and engineering communities.
✔️ APT41's abuse of Google Calendar for C2 communications shows how legitimate cloud services can be weaponized to evade detection.
✔️ The Robbinhood ransomware case illustrates the growing international cooperation in prosecuting cybercriminals, even those operating from sanctioned countries.
✔️ Cisco's critical IOS XE vulnerability underscores the importance of disabling unnecessary features in network infrastructure.
✔️ The LexisNexis data breach reveals how third-party development platforms can become entry points for attackers targeting sensitive personal information.

🔎 Immediate Actions:
✔️ Patch all Apple devices to the latest versions.
✔️ Review Oracle Cloud connections and implement additional security controls.
✔️ Alert users to the ClickFix social engineering tactic.
✔️ Identify and prepare to patch systems using Erlang/OTP.
✔️ Review your ransomware readiness plans, especially if you're in healthcare.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)
