In today’s cybersecurity news…
Ransomware attack knocks out Kettering Health
The Ohio-based healthcare network confirmed a recent outage was caused by a ransomware attack, impacting call centers and patient care systems. Kettering cancelled elective inpatient and outpatient procedures on May 20th, but emergency rooms and clinics could still see patients. CNN reported that the Interlock ransomware gang is named in the ransom notes on encrypted systems, but the group hasn’t listed this attack on its leak site yet. Kettering also said it recently saw a campaign of scammers calling patients and requesting credit card information, but it’s unclear if these two are related.
Lumma malware operation disrupted
Microsoft published details about how it worked with law enforcement to seize and disrupt infrastructure used by this malware-as-a-service operation. Since March 16, 2025, “Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware.” The company worked with ESET, CleanDNS, Bitsight, Lumen, and GMO Registry to identify and take down roughly 2,300 domains used by Lumma operators. The US Department of Justice disrupted online marketplaces selling Lumma services, while Europol and Japan’s Cybercrime Control Center seized physical infrastructure in their jurisdictions.
Federal agencies impacted by “major lapse” at Opexus
The Thoma Bravo-owned company Opexus provides digital tools that federal government agencies use to process electronic records. According to documents seen by Bloomberg News, two employees, twin brothers Suhaib and Muneeb Akhter, carried out an insider attack in which they improperly accessed sensitive documents and deleted over 30 databases, including those with data from the IRS and General Services Administration. The two previously pleaded guilty to wire fraud and hacking charges in 2015, involving a scheme to install a device that would give them remote access to State Department systems to create and sell fake passports and visas. When Opexus officials held a virtual human resources meeting with the brothers to terminate them after getting flagged by the FDIC for their previous exploits, the brothers deleted and exfiltrated data while on the call and within an hour of being released.
More details on TeleMessage hack
After reviewing a cache of leaked data from Distributed Denial of Secrets, Reuters identified over 60 government users with data exposed from the recent breach at TeleMessage. These users range from disaster responders to diplomatic, White House, and Secret Service staff. The cache contained fragmentary message data for roughly a day around May 4th. Data included discussions on a US trip to Jordan and logistics for a trip to the Vatican, but nothing sensitive. Former National Security Agency cyber specialist Jake Williams told Reuters that even if the contents weren’t damaging, the wealth of exposed metadata could pose a counterintelligence risk.
(Reuters)
The international community points fingers at Russian APT
A joint cybersecurity advisory from eleven allied countries and twenty-one intelligence agencies warned that the Russian-linked APT28, aka Fancy Bear or BlueDelta, was behind a campaign of cyberattacks against logistics providers “across virtually all transportation modes: air, sea, and rail.” Attacks occurred in NATO member states, Ukraine, and international organizations. These attacks seemed focused on espionage and also attempted to access remote cameras. The campaign doesn’t show particularly novel techniques, but was widespread enough to warrant such an international warning.
Over 69,000 people impacted by Coinbase breach
In a data breach notification filed with Maine’s Attorney General, the popular cryptocurrency exchange confirmed its recent breach impacted 69,461 individuals. Data exposed includes names, dates of birth, the last four digits of Social Security numbers, bank identifiers, phone numbers, and email addresses, with some customers also having government IDs and account information exposed. Coinbase has already committed to making customers whole for any lost funds, and estimates the breach cost to be between $180 and $400 million.
Probable PowerSchool hacker pleads guilty
According to court documents, 19-year-old Matthew Lane of Massachusetts signed a plea deal on charges of hacking two companies, one of them an educational technology vendor. While no specifics were named in the case, NBC’s sources say this was PowerSchool. Lane accessed the platform through stolen credentials. Court records don’t clarify if Lane was directly involved with the extortion of PowerSchool after the breach or the subsequent extortion requests to school districts earlier this month. Lane agreed not to challenge a prison sentence shorter than nine years and four months as part of the plea deal.
(NBC News)
UK NCA looking into retail attacks
According to the head of the national cybercrime unit at the UK’s National Crime Agency, Paul Foster, the NCA is considering “a range” of threat actors behind the recent retail attacks impacting the Co-op, Harrods, and Marks & Spencer. Google researchers said they suspected the attacks were linked to the group Scattered Spider. Foster said that while the group was on its radar, it would “follow the evidence” and consider a range of possibilities. In related news, Marks & Spencer announced that it expects a £300 million hit to its annual operating profit as a result of the attack, with disruptions from it likely lasting until July.






