Microsoft May Patch Tuesday addresses 72 vulnerabilities, including 5 exploited zero days
Microsoft released its May Patch Tuesday updates, addressing 72 vulnerabilities, including five zero days that are actively being exploited. The update includes fixes for six critical issues — five involving remote code execution and one related to information disclosure. Categories impacted include 17 elevation of privilege flaws, 28 remote code execution bugs, and 15 information disclosure vulnerabilities.
The five exploited zero-days are CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709, and CVE-2025-30397, affecting components such as the DWM Core Library, the CLFS driver, the WinSock driver, and the Microsoft Scripting Engine. These vulnerabilities allow attackers to gain SYSTEM-level privileges or execute code remotely through memory-safety bugs such as use-after-free and type confusion.
All five have been added to CISA’s Known Exploited Vulnerabilities Catalog, signaling active exploitation and heightened risk to federal systems. CISA warns these types of vulnerabilities are commonly used by threat actors as entry points or for privilege escalation. Microsoft credits both internal teams and external researchers for the discoveries but has not disclosed how the flaws were exploited in real-world attacks.
EU Vulnerability Database (EUVD) introduced by ENISA to track security vulnerabilities
ENISA has launched the EU Vulnerability Database (EUVD) to centralize software bug disclosures across Europe, as mandated by the NIS 2 Directive.
The database will help identify gaps in existing reporting and may become more influential once the Cyber Resilience Act takes effect in September 2025, requiring vendors to report exploited bugs. Although EUVD can issue CVEs, it will also use its own ID system.
A recent example already listed in both EUVD and CISA’s Known Exploited Vulnerabilities catalog is CVE-2025-4664, a high-severity flaw in Google Chrome. The vulnerability — stemming from insufficient policy enforcement in Chrome’s Loader component — allows remote attackers to steal sensitive data, such as OAuth tokens, via crafted HTML pages. With a public exploit circulating, Google issued an emergency patch, and U.S. federal agencies are required to apply it. All organizations are strongly urged to do the same to prevent potential breaches.
Additionally, the Australian Signals Directorate (ASD) has issued a critical alert on two chained Ivanti zero-day vulnerabilities — CVE-2025-4427 and CVE-2025-4428 — which allow remote code execution and primarily impact large enterprises and government bodies. Ivanti confirmed the bugs stem from two unnamed open-source libraries integrated into its Endpoint Manager Mobile (EPMM) platform. It is now working with the libraries’ maintainers to assess whether additional CVEs are needed. Although exploitation has so far been limited, the risk remains high — mitigation is possible through API filtering or by applying the available patches.
Facebook users lured by Noodlophile malware spread by fake AI tools
Threat actors are using fake AI-powered tools as bait to spread the Noodlophile malware, which steals sensitive information from victims.
Instead of traditional phishing, they create convincing AI-themed platforms promoted through legitimate-looking Facebook groups and viral social media campaigns, attracting over 62,000 views on some posts. These fake sites, like one impersonating "CapCut AI," lure users into uploading images or videos and then trick them into downloading malicious ZIP files containing hidden malware. The infection chain starts with a deceptive executable that launches a loader, ultimately deploying the Python-based Noodlophile Stealer. This malware harvests browser credentials, cryptocurrency wallets, and other private data, sometimes paired with remote access trojans for deeper control.
The developer behind Noodlophile is believed to be from Vietnam, a known hub for cybercrime targeting Facebook users. This tactic of exploiting public interest in AI follows previous campaigns where attackers used AI-related themes to distribute malware on platforms like Meta’s services.
U.S. steel producer Nucor Corporation and Christian Dior are victims of separate cyberattacks
Nucor Corporation, the largest steel producer in the U.S., experienced a cybersecurity incident that forced parts of its network offline and led to containment measures. As a result, production was temporarily suspended at several locations, though the full impact on the company’s operations is still unclear. Nucor, a key supplier of reinforcing bars used in infrastructure across North America, employs over 32,000 people and reported $7.83 billion in revenue for the first quarter.
The incident was disclosed in a recent SEC filing, which confirmed unauthorized third-party access to some of Nucor’s IT systems. The company activated its incident response plan, took affected systems offline, and engaged law enforcement and cybersecurity experts for investigation. No details about the nature or date of the attack have been released, and no ransomware group has claimed responsibility so far.
In a separate case, fashion giant Dior disclosed a cybersecurity incident affecting customer data for its Fashion and Accessories division, with investigations ongoing to assess the full scope. The breach exposed personal information such as names, contact details, and purchase history, but did not include passwords or payment card data. Dior confirmed that its South Korean and Chinese customers were impacted and has begun notifying affected individuals and regulators in line with legal requirements. The company emphasized that protecting customer data is a top priority and urged customers to be cautious of phishing attempts. Legal scrutiny has emerged in South Korea due to delayed breach notifications to authorities.
Six Latin American countries victims of invoice-themed phishing emails spreading Horabot malware
Researchers have identified a new phishing campaign spreading the Horabot malware, targeting Windows users in six Latin American countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
These attacks use fake invoice-themed emails to trick users into opening malicious attachments, enabling the malware to steal email credentials, gather contact lists, and install banking trojans. First documented in 2023, Horabot has been active since at least 2020 and is believed to be operated by a Brazil-based threat actor.
The malware uses various scripting languages like VBScript, AutoIt and PowerShell to perform reconnaissance, steal information, and spread further payloads. It also abuses Outlook automation to send phishing emails from infected accounts, increasing the reach of the attack. Once installed, Horabot can steal browser data, monitor user behavior and display fake login prompts to harvest sensitive credentials.