Krebs on Security hit by 'test run' DDoS attack that peaked at 6.3 terabits of data per second
TeleMessage hack leaked broader swathe of US officials' messages than reported, Nineteen-year-old pleads guilty to PowerSchool hack, M&S to take $403m profit hit, Ohio health giant hit by Interlock ransomware, NSO Group gets cold shoulder in DC, Patel shutters FISA watchdog office, much more


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
KrebsOnSecurity was hit by a near-record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second and that appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand.
The attack was ten times the size of the assault launched against the site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai, which was providing pro-bono DDoS protection for KrebsOnSecurity at the time, asked site owner Brian Krebs to leave their service because the attack was causing problems for their paying customers.
Since then, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated in April.
Menscher said the botnet that launched both attacks bears the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at approximately 585 million data packets per second.
The Aisuru botnet comprises a globally distributed collection of hacked IoT devices, including routers, digital video recorders, and other systems, that are commandeered via default passwords or software vulnerabilities.
The people behind the Aisuru botnet have been peddling access to their DDoS machine in public Telegram chat channels that multiple security firms closely monitor. In August 2024, the botnet was rented out in subscription tiers ranging from $150 per day to $600 per week, offering attacks of up to two terabits per second.
Interested parties were told to contact the Telegram handle “@yfork” to purchase a subscription. The account @yfork previously used the nickname “Forky,” an identity that has been posting to public DDoS-focused Telegram channels since 2021.
According to the FBI, Forky’s DDoS-for-hire domains have been seized in multiple law enforcement operations over the years. (Brian Krebs / Krebs on Security)
Related: The Independent, Cyber Daily

A hacker who breached the TeleMessage communications service used by former Trump national security adviser Mike Waltz earlier this month intercepted messages from a broader swathe of American officials than reported, with more than 60 unique government users of the platform appearing in leaked data provided by the nonprofit Distributed Denial of Secrets.
The trove included material from disaster responders, customs officials, several US diplomatic staffers, at least one White House staffer, and members of the Secret Service.
Some chats did seem to concern senior government officials' travel plans. One Signal group, "POTUS | ROME-VATICAN | PRESS GC," appeared to pertain to the logistics of an event at the Vatican. Another seemed to discuss the US officials' trip to Jordan.
TeleMessage, which takes versions of popular apps and allows their messages to be archived in line with government rules, has been suspended since May 5, when it went offline "out of an abundance of caution."
Jake Williams, a former National Security Agency cyber specialist, said that, even if the intercepted text messages were innocuous, the wealth of metadata - the who and when of the leaked conversations and chat groups - posed a counterintelligence risk. (A.J. Vicens and Raphael Satter / Reuters)
The US Justice Department announced that Matthew Lane, 19, of Worcester County, Massachusetts, agreed to plead guilty to hacking PowerSchool, one of the top education tech companies, last year, in what is believed to be the largest breach of American children’s sensitive data to date, with tens of millions of schoolchildren’s personal information stolen for profit.
His plea agreement concerns the PowerSchool hack, referred to in court documents as "Victim 2," and another company. The complaint cites an unnamed co-conspirator of Lane’s and other unnamed cybercriminals who worked together to hack and extort another company.
In his agreement, Lane admitted obtaining information from a protected computer and aggravated identity theft and agreed not to challenge a prison sentence shorter than nine years and four months. The complaint says he got access simply by trying an employee’s stolen username and password combination. (Kevin Collier / NBC News)
Related: Reuters, US Department of Justice, BleepingComputer, CyberInsider, CyberScoop, CBC, NBC Boston, Cybernews, Slashdot
In presenting its annual financial results, UK retail giant Marks and Spencer expects a £300mn (around $403 million) hit to operating profits this year from a cyber attack that it blamed on “human error”, as the FTSE 100 retailer warned that disruption to its online operations would last until July.
The company said it expected to mitigate the profit impact from the attack, which has severely disrupted its operations and led to the theft of customer data, through “management of costs, insurance and other trading actions”.
The cyber attack has forced the retailer to shut down its online clothing business for more than three weeks, left it unable to stock its food stores adequately, and wiped almost £750mn off its market capitalisation. M&S disclosed for the first time last week that some personal customer data had been stolen.
M&S said its decision to pause online shopping had hit online sales and trading profit for clothing and home goods in the first quarter of its new financial year. It expects disruption to continue throughout June and into July. The retailer added that food sales had also been affected by reduced availability, although the situation was improving.
The hack has incurred additional waste and logistics costs, and has wiped almost £750mn (over $1 billion) off M&S’s market capitalisation. (Laura Onita / Financial Times)
Related: London Stock Exchange, The Register, Reuters, Bloomberg, The Irish News, The Times, Telegraph, Sky News, The Grocer, Mirror, Metro.co.uk, The Irish Times, The Sun, The Standard, City A.M., BBC News, The Register, The Guardian, Reuters, Infosecurity Magazine
A ransomware attack claimed by the cybercrime gang Interlock has triggered a “system-wide technology outage” at a network of over a dozen medical centers in Ohio owned by Kettering Health, causing the cancellation of elective inpatient and outpatient procedures.
Kettering Health said in a statement that a “cyberattack” that hit Tuesday morning had created a “number of challenges” at the network’s 14 medical centers and had disrupted its call center. Emergency rooms and clinics are open and seeing patients, the statement said.
“Inpatient and outpatient procedures have been canceled for today,” Kettering Health said. “Scheduled procedures at Kettering Health medical centers will be rescheduled.” The health network said it had backup procedures in place “for these situations” to keep providing safe and quality patient care.
Behind the scenes, Kettering Health executives and information technology personnel are scrambling to contain the fallout from the hack. According to a ransom note recovered at the scene, ransomware was deployed on Kettering’s computer network.
“Your network was compromised, and we have secured your most vital files,” the ransom note says. The note threatens to leak data allegedly stolen from Kettering Health online unless the health network begins negotiating an extortion fee. (Sean Lyngaas / CNN)
Related: WDTN, Techi, Dayton Daily News, The Cyber Express, WLWT, The Enquirer, The Record, WKEF, WCPO, WHIO, Fierce Healthcare
In a major rejection of Israeli spyware maker NSO Group's entreaties, the Trump administration said it will not seek to remove the firm from a Commerce Department trade blacklist that has significantly dented the company’s financial fortunes.
According to sources, the White House is also not planning to rescind a Biden-era executive order that effectively bars the company from selling its controversial Pegasus spyware to the US government.
NSO is on a rehabilitation tour in Washington this week, hoping to be removed from the Commerce Department’s Entity List, which bars it from receiving US technology. The list is a scarlet letter in the business world because of the reputational harm it confers. Since the 2021 listing, NSO Group has faced significant financial hardship.
Company representatives visiting from Israel had hoped to meet with the White House on Monday. But when National Security Council aides found out Sunday evening that the group’s underlying goal was to be taken off the trade blacklist, they balked and canceled the meeting, according to sources. (Ellen Nakashima, Elizabeth Dwoskin, and Aaron Schaffer / Washington Post)

Kash Patel, the FBI director, has closed the Office of Internal Auditing, an internal watchdog office established in 2020 to uncover and reduce the risk of misuses of national security surveillance under Section 702 of the Foreign Intelligence Surveillance Act, or FISA.
The move is significant because it could give skeptics of the program new ammunition to argue that Congress should sharply curtail the law or even let it expire, given that a guardrail has been discarded. It also poses a crucial test for Mr. Patel, who rose in pro-Trump circles by attacking the F.B.I. over its abuses of the surveillance law but said during his confirmation hearing that he saw the program as a vital tool for gathering foreign intelligence and protecting national security. (Charlie Savage and Adam Goldman / New York Times)
Related: The Guardian, Gizmodo, The Independent
Cellular phone service provider Cellcom said a cyber incident has knocked out its cellular phone and text services since last Wednesday.
CEO Brighid Riordan says it will take the rest of the week to restore the remaining services.
Riordan says it had protocols and plans in place in case of a cyber incident. The plan involved notifying the FBI and Wisconsin authorities and consulting cybersecurity experts outside the company. She indicated some partners were brought in from other countries and that teams are “working around the clock to bring systems safely back online.”
Riordan says the part of its network targeted by the attack is separate from customer information, and there’s no evidence that personal or financial information was affected.
Riordan acknowledged she underestimated how long it would take to restore services.
“While I’ve been closely involved from the very beginning, this is the first time I’m writing to you directly. That wasn’t because I didn’t want to — it was because I truly believed we’d be past this quickly. I stayed focused on the fix, confident that we’d be able to restore service fast," she said. (WBAY news staff and Samantha Cavalli / WBAY)
Related: NBC26, WAOW, Bleeping Computer, Wausau Pilot & Review, WSAW, Green Bay Press-Gazette, WHBY, WBAY, Door County Pulse, WTAQ
TechCrunch founder and venture capitalist Michael Arrington claimed that Coinbase’s recent data breach “will lead to people dying,” amid a wave of kidnapping attempts targeting high-net-worth crypto holders.
Arrington added that this should be a point of reflection for regulators to rethink the importance of know-your-customer (KYC). This process requires users to confirm their identity to a platform. He also called for prison time for executives who fail to “adequately protect” customer information. (Ryan S. Gladwin / Decrypt)
Related: TheStreet, Coinpedia Fintech News, Slashdot, NewsBytes
Korea's SK Telecom says that the cybersecurity incident it disclosed in April actually began in 2022, and that it ultimately exposed the USIM (universal subscriber identity module) data of 27 million subscribers.
The telco said it would soon notify 26.95 million customers that they were impacted by the malware infection that exposed their sensitive data.
The firm says it identified 25 distinct malware types on 23 compromised servers, so the breach is far more extensive than initially anticipated.
Simultaneously, a joint public-private investigation team examining SK Telecom's 30,000 Linux servers released a report stating that the initial web shell infection occurred on June 15, 2022.
This means that malware went undetected in the company's systems for nearly three years, during which the attackers introduced several payloads across 23 servers. (Bill Toulas / Bleeping Computer)
Related: SK Telecom, Public Private Joint Investigation Team, Total Telecom, VoIP Review, Security Affairs
Sources say a lack of coordination and miscommunication between federal agencies and the telecommunications industry exposed critical networks to the Chinese Salt Typhoon hacking group.
Some of the largest telecom companies in the world first heard of Salt Typhoon in a Wall Street Journal article. A source said, “The engagement was not treated with the kind of respect it deserved.”
Sources say that the problems with the government’s response began long before anyone knew an incident had occurred.
However, the breached telecommunications companies share some blame for why things went wrong, especially because the attackers got into systems they ultimately own by exploiting basic vulnerabilities and taking advantage of slipshod security. (Tim Starks / Cyberscoop)

Researchers at Infoblox report that a threat actor tracked as 'Hazy Hawk' is hijacking forgotten DNS CNAME records pointing to abandoned cloud services, taking over trusted subdomains of governments, universities, and Fortune 500 companies to distribute scams, fake apps, and malicious ads.
Infoblox's report says the sites are used for tech support scams, bogus antivirus alerts, fake streaming/porn sites, and phishing pages.
Users tricked into allowing browser push notifications get persistent alerts even after they leave the scam sites, which can generate significant revenue for Hazy Hawk. (Bill Toulas / Bleeping Computer)
Related: Infoblox, CSO Online, HackRead, Cyber Security News
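The Hazy Hawk pattern above is the defender-side case for auditing your own zone for dangling CNAMEs. The script below is an added example, not code from Infoblox or the original post: the zone records, the cloud-suffix list and the resolver answers are constructed so it runs offline, and in real use fake_resolve() would be replaced with a live lookup over an exported zone.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Suffixes of cloud hostnames that return to a public pool when the resource
# behind them is deleted (constructed, illustrative list, not exhaustive).
CLOUD_SUFFIXES = (
    ".cloudfront.net",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
)

@dataclass(frozen=True)
class Finding:
    name: str          # owner name in our zone
    target: str        # CNAME target
    rcode: str         # resolver response code for the target
    cloud_hosted: bool
    severity: str      # "high", "medium" or "info"

def classify(name: str, target: str, rcode: str) -> Finding:
    """Rate one CNAME record. NXDOMAIN on a cloud target is the takeover
    case: the provider released the hostname and anyone can re-claim it."""
    cloud = target.lower().rstrip(".").endswith(CLOUD_SUFFIXES)
    if rcode == "NXDOMAIN":
        severity = "high" if cloud else "medium"
    elif rcode == "NOERROR":
        severity = "info"
    else:  # SERVFAIL, timeouts and the like: needs a manual second look
        severity = "medium"
    return Finding(name, target, rcode, cloud, severity)

def audit(records: Iterable[tuple], resolve: Callable[[str], str]) -> List[Finding]:
    """Resolve every CNAME target in the zone; return findings, worst first."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = [classify(n, t, resolve(t)) for n, t in records]
    return sorted(findings, key=lambda f: (order[f.severity], f.name))

# Constructed sample zone for a hypothetical example.org (not a real zone).
SAMPLE_ZONE = [
    ("www.example.org", "d111111abcdef8.cloudfront.net"),
    ("events.example.org", "oldcampaign.azurewebsites.net"),
    ("sso.example.org", "login.idp-vendor.example"),
    ("legacy.example.org", "legacy-app.trafficmanager.net"),
]

# Constructed resolver answers standing in for live DNS lookups.
FAKE_ANSWERS = {
    "d111111abcdef8.cloudfront.net": "NOERROR",
    "oldcampaign.azurewebsites.net": "NXDOMAIN",  # resource deleted, name free
    "login.idp-vendor.example": "NXDOMAIN",       # vendor gone, not a cloud pool
    "legacy-app.trafficmanager.net": "SERVFAIL",
}

def fake_resolve(target: str) -> str:
    """Offline stand-in for a resolver; swap in dnspython for real audits."""
    return FAKE_ANSWERS.get(target, "NXDOMAIN")

if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE, fake_resolve):
        print(f"{f.severity:6} {f.name:20} -> {f.target} ({f.rcode})")
```

A target that still answers NOERROR is not proof of safety, since some providers keep answering DNS for unclaimed resource names; pair the DNS check with an HTTP probe for the provider's "resource not found" page before closing a finding.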

According to Thales' 2025 Data Threat Report, around three-quarters (73%) of organizations are investing in AI-specific security tools, amid growing concern about GenAI cyber risks.
Over two-thirds have acquired such tools from their cloud providers, three in five are leveraging established security vendors, and around half are turning to new or emerging startups.
Additionally, security specifically for AI has risen to the second-highest security spending priority, behind cloud security.
Nearly 70% of IT and security professionals surveyed cited the rapidly changing GenAI ecosystem as the most concerning security risk for adopting this technology.
This changing ecosystem includes new infrastructures, SaaS services, and autonomous agents.
Other prominent security concerns related to GenAI cited by respondents are a lack of integrity (64%) and trustworthiness (57%). (James Coker / Infosecurity Magazine)
Related: Thales, Business Wire, AI News, eeNews, Cyber Daily

According to Comparitech, the Russia-based ransomware group Qilin claims to have stolen 477 GB of data from the City of Abilene and has set a ransom payment deadline of May 27.
On April 18, the City was impacted by a cyberattack that caused multiple departments, including the City's public transport system, CityLink, to be taken offline.
The City of Abilene said, "We are able to acknowledge the Comparitech article dated May 19, 2025, in regards to the cyber incident and demands made by the ransomware group, Qilin. The City of Abilene has been working with cyber security professionals since the incident began on April 18th and, given their expert direction along with adherence to the City's organizational values and standards, determined the payment of any kind of ransom to criminal entities of this sort would not take place. At this time the City is still limited in its ability to comment on the incident as the investigation continues and discovery efforts follow." (Jackson Burlison & Felicity Neptune / KTXS)
Related: Comparitech, Abilene Reporter News, KTAB
The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum.
VanHelsing is a RaaS operation launched in March 2025. It promotes the ability to target Windows, Linux, BSD, ARM, and ESXi systems.
A person using the alias 'th30c0der' attempted to sell the source code for the VanHelsing affiliate panel, data leak Tor sites, and the builders for the Windows and Linux encryptors, for $10,000.
"vanhelsing ransomware source code for sell: include TOR keys + web panel for admin + chat + file server + blog include database everything," th30c0der posted to the RAMP forum.
As first reported by Emanuele De Lucia, the VanHelsing operators decided to beat the seller to the punch, releasing the source code themselves and stating that th30c0der is one of their old developers trying to scam people.
"Today we are announcing that we are publishing the old sources codes and will soon come back with the new and improved version of the locker (VanHelsing 2.0)," the VanHelsing operator posted to RAMP. (Lawrence Abrams / Bleeping Computer)
Related: Techzine

Microsoft’s head of security for AI, Neta Haiby, accidentally revealed confidential messages about Walmart’s use of Microsoft’s AI tools during a Build talk that protesters disrupted.
The Build Livestream was muted, and the camera pointed down, but the session resumed moments later after the protesters were escorted out. In the aftermath, Haiby accidentally switched to Microsoft Teams while sharing her screen, revealing confidential internal messages about Walmart’s upcoming use of Microsoft’s Entra and AI gateway services.
Haiby was co-hosting a Build session on best security practices for AI, alongside Sarah Bird, Microsoft’s head of responsible AI, when two former Microsoft employees disrupted the talk to protest against the company’s cloud contracts with the Israeli government. (Tom Warren / The Verge)
Related: PC Gamer
During a hearing before the Senate Committee on Homeland Security and Governmental Affairs, Homeland Security Secretary Kristi Noem again declined to provide specifics on what activities would be removed from the Cybersecurity and Infrastructure Security Agency due to the Trump administration’s proposed $491 million budget cut.
Noem stuck to answers she has given in previous hearings and speeches, focusing on the Trump administration's efforts to remove CISA offices that focus on Russian and Chinese disinformation and misinformation campaigns.
“Getting rid of censorship, getting rid of the Ministry of Truth at CISA, the employees that were duplicative, that were fulfilling roles that wasn't related to cybersecurity was something that we addressed, I would say, under the President's budget,” Noem told committee ranking member Gary Peters (D-MI).
Noem’s response mirrors the brief note on CISA in the White House budget request for fiscal 2026, which similarly references removing “duplicative” offices and programs that the Trump administration believes already exist in other state and federal offices.
The rest of the budget note focuses on the Trump administration effort to remove CISA’s role in stopping foreign disinformation campaigns, arguing that these “programs and offices were used as a hub in the Censorship Industrial Complex to violate the First Amendment, target Americans for protected speech, and target the President.” (Jonathan Greig / The Record)
Related: GovInfoSecurity
Best Thing of the Day: Future-Proofing Windows
Microsoft is updating Windows 11 with new NIST encryption algorithms that can withstand future attacks from quantum computers.
Bonus Best Thing of the Day: Always Better to Be .Gov
Less than two months after suffering a ransomware attack on its servers, the Cobb County government in Georgia said it will be transitioning from cobbcounty.org to cobbcounty.gov, reducing the risk of fraud and phishing attacks.
Worst Thing of the Day: Time to Switch to DuckDuckGo
Google is introducing a new AI mode that more firmly embeds chatbot capabilities into its search engine,
Closing Thought
