UK, Danish food companies disrupted by cyberattacks
DDoSecrets published a data trove from TeleMessage hack, NOLA cops engaged in massive facial recognition, Stalkerware apps go offline, Chinese tech company hit by cyberattack, UK Post Office pays postmasters for leaked data, NHS cyberattacks risked clinical harm, much more
Check out my latest piece for CSO Online on four ways to safeguard CISO communications from legal liability.
Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
Logistics firm Peter Green Chilled, a distributor to the UK's major supermarkets including Tesco, Sainsbury's, and Aldi, said it has been subject to a ransomware attack, while Danish food giant Arla Foods said it was targeted by a cyberattack that disrupted its production operations.
The company told BBC's Wake Up to Money that its clients were "receiving regular updates," including "workarounds" on how to continue deliveries, while one of its customers said thousands of its products could go to waste.
The company told customers no orders would be processed on Thursday, although any order prepared on Wednesday would be sent.
Separately, Arla Foods clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations.
There have been no announcements about Arla on ransomware extortion portals, so the type of attack and the perpetrators remain unknown. (Tom Espiner / BBC News and Bill Toulas / Bleeping Computer)
Related: Global Food Industry News, Wake Up to Money, Computing, City AM, Metro, The Sun, The Mirror, SC Media
Distributed Denial of Secrets published 410 GB of data hacked from TeleMessage, the Israeli firm that makes modified versions of Signal, WhatsApp, Telegram, and WeChat that centrally archive messages.
Because the data is sensitive and full of PII, DDoSecrets is only sharing it with journalists and researchers.
TeleMessage became infamous after former Trump national security adviser Michael Waltz was photographed using TM SGNL, a modified version of Signal made by TeleMessage. (Micah Lee)
Related: DDoSecrets, DDoS Secrets on Telegram, Cybernews, Cyber Daily, Security Affairs, Hack Read
For two years, New Orleans police secretly relied on facial recognition technology as part of Project NOLA, a crime prevention nonprofit company that buys and manages many of the cameras, to scan city streets in search of suspects, a surveillance method without a known precedent in any major American city that may violate municipal guardrails around use of the technology.
New Orleans police used a private network of more than 200 facial recognition cameras to watch over the streets, constantly monitoring for wanted suspects and automatically pinging officers’ mobile phones through an app to convey the names and current locations of possible matches.
This move contradicts a 2022 city council ordinance, which limited police to using facial recognition only for searches of specific suspects in their investigations of violent crimes and never as a more generalized “surveillance tool” for tracking people in public places.
Anne Kirkpatrick, who heads the New Orleans Police Department, paused the program in early April after a captain identified the alerts as a potential problem during a review. In an April 8 email, Kirkpatrick told Project NOLA that the automated alerts must be turned off until she is “sure that the use of the app meets all the requirements of the law and policies.” (Douglas MacMillan and Aaron Schaffer / Washington Post)
Related: Ars Technica, Engadget, The Register, Biometric Update, Common Dreams, Hacker News (ycombinator), r/NewOrleans
Cocospy, Spyic, and Spyzie, three near-identical but differently branded stalkerware apps that gave whoever planted one of them on a target's phone access to the victim's personal data, have gone offline after being caught spying on millions of people's phones.
Following TechCrunch reporting, the stalkerware apps stopped working, their websites disappeared, and their Amazon-hosted cloud storage was deleted. It's unclear why the apps' operations were shuttered. (Zack Whittaker / TechCrunch)
Related: Databreaches.net, Teiss
Local police said the backend system of the self-service equipment of a science and technology company based in Guangzhou, the capital of South China's Guangdong province, suffered a cyberattack, and malicious code was uploaded.
Police have preliminarily determined that an overseas hacker organization initiated the cyberattack. The intruders infiltrated the backend systems of the self-service equipment and took control of multiple online devices through lateral movement, spreading malware.
The attack caused significant losses to the company, while some users' private information is suspected to have been leaked.
Police said the attack was an organized and premeditated large-scale operation conducted by an overseas hacker organization. They noted that it bore distinct hallmarks of cyber warfare and surpassed the capability of ordinary individual hackers.
Preliminary tracing revealed that the hacker group has long been using open-source tools to scan and probe network assets of critical authorities, sensitive industries, and technology companies, while extensively searching for potential targets, according to police reports. (Xinhua)
Related: Global Times
The British Post Office has agreed on compensation for hundreds of former sub-postmasters after accidentally leaking their names and addresses on its corporate website.
The data breach was revealed in June last year when it emerged the personal details of 555 victims of the Horizon IT scandal had been published.
The company has now confirmed individual payouts of up to £5,000 with the potential for higher sums for those who want to pursue a further claim.
The Post Office has already apologised and said it was working in "full co-operation" with the Information Commissioner's Office.
The sub-postmasters' details were published in a document on its website.
At the time, then-Post Office chief executive Nick Read said the leak was a "truly terrible error".
The law firm Freeths, which acted for the 555 sub-postmasters when they sued the Post Office in a landmark High Court case in 2017, said it had secured the payouts on behalf of all those affected and their legal representatives. (Emma Simpson / BBC News)
Related: The Independent, The Guardian, Daily Mail, Bristol Live, Wales Online
According to official data obtained under freedom of information requests, two cyberattacks affecting Britain’s National Health Service (NHS) last year put patients at risk of clinical harm.
One of the two incidents is likely to be the ransomware attack on pathology services provider Synnovis, which severely disrupted care at many NHS hospitals and care providers in London by delaying and cancelling operations and appointments.
Criminals similarly disrupted care in an attack on Wirral University Teaching Hospital NHS Foundation Trust, causing delays to cancer treatments, as The Register reported.
The government data records no incidents that led to excess fatalities or excess casualties, the two highest categories for NIS incidents. Two incidents, however, passed the threshold of the third category of causing potential clinical harm to more than 50 patients, with clinical harm defined as harm resulting from medical care or the lack of it. (Alexander Martin / The Record)
Hospitals tied to the technology provider Serviceaide and the debt collection giant Nationwide Recovery Services (NRS) announced breaches over the last week involving Social Security numbers, financial information, and sensitive health insurance data.
Serviceaide informed federal regulators at the Department of Health and Human Services that 483,126 people were affected by information theft during a cybersecurity incident in the fall of 2024.
An investigation revealed that hackers had access to a database managed by Serviceaide for Catholic Health, one of the largest nonprofit health providers in the US, from September 19 to November 5.
While investigators did not find evidence that the information was copied while the hackers had access, the company said it is “unable to rule out this type of activity.”
Social Security numbers, dates of birth, medical record numbers, health information, prescription data, clinical information, and more were potentially taken during the incident.
Related: Serviceaide, Security Week, HIPAA Journal, SC Media, HackRead, Cybernews
Researchers at WithSecure say that threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.
WithSecure discovered the campaign after being brought in to investigate a ransomware attack. The researchers found that the attack started with a malicious KeePass installer advertised through Bing ads that led to fake software sites.
As KeePass is open source, the threat actors altered the source code to build a trojanized version, dubbed KeeLoader, that contains all the normal password management functionality. However, it includes modifications that install a Cobalt Strike beacon and export the KeePass password database as cleartext, which is then stolen through the beacon.
WithSecure says that the Cobalt Strike watermarks used in this campaign are linked to an initial access broker (IAB) believed to have been associated with Black Basta ransomware attacks in the past.
A Cobalt Strike watermark is a unique identifier embedded into a beacon tied to the license used to generate the payload. (Lawrence Abrams / Bleeping Computer)
Related: WithSecure, Techzine

O2 UK has fixed a flaw, discovered by security researcher Daniel Williams, in its implementation of VoLTE and WiFi Calling that could allow anyone to learn the general location of a subscriber and other identifiers simply by calling them.
The flaw likely existed on O2 UK's network since February 2023.
In March 2017, the firm launched its IP Multimedia Subsystem (IMS) service, "4G Calling," for better audio quality and line reliability during calls.
However, as Williams discovered while analyzing the traffic during such a call, the signalling messages (SIP Headers) exchanged between the communicating parties are far too verbose and revealing, including IMSI, IMEI, and cell location data.
Williams says that he contacted O2 UK multiple times on March 26 and 27, 2025, to report his findings, but he received no answers.
Finally, he received direct confirmation from O2 UK that the issue had been fixed, which he verified through testing. (Bill Toulas / Bleeping Computer)
Related: Mast Database, The Register
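To audit what a VoLTE/IMS call exposes, an operator or researcher can check captured SIP signalling for subscriber identifiers before it crosses to the remote party. The Python below is an added example, not code from Williams's research or from O2 UK; the SIP message is constructed, and the headers it uses (P-Asserted-Identity, P-Access-Network-Info, the urn:gsma:imei contact parameter) are standard IMS/SIP headers assumed for illustration, not a statement of which headers O2 UK actually exposed.

```python
import re

# Constructed SIP INVITE for illustration only: not a capture from O2 UK or from
# Daniel Williams's research. Every number, host and identifier is a made-up placeholder.
SAMPLE_INVITE = (
    "INVITE sip:+441234567890@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+447700900123@ims.example.net>;tag=1928301774\r\n"
    "To: <sip:+441234567890@ims.example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.1\r\n"
    "P-Asserted-Identity: <sip:234100123456789@ims.example.net>\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;\r\n"
    " utran-cell-id-3gpp=2341001A2B3C4D\r\n"  # folded continuation line
    "Contact: <sip:user@10.0.0.1>;+sip.instance=\"<urn:gsma:imei:35209900-176148-0>\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Patterns for subscriber identifiers that should never reach the called party:
# an IMEI in the RFC 7255 urn:gsma:imei form, a bare 15-digit number that is not
# part of a dialled (+-prefixed) number as an IMSI candidate, and the 3GPP cell
# identity parameter that pins the caller to a cell.
IDENTIFIER_PATTERNS = {
    "imei": re.compile(r"urn:gsma:imei:\d{8}-\d{6}-\d"),
    "imsi": re.compile(r"(?<![+\d])\d{15}(?!\d)"),
    "cell_id": re.compile(r"utran-cell-id-3gpp=([0-9A-Fa-f]+)"),
}


def parse_headers(message):
    """Return (name, value) pairs from the SIP header block, joining folded lines."""
    headers = []
    for line in message.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header block; the body is not inspected
        if line[0] in " \t" and headers:
            name, value = headers[-1]  # RFC 3261 header folding: continue previous value
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def find_leaked_identifiers(message):
    """Map each header name to the identifier kinds it exposes, if any."""
    findings = {}
    for name, value in parse_headers(message):
        kinds = [kind for kind, pat in IDENTIFIER_PATTERNS.items() if pat.search(value)]
        if kinds:
            findings.setdefault(name, []).extend(kinds)
    return findings


if __name__ == "__main__":
    for header, kinds in find_leaked_identifiers(SAMPLE_INVITE).items():
        print(f"{header}: exposes {', '.join(kinds)}")
```

Run against a real capture, any header listed in the output is a candidate for stripping or rewriting at the network edge before the message is forwarded.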

The Pwn2Own Berlin 2025 hacking competition has concluded, with security researchers earning $1,078,750 after exploiting 29 zero-day vulnerabilities and encountering some bug collisions.
After exploiting 20 zero-day vulnerabilities on the first day, competitors collected $260,000 in cash awards and another $435,000 on the second day. On the third day of Pwn2Own, they collected another $383,750 for eight more zero-days.
After these vulnerabilities are demoed during Pwn2Own events, vendors have 90 days to release security updates before Trend Micro's Zero Day Initiative publicly discloses them. (Sergiu Gatlan / Bleeping Computer)
Related: Zero Day Initiative, Security Week, Vietnamnet, Heise Online, CSO Online

According to a source, the US Justice Department, including the department’s criminal division in Washington, has opened a probe into a recent breach at the leading cryptocurrency exchange Coinbase.
Coinbase brought the incident to the attention of authorities, and the company itself is not under DOJ investigation, said Paul Grewal, the company’s chief legal officer.
“We have notified and are working with the DOJ and other US and international law enforcement agencies and welcome law enforcement’s pursuit of criminal charges against these bad actors,” Grewal said. UK and Irish data regulators said they are “assessing” the situation after receiving reports from Coinbase. (Chris Strohm and Jeff Stone / Bloomberg)
Related: Reuters, Benzinga, Cryptopolitan, Decrypt, Watcher Guru, PYMNTS.com, NewsBTC, CryptoSlate, Bitcoin News, The Block, Cointelegraph
Microsoft unveiled a significant expansion of its artificial intelligence security and governance offerings, with new capabilities to secure the emerging “agentic workforce,” a world where AI agents and humans collaborate.
Announced at the annual Build developer conference, Microsoft is expanding Entra, Defender, and Purview, embedding them directly into Azure AI Foundry and Copilot Studio to help organizations secure AI apps and agents across the entire development lifecycle.
The expanded capabilities collectively seek to address a growing issue in AI development: securing systems from prompt injection, data leakage, and identity sprawl while ensuring compliance with various regulations.
The launch of Entra Agent ID is the leading announcement. This new centralized solution is designed to manage the identities of AI agents built in Copilot Studio and Azure AI Foundry. Each agent is automatically assigned a secure, trackable identity in Microsoft Entra, giving security teams visibility and governance over nonhuman actors in the enterprise. (Duncan Riley / Silicon Angle)
Related: Microsoft Tech Community, Microsoft Tech Community, PCMag, Microsoft Security Blog, Channel Futures, Microsoft Tech Community

Researchers at ESET report that the sophisticated Chinese advanced persistent threat (APT) group Mustang Panda has intensified its espionage campaigns across Europe, primarily targeting governmental institutions and maritime transportation companies.
The group has been leveraging Korplug loaders and malicious USB drives as primary attack vectors, demonstrating a persistent and evolving threat to organizations across multiple countries, including Norway, the Netherlands, the UK, Bulgaria, Greece, Denmark, Poland, and Hungary.
The attackers have shown remarkable adaptability, continuously experimenting with various implementations of Korplug malware loaders based on different programming languages and file formats.
This technical versatility allows them to evade detection while maintaining persistence in compromised environments. (Tushar Subhra Dutta / Cyber Security News)
Related: ESET, We Live Security, GBHackers
More than 100 organizations are raising alarms about a provision in the House’s sweeping tax and spending cuts package, Donald Trump's so-called "big beautiful bill," that would hamstring the regulation of artificial intelligence systems.
The bill contains a rule that, if passed, would prohibit states from enforcing “any law or regulation regulating artificial intelligence models, artificial intelligence systems, or automated decision systems” for 10 years.
With AI rapidly advancing and extending into more areas of life, such as personal communications, health care, hiring, and policing, the organizations said that blocking states from enforcing even their own laws related to the technology could harm users and society. They laid out their concerns in a letter sent Monday to members of Congress, including House Speaker Mike Johnson and House Democratic Leader Hakeem Jeffries.
The 141 signatories on the letter include academic institutions such as Cornell University and Georgetown Law’s Center on Privacy and Technology, and advocacy groups such as the Southern Poverty Law Center and the Economic Policy Institute. Employee coalitions such as Amazon Employees for Climate Justice and the Alphabet Workers Union, the labor group representing workers at Google’s parent company, also signed the letter, underscoring how widely held concerns about the future of AI development are. (Clare Duffy / CNN)
Related: Business Insider, Default, StateScoop, ABC News, Hacker News (ycombinator), r/law
Regeneron Pharmaceuticals will buy the beleaguered genetic testing company 23andMe, in a $256 million deal that sparks concerns about sensitive customer data, even as Regeneron has pledged to comply with 23andMe’s existing privacy policy.
The pharmaceutical company said it is buying 23andMe’s Total Health and Research Services business, its Personal Genome Service, its “biobank,” and related assets.
Under the terms of the deal, 23andMe will continue offering genome testing for consumers who remain interested in submitting their genetic information.
In recent weeks, privacy advocates, lawmakers, and the Federal Trade Commission have expressed alarm that a buyer might not adhere to 23andMe’s existing privacy policies. These policies do not allow genetic information to be shared with insurers, employers, public databases, or law enforcement without a court order, search warrant, or subpoena.
The existing privacy policy also allows consumers to delete their genetic data whenever they choose to. (Suzanne Smalley / The Record)
Related: Wall Street Journal, Ars Technica, 404 Media, TechCrunch, Silicon Republic, Regeneron Pharmaceuticals Inc., Agence France-Presse, Infosecurity, New York Times, Tech Funding News, The Cyber Express, Reuters, MarketWatch, The Information, TheStreet, HIT Consultant, MedCity News, Information Age, Tech in Asia, Mashable, Futurism, KTVU-TV, ZDNET, PCMag, Financial Times, Axios

Incident response platform provider BreachRX announced it had raised $15M in a Series A venture funding round.
Ballistic Ventures led the round with participation from SYN Ventures, Overline, and Silver Buckshot Ventures. (Duncan Riley / Silicon Angle)
Related: Security Week, Business Wire, MSSP Alert, FinSMEs
Best Thing of the Day: An Agency That Dodged the DOGE Bullet
The Government Accountability Office, a legislative branch agency, blocked an attempt by Elon Musk’s DOGE to install a team at the congressional watchdog.
Worst Thing of the Day: A Wolf in Sheep's Clothing
Donald Trump signed into law legislation nicknamed the Take It Down Act, which requires platforms to remove nonconsensual instances of “intimate visual depiction” within 48 hours of receiving a request, but in reality, will allow bad actors to weaponize the policy to force tech companies to censor online content unjustly.
Closing Thought
