Written by
Team Nucleus
Content
Written on
29th May, 2025
Analyst Insight
This week in cyber we have seen multiple data breaches attributed to vulnerabilities in third-party software, as illustrated by the LexisNexis and Adidas incidents. This reinforces how important it is for software vendors to ensure their software is secure before it is deployed into a live customer environment, and to keep it patched and updated regularly. We have also seen nation-state actors using legitimate services to conceal command and control (C2) operations and evade cyber-security defences. Remote monitoring and management tools were also abused by threat actors who exploited a chain of vulnerabilities to breach a managed service provider and steal customer information.
Adidas Discloses Data Breach Linked to Service Provider Hack
Adidas disclosed a data breach after attackers compromised one of its third-party service providers, leading to the unauthorized access of customer data. The company stated it became aware of the incident after being notified by a third-party vendor, which had suffered a cyberattack.
According to Adidas, the breach involved customer data processed by the provider, though the company did not specify the exact types of information exposed. “Adidas recently became aware that an unauthorized party exploited a vulnerability in a third-party system used to process customer service requests,” the company said in its disclosure. Adidas is currently working with the provider to investigate the breach and has begun notifying affected customers.
LexisNexis Risk Solutions Discloses Data Breach Affecting 364,000 People
LexisNexis Risk Solutions (LNRS), a major data broker, informed 364,000 individuals that their personal information was compromised in a data breach that occurred in December 2024. The personal information stolen included: names, dates of birth, phone numbers, email addresses, social security numbers and driver’s licence numbers. “An unauthorized third party acquired certain LNRS data from a third-party platform used for software development. The issue did not affect LNRS’s own networks or systems,” the company said in a notification letter to impacted individuals. The company is providing affected individuals with two years of free identity protection and credit monitoring services.
DragonForce Ransomware Infects MSP After Exploiting Remote Access Tool
A managed service provider was infected with DragonForce ransomware after the ransomware-as-a-service gang exploited vulnerabilities in SimpleHelp, the remote monitoring and management (RMM) tool the MSP used to administer its customers. The threat actors infected multiple endpoints with ransomware before stealing data and using double-extortion tactics to pressure the MSP into paying the ransom.
Sophos disclosed on Tuesday that the threat actors exploited a chain of SimpleHelp vulnerabilities: CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726. “The attacker also used their access through the MSP remote monitoring and management tool to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.”
APT41 Malware Conceals C2 Communication with Google Calendar
Security researchers at Google Threat Intelligence Group (GTIG) discovered the notorious APT41 group leveraging Google Calendar to mask its command and control (C2) communications. By using Google Calendar, the group can blend its malicious traffic in with legitimate traffic to a trusted service, making detection significantly harder. “In late October 2024, GTIG discovered an exploited government website hosting malware being used to target multiple other government entities.” APT41 used this compromised website to host the payload for a spear-phishing campaign: the emails contained a link to a ZIP archive hosted on the compromised government site. Once the payload is delivered and executed, the TOUGHPROGRESS malware is deployed, which uses Google Calendar for command execution. More detailed information can be found on the Google Cloud blog.