Breach Roundup: Port of Seattle Notifies 90,000 Victims

Each week, Information Security Media Group compiles reports on cybersecurity incidents and breaches from around the globe. This week: the Port of Seattle notifies 90,000 victims of its ransomware attack, Oracle attributes a hack to obsolete servers, Google and Microsoft ship their April security patches, WK Kellogg discloses a Cleo-related breach, Spanish police arrest six over an AI-driven investment scam, Scattered Spider's "King Bob" pleads guilty, and law enforcement cracks down on SmokeLoader customers.

Port of Seattle Alerts 90,000 Individuals of Rhysida Ransomware Incident

The Port of Seattle has disclosed that nearly 90,000 individuals were affected by the August 2024 ransomware attack it attributes to the Rhysida group. Notification letters went mainly to current and former employees, contractors and customers of the port's parking facilities. The exposed data includes names, dates of birth, Social Security numbers, driver's license numbers and limited medical information. Payment and passenger-processing systems were not compromised, and the port declined to pay the ransom. Roughly 71,000 of the affected individuals live in Washington state.

Oracle Contests Claims of Cloud Breach, Attributes Attack to Outdated Servers

Oracle has pushed back on reports of a security breach, saying the incident involved obsolete on-premises servers and that its cloud environment was not affected. The response follows claims from the hacker group UNC3944, also known as 0ktapus or Scattered Spider, that it had infiltrated Oracle's systems. Oracle said the servers in question had already been retired and disconnected from production environments and that its investigation is ongoing. So far it has found no evidence that customer data in its cloud services was exposed or compromised.

Google Releases April Security Update For Android, Patching Zero-Day Vulnerabilities

Google's April security update for Android addresses 62 vulnerabilities, including two zero-days that the company says are under limited, targeted exploitation. The first, CVE-2024-53197, is a high-severity Linux kernel flaw in the USB-audio driver that Serbian authorities used, as part of a Cellebrite-developed exploit chain, to unlock seized devices; that chain also used two earlier USB-related vulnerabilities. The second, CVE-2024-53150, is an out-of-bounds read in the same driver that allows information disclosure. Google said it provided the patches to OEM partners in January; Pixel devices receive the update first, with other vendors' devices to follow.
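
Both Android zero-days sit in kernel code that parses descriptors supplied by a plugged-in USB device, which is why a forensic tool with physical access can trigger them. The following is an added example written for this roundup, not kernel code and not from the Android bulletin: an illustrative parser for USB Audio Class 2.0 class-specific interface descriptors that shows the bounds checks a driver needs before it trusts a device-supplied length. The descriptor layout follows the UAC2 specification; the sample byte strings are constructed here, and the "would read past the buffer" comments describe what an unchecked parser of this shape would do, not the exact kernel code path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative parser (not kernel code) for USB Audio Class 2.0
 * class-specific interface descriptors. Every length used below comes
 * from the device, which an attacker with physical access controls. */

#define USB_DT_CS_INTERFACE 0x24   /* class-specific interface descriptor */
#define UAC2_CLOCK_SOURCE   0x0a   /* CS_INTERFACE subtype: clock source */

/* UAC2 clock source descriptor: 8 bytes on the wire, all single-byte fields. */
struct uac2_clock_source {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubtype;
    uint8_t bClockID;
    uint8_t bmAttributes;
    uint8_t bmControls;
    uint8_t bAssocTerminal;
    uint8_t iClockSource;
};

enum parse_result {
    CLOCK_FOUND = 0,
    CLOCK_NOT_FOUND = 1,
    CLOCK_BAD_DESCRIPTOR = -1   /* device-supplied lengths are inconsistent */
};

/* Walk the descriptor chain in buf[0..len) looking for a clock source with
 * the given bClockID. Checks performed before any device-supplied value is
 * used as an index:
 *  - at least a 2-byte header (bLength, bDescriptorType) remains;
 *  - bLength is >= 2 (otherwise the loop never advances) and fits in buf;
 *  - a clock-source descriptor is at least sizeof(struct uac2_clock_source)
 *    before fields past the header are read. Skipping this last check is
 *    the out-of-bounds read pattern: a device can declare bLength = 4 and
 *    the parser would then read 4 bytes beyond the descriptor. */
int find_clock_source(const uint8_t *buf, size_t len, uint8_t clock_id,
                      struct uac2_clock_source *out)
{
    size_t off = 0;

    while (off < len) {
        size_t remain = len - off;
        uint8_t blen;

        if (remain < 2)
            return CLOCK_BAD_DESCRIPTOR;   /* truncated header */
        blen = buf[off];
        if (blen < 2 || blen > remain)
            return CLOCK_BAD_DESCRIPTOR;   /* zero/short length or overruns buf */

        if (buf[off + 1] == USB_DT_CS_INTERFACE && blen >= 3 &&
            buf[off + 2] == UAC2_CLOCK_SOURCE) {
            if (blen < sizeof(struct uac2_clock_source))
                return CLOCK_BAD_DESCRIPTOR;   /* the check that prevents the OOB read */
            if (buf[off + 3] == clock_id) {
                memcpy(out, buf + off, sizeof(*out));   /* in bounds: blen >= 8 <= remain */
                return CLOCK_FOUND;
            }
        }
        off += blen;
    }
    return CLOCK_NOT_FOUND;
}

/* Constructed sample: a standard interface descriptor (9 bytes) followed by
 * a well-formed clock source with bClockID 0x10. */
static const uint8_t good_desc[] = {
    0x09, 0x04, 0x01, 0x00, 0x00, 0x01, 0x02, 0x20, 0x00,
    0x08, 0x24, 0x0a, 0x10, 0x03, 0x07, 0x00, 0x00,
};

/* Constructed malicious input: clock source claims bLength 4, so an
 * unchecked parser would read bmAttributes..iClockSource past the buffer. */
static const uint8_t truncated_desc[] = { 0x04, 0x24, 0x0a, 0x10 };

/* Constructed malicious input: bLength larger than the bytes actually sent. */
static const uint8_t overrun_desc[] = { 0x08, 0x24, 0x0a, 0x10, 0x03 };

/* Constructed malicious input: bLength 0 would make a naive walker spin forever. */
static const uint8_t zero_len_desc[] = { 0x00, 0x24, 0x0a };

int main(void)
{
    struct uac2_clock_source cs;
    int r = find_clock_source(good_desc, sizeof(good_desc), 0x10, &cs);
    printf("good: result=%d attrs=0x%02x controls=0x%02x\n", r, cs.bmAttributes, cs.bmControls);
    printf("truncated: result=%d\n", find_clock_source(truncated_desc, sizeof(truncated_desc), 0x10, &cs));
    printf("overrun: result=%d\n", find_clock_source(overrun_desc, sizeof(overrun_desc), 0x10, &cs));
    printf("zero-length: result=%d\n", find_clock_source(zero_len_desc, sizeof(zero_len_desc), 0x10, &cs));
    return 0;
}
```

The three malicious buffers each fail a different check: a declared length shorter than the structure the driver is about to read, a declared length longer than the data the device actually sent, and a zero length that would stall the walk. The point for defenders is that the fix for this bug class is a length validation inside the parser, not anything on the host's network edge, which is why the mitigation is the kernel update itself.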

Microsoft Addresses 134 Vulnerabilities in April Patch Release

In its fourth Patch Tuesday release of the year, Microsoft fixed 134 vulnerabilities across its products, including one zero-day that is being actively exploited. The zero-day, CVE-2025-29824, is an elevation-of-privilege flaw in the Windows Common Log File System driver that lets a local attacker gain SYSTEM privileges. Microsoft said the flaw was used for privilege escalation in intrusions that ended with the deployment of RansomEXX ransomware. Updates for some Windows 10 versions were not available at release and are still pending. Eleven of the fixed vulnerabilities are rated critical, most of them enabling remote code execution; the remainder cover privilege escalation, security feature bypass and other issue types.

WK Kellogg Reports Data Breach Linked to Clop Ransomware

WK Kellogg Co. has confirmed a data breach that exposed sensitive employee information after attackers exploited vulnerabilities in its Cleo file transfer software on December 7, 2024. The attackers gained unauthorized access to HR files that were being transferred through the company's Cleo servers. The intrusion exploited two known Cleo flaws, CVE-2024-50623 and CVE-2024-55956, the vulnerabilities the Clop ransomware group claimed to have used in its mass exploitation of Cleo customers.

Spanish Authorities Arrest Six in $20M AI-Based Investment Scam

Spanish police have arrested six suspects in connection with a cryptocurrency investment scam that defrauded more than 200 victims of about $20.9 million. The arrests followed a two-year investigation triggered by a victim's complaint and led to the seizure of cash, electronic devices, firearms and documents. The scheme used AI-generated deepfake advertisements featuring well-known public figures to lure victims into bogus investments.

Scattered Spider’s “King Bob” Pleads Guilty to Cybercrime Charges

Noah Urban, known online as "King Bob" and a prominent member of the Scattered Spider hacking group, has pleaded guilty to federal charges over a series of cyberattacks on high-profile U.S. companies. Urban admitted to conspiracy to commit wire fraud and identity theft between August 2022 and March 2023. He took part in campaigns against cloud service providers, telecom companies and cryptocurrency firms, using social engineering and SIM swapping to steal credentials and sensitive data. Urban was arrested in Florida in January 2024. The group has been linked to multiple breaches, including the attacks on MGM Resorts and Caesars Entertainment. Sentencing is scheduled for August.

Crackdown on SmokeLoader Users Leads to Multiple Arrests

Law enforcement agencies in several countries have moved against customers of SmokeLoader, a long-running malware operation, making multiple arrests and seizing infrastructure. Active since at least 2011, SmokeLoader is a modular loader commonly used to deploy information stealers and ransomware. Europol said 16 individuals were apprehended in connection with the operation, which infected more than 100,000 computers worldwide. The takedown of the infrastructure supporting SmokeLoader is a significant blow to its distribution network, though the malware's operators remain at large.
