Also, Oracle Denies Cloud Breach, Blames Hack on Obsolete Servers

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Port of Seattle notified victims, Oracle blamed hack on obsolete servers, Google and Microsoft released April patches, WK Kellogg breached, six arrested in Spain for AI-investment scam, Scattered Spider’s “King Bob” pleaded guilty, SmokeLoader users busted.
Port of Seattle Notifies 90,000 Victims of Rhysida Ransomware Attack
The Port of Seattle said nearly 90,000 individuals were affected by an August 2024 ransomware attack attributed to the Rhysida group. The port authority sent notification letters to those impacted, mostly current and former employees, contractors and parking lot customers. Exposed data includes names, birth dates, Social Security numbers, driver’s licenses and limited medical information. Payment and passenger systems were not compromised. The port refused to pay the ransom. Around 71,000 of those affected are Washington residents.
Oracle Denies Cloud Breach, Blames Hack on Obsolete Servers
Oracle said that a recent cyberattack stemmed from outdated, on-premises servers but insists its cloud infrastructure remains unaffected. The corporate response comes after a group tracked as UNC3944, also known as 0ktapus or Scattered Spider, claimed responsibility for breaching Oracle’s systems. Hackers said they obtained access to internal tools and customer data, while Oracle stated the compromised servers were long-retired and disconnected from its production or customer environments. Investigations are ongoing, with no evidence so far of customer impact or data compromise within Oracle Cloud.
Google Patches Android Zero-Days Exploited by Serbian Authorities
Google’s April Android update fixed 62 flaws, including two zero-days exploited in targeted attacks. One, CVE-2024-53197, is a high-severity Linux kernel bug in the USB-audio driver used in a Cellebrite-developed exploit chain by Serbian authorities to unlock confiscated devices. The chain also used two earlier USB-related zero-days, CVE-2024-53104 and CVE-2024-50302, all discovered by Amnesty International in mid-2024. Another flaw, CVE-2024-53150, allows sensitive data access via an out-of-bounds read. Google shared fixes with OEMs in January. Pixel devices get updates immediately; others may lag.
Microsoft Patches 134 Flaws
Microsoft’s fourth patch dump of the year released updates addressing 134 vulnerabilities across its product lineup, including a zero-day flaw actively exploited in the wild. The zero-day, tracked as CVE-2025-29824, is an elevation of privilege vulnerability in the Windows Common Log File System driver that allows local attackers to gain SYSTEM-level access. Microsoft confirmed that the RansomEXX ransomware gang used this flaw to escalate privileges in attacks. While most systems received the patch, updates for Windows 10 for x64 and 32-bit systems, as well as Windows 10 LTSB 2015, are still pending.
Among the 134 bugs, 11 are classified as critical, all enabling remote code execution. Other flaws span privilege escalation, security bypass, information disclosure, denial of service and spoofing. Microsoft emphasized that updates for affected Windows 10 systems will be released soon, with notifications to follow.
WK Kellogg Breached, Tied to Clop Ransomware
Breakfast cereal giant WK Kellogg Co. disclosed a data breach exposing sensitive employee information after attackers exploited vulnerabilities in its instance of Cleo file transfer software. The breach occurred on Dec. 7, 2024, and involved unauthorized access to HR files sent via Cleo servers, the company disclosed.
Hackers exploited two Cleo flaws: CVE-2024-50623, which failed to restrict uploads and downloads despite an October patch, and CVE-2024-55956, allowing remote code execution (see: Hackers Exploiting Cleo Software Zero-Day).
Spanish Police Arrest Six in $20M AI-Driven Investment Scam
Spanish authorities arrested six individuals, aged 34 to 57, in connection with a cryptocurrency investment scam that defrauded 208 victims of approximately $20.9 million. The arrests occurred in the cities of Granada and Alicante following a two-year investigation dubbed “Coinblack – Wendmine,” initiated by a victim’s complaint. During the operation, police seized 100,000 euros in cash, electronic devices, firearms and incriminating documents.
The perpetrators employed artificial intelligence to create deepfake advertisements featuring well-known public figures, luring victims into fraudulent investment schemes. They utilized algorithms to identify targets, initiating contact through romance scams or by posing as financial advisors. After persuading victims to invest, the scammers would later contact them under different pretenses, such as offering assistance in recovering lost funds, further exploiting them.
To launder the illicit proceeds, the group established multiple shell companies, with the ringleader operating under more than 50 aliases.
Scattered Spider’s “King Bob” Pleads Guilty to Cybercrime Charges
Noah Urban, a leading member of the Scattered Spider hacking group known as “King Bob,” pleaded guilty to federal charges tied to a string of cyberattacks on major U.S. firms. Urban admitted to conspiracy to commit wire fraud and identity theft between August 2022 and March 2023.
Separately, Tyler Robert Buchanan, a Scottish national, targeted cloud providers, telecom firms and cryptocurrency companies, stealing credentials and customer data using social engineering and SIM-swapping tactics. He was arrested in Spain in June 2024 and later extradited to the U.S.
Scattered Spider is linked to several major breaches, including attacks on MGM Resorts and Caesars Entertainment. Buchanan is scheduled for sentencing in August.
SmokeLoader Users Busted
Law enforcement agencies across multiple countries detained suspected customers of the long-running SmokeLoader malware operation and seized its infrastructure. SmokeLoader, active since at least 2011, is a modular loader often used to deploy info-stealers and ransomware. Europol confirmed that 16 individuals were apprehended for using the malware to infect over 100,000 computers globally. Authorities also took down servers supporting the malware’s operation. SmokeLoader’s operators remain at large, but the takedown marks a major blow to its distribution network.