#AxisOfEasy 401: New Cyber Threat Is Draining Millions From Banks And Companies In Three Countries


Weekly Axis Of Easy #401


Last Week’s Quote: “He who has a why to live can bear almost any how,” was by Friedrich Nietzsche. No one got it.

This Week’s Quote: “You don’t get from life what you want. You get from life what you are.” By ???

THE RULES:  No searching up the answer, must be posted at the bottom of the blog post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of May 19th, 2025. Our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To listen to or watch this podcast edition, with commentary and insight from Joey and Len the Legend, click here.


In this issue: 

  • New Cyber Threat Is Draining Millions from Banks and Companies in Three Countries
  • Flaw in Windows Server 2025 Lets Attackers Seize Active Directory Accounts
  • Leaked Addresses, Real-World Danger: Coinbase Hack Could Turn Deadly, Warns TechCrunch Founder
  • Stalker Apps Cocospy and Clones Vanish After Massive Hack Exposes Millions
  • Secret Files Reveal Group Funded by US Tax Dollars Helped Crush Right-Wing News

Elsewhere Online:

  • Malicious Ads Mimicking Kling AI Lead to Infostealer Downloads
  • Record-Breaking DDoS Attack Hits KrebsOnSecurity Originating from New IoT Botnet
  • Attack Technique Targeting Google Cloud Functions Shows Cross-Cloud Applicability
  • 4chan Back Online but Facing Lingering Issues After Major Hack
  • Critical AutomationDirect Gateway Flaw Exposes Industrial Systems to Remote Hacking


New Cyber Threat Is Draining Millions from Banks and Companies in Three Countries

A powerful ransomware named Nitrogen is targeting financial firms in the US, UK, and Canada. First spotted in September 2024, it encrypts files and demands huge ransom payments. Companies in tech, construction, and manufacturing have also been hit.

Cybersecurity experts warn Nitrogen is getting smarter and harder to detect. It spreads through fake ads on Google and Bing that lead to downloads disguised as legitimate apps such as AnyDesk and WinSCP.

Once inside, it disables antivirus tools and embeds itself deep in the system, where it even survives reboots. “It moves fast and hits hard,” said Owais Sultan, a cybersecurity writer. Victims include SRP Federal Credit Union, Red Barrels, and Kilgore Industries.

The ransomware uses a fake system file and a built-in Windows tool to block recovery options. It also creates a unique marker so it does not run twice on the same machine, and that marker gives analysts a way to recognize it.

Security teams are now urged to block harmful files, watch for suspicious behavior, and update all systems quickly. Experts say early detection is key to staying safe.

Read: https://hackread.com/nitrogen-ransomware-targets-financial-firms-us-uk-canada/


Flaw in Windows Server 2025 Lets Attackers Seize Active Directory Accounts

Akamai’s Yuval Gordon discovered a default-configuration flaw in Windows Server 2025’s delegated Managed Service Accounts (dMSAs) that allows trivial Active Directory privilege escalation through permissions inherited during service account migration. The exploit, “BadSuccessor,” abuses the msDS-ManagedAccountPrecededByLink attribute to impersonate any AD user, even in domains that do not use dMSAs. The Key Distribution Center (KDC) enables this by granting the new account the full permissions of the account it claims to succeed. Microsoft labeled it “moderate severity” and declined to patch it immediately. Attackers need only seemingly benign permissions on an organizational unit (OU). Akamai released a PowerShell script to audit non-default principals holding such rights. Defenders should restrict dMSA creation, monitor changes, and audit authentication, configuration, and permissions to reduce the risk of domain-wide compromise.
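As an added example (not Akamai’s script and not part of this briefing), the following PowerShell audit lists non-default principals that hold the OU rights BadSuccessor relies on (creating child objects, or broad rights such as GenericAll/WriteDacl/WriteOwner), and lists existing dMSAs whose msDS-ManagedAccountPrecededByLink attribute is already set. It assumes the RSAT ActiveDirectory module on a domain-joined host; the default-principal list is an assumption to tune for your domain.

```powershell
# Added audit example; assumes the RSAT ActiveDirectory module (AD: drive) is available.
Import-Module ActiveDirectory

# Resolve the schema GUID of the dMSA object class so class-scoped CreateChild ACEs
# are caught as well as unscoped (all-classes) CreateChild ACEs.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
$dmsaGuid   = [guid]::new([byte[]]$dmsaClass.schemaIDGUID)
$allClasses = [guid]::Empty

# Assumed list of principals expected to hold broad OU rights; anything else is reported.
$defaultPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'Domain Admins', 'Enterprise Admins', 'Account Operators')

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$broadRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($defaultPrincipals | Where-Object { $id -like "*$_" }) { continue }
        $rights = $ace.ActiveDirectoryRights
        # CreateChild matters only if it is unscoped or scoped to the dMSA class.
        $canCreateDmsa = (($rights -band $createChild) -ne 0) -and
            ($ace.ObjectType -eq $allClasses -or $ace.ObjectType -eq $dmsaGuid)
        $hasBroad = ($rights -band $broadRights) -ne 0
        if ($canCreateDmsa -or $hasBroad) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $id
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}
"Non-default principals with dMSA-creation or broad rights on OUs:"
$findings | Sort-Object OU, Principal | Format-Table -AutoSize

# Existing dMSAs that already claim a predecessor: each one should match a real,
# planned service-account migration.
"dMSAs with msDS-ManagedAccountPrecededByLink set:"
Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties msDS-ManagedAccountPrecededByLink |
    Where-Object { $_.'msDS-ManagedAccountPrecededByLink' } |
    Select-Object DistinguishedName, msDS-ManagedAccountPrecededByLink | Format-Table -AutoSize
```

Run it from an account that can read OU ACLs; review every reported principal and every linked dMSA against your change records.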

Read: https://www.darkreading.com/vulnerabilities-threats/unpatched-windows-server-flaw-threatens-active-directory-users


Leaked Addresses, Real-World Danger: Coinbase Hack Could Turn Deadly, Warns TechCrunch Founder

Coinbase, the third-largest crypto exchange, confirmed a major data breach on May 15, 2025. The leak exposed home addresses of users, prompting fears for physical safety. Fewer than 1% of monthly transacting users were affected, but the consequences could be severe.

Michael Arrington, founder of TechCrunch, issued a stark warning: “This hack… will lead to people dying. It probably has already.”

Hackers bribed overseas contractors to access internal systems. Though no crypto was stolen directly, attackers obtained user data—enough to fuel scams, extortion, or even physical violence.

With Bitcoin trading above $100,000, wealthy holders are clear targets. Recent violent incidents include kidnappings and torture in Europe aimed at forcing crypto transfers.

Ronghui Gu, co-founder of CertiK, urged platforms to adopt “layered defense” systems, saying social engineering now poses a bigger risk than technical flaws.

The breach reveals a troubling gap in crypto security—where human error, not code, opens the door to real-world harm.

Read: https://www.zerohedge.com/crypto/coinbase-data-leak-could-put-users-physical-danger-techcrunch-founder

Stalker Apps Cocospy and Clones Vanish After Massive Hack Exposes Millions

On May 19, 2025, three stalkerware apps—Cocospy, Spyic, and Spyzie—suddenly went offline. These apps, often hidden on phones, were used to secretly spy on people’s messages, photos, and locations without their consent.

A February report revealed a huge flaw that let anyone access private data from any device running these apps. Security researcher Troy Hunt said the breach exposed 3.2 million email addresses of users who planted the spyware.

Soon after, the apps stopped working. Their websites vanished. Their Amazon cloud storage was wiped. The operators didn’t respond to questions, but this shutdown follows a familiar pattern—spyware makers often disappear after a breach to avoid legal trouble.

Zack Whittaker from TechCrunch reported this is the latest in a long line of exposed spyware operations. “At least 25 stalkerware apps have been breached since 2017,” he wrote.

Even though the apps are now down, users are urged to check their phones and delete any spyware hiding under the name “System Service.”

Read: https://techcrunch.com/2025/05/19/cocospy-stalkerware-apps-go-offline-after-data-breach/


Secret Files Reveal Group Funded by US Tax Dollars Helped Crush Right-Wing News

On May 21, 2025, new documents showed that the UK-based Global Disinformation Index (GDI) used US government-linked funding to target American media. The group quietly pressured advertisers to cut off right-leaning news sites. This happened while funders like the National Endowment for Democracy (NED) denied any domestic involvement.

Reports obtained by Protect the Public’s Trust show GDI bragged about pulling ad money from about 1,200 outlets. That move cost them an estimated $100 million in just 15 months.

One report highlighted their focus on “measuring the demonetization achieved.” GDI’s blacklist, the Dynamic Exclusion List, flagged conservative sites like The Federalist, Newsmax, and The Blaze. At the same time, it ranked NPR and The New York Times as “minimum-risk.”

GDI co-founder Dr. Danny Rogers even pointed to falling engagement with Donald Trump as a win. The group praised its role in pushing major platforms to silence certain views, calling it proof of “broader success.”

Read: https://reclaimthenet.org/global-disinformation-index-us-media-censorship-revealed


Elsewhere online: 

Malicious Ads Mimicking Kling AI Lead to Infostealer Downloads
Read: https://www.darkreading.com/threat-intelligence/fake-kling-ai-malvertisements-lure-victims

Record-Breaking DDoS Attack Hits KrebsOnSecurity Originating from New IoT Botnet
Read: https://hackread.com/krebsonsecurity-6-3-tbps-ddos-attack-aisuru-botnet/

Attack Technique Targeting Google Cloud Functions Shows Cross-Cloud Applicability
Read: https://www.infosecurity-magazine.com/news/flaw-google-cloud-security-concerns/

4chan Back Online but Facing Lingering Issues After Major Hack
Read: https://latesthackingnews.com/2025/04/30/4chan-is-back-online-after-cyberattack-but-with-issues/

Critical AutomationDirect Gateway Flaw Exposes Industrial Systems to Remote Hacking
Read: https://www.securityweek.com/critical-flaw-allows-remote-hacking-of-automationdirect-industrial-gateway/
