In this week’s roundup, Las Vegas police arrested a minor tied to the 2023 casino attacks, LockBit 5.0 ransomware emerged with expanded support for Windows, Linux, and ESXi, China-linked actors were caught using stealthy malware to compromise software suppliers, a Linux Kernel ksmbd flaw was found to allow remote code execution, and researchers uncovered the new YiBackdoor malware capable of command execution and data theft. Read on!
Co-op says Cyber-Attack Cost it £206m in Lost Sales
A cyberattack on the Co-op in April infiltrated its IT networks, disrupted payments and stock levels across hundreds of stores, forced shutdowns and order delays, and is estimated to have cost the company over £206 million in lost sales and collateral damage to reputation.
"LockBit 5.0’s arrival underscores how ransomware groups are evolving beyond Windows and targeting Linux and ESXi environments with equal precision. The latest variant adds stealth tactics like event log wiping and in-memory execution, making detection harder and downtime more likely. For organizations running mixed infrastructures, this is another reminder that endpoint protection alone is not enough—your hypervisors and workloads need proactive runtime defenses built specifically to catch these kinds of advanced threats before they spread."
On LockBit 5.0 Ransomware Surfaces With Support for Windows, Linux, and ESXi
"Unfortunately, despite cybersecurity professionals existing in greater numbers now than ever before, software vulnerabilities show no sign of slowing down. Even open-source, well-reviewed code such as that produced by the developers of Linux is subject to the occasional severe vulnerability. As more humans (and AI) develop software, new flaws are introduced to IT environments. It has never been more important to protect against unknown flaws introduced by crucial software. Behavioral runtime security is one of the best ways to do that."
On Linux Kernel ksmbd Vulnerability Permits Remote Attackers to Execute Arbitrary Code
LockBit 5.0 Ransomware Surfaces With Support for Windows, Linux, and ESXi
LockBit 5.0 has emerged with full support for Windows, Linux, and ESXi platforms. It introduces enhanced encryption, sophisticated evasion tactics, and cross-platform capabilities that allow attackers to compromise both virtual infrastructures and traditional systems, and it shows how ransomware operators are evolving toward more flexible, resilient, and enterprise-focused attack models.
Scattered Spider and the Finance Sector: Ransomware Tactics Banks Can’t Afford to Ignore
Scattered Spider has revived its campaigns against the financial sector, targeting U.S. banks and fintechs through social engineering, identity hijacking, and VMware ESXi exploitation. The campaigns expose how gaps at the hypervisor layer enable persistent access and systemic risk, and they highlight the urgent need for runtime defenses that can detect and contain attacks.
Linux Kernel ksmbd Vulnerability Permits Remote Attackers to Execute Arbitrary Code
A newly disclosed Linux kernel vulnerability in the ksmbd subsystem, tracked as CVE-2025-38561, allows authenticated remote attackers to execute arbitrary code with full kernel privileges by exploiting a race condition in the handling of SMB2 session setup. Exploitation can result in complete system compromise on affected Linux distributions.
New “YiBackdoor” Malware Lets Hackers Run Commands and Steal Data
The YiBackdoor malware, discovered in June by Zscaler ThreatLabz, enables attackers to maintain persistent access to compromised systems. It executes remote commands, uses advanced evasion techniques, and deploys stealthy backdoor functionality that helps it bypass many standard security defenses, giving adversaries the ability to control and exploit targeted environments.