
The May 2025 Option One Cybersecurity Briefing

Cybersecurity News

Nation-State Actors Target ConnectWise ScreenConnect in Sophisticated Cyberattack

A cyberattack on ConnectWise, a leading provider of remote access software, has raised alarms across industries. According to a report by The Hacker News, the company disclosed on May 28, 2025 that a nation-state actor had likely breached its environment, affecting a “very small number” of ScreenConnect customers. While details remain limited, the incident underscores the persistent risk that advanced adversaries pose to widely used IT infrastructure.

ConnectWise confirmed partnerships with Google Mandiant for forensic analysis and emphasized enhanced monitoring measures to prevent future breaches.

This attack follows a high-severity vulnerability (CVE-2025-3935) patched in April 2025. ASP.NET uses the site’s machineKey to validate ViewState, so an attacker holding one of the publicly disclosed keys could craft a ViewState payload that ScreenConnect deserializes and executes. ConnectWise has not confirmed a link between the flaw and the breach, but the timing suggests possible exploitation.
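The practical check that follows from the machine-key issue is whether your own ASP.NET applications ship a static `<machineKey>` whose value is on the public-disclosure list. The script below is an added example, not ConnectWise or Microsoft code: it parses a web.config fragment, compares the static keys against a denylist (here a constructed placeholder key; in practice load the list Microsoft published), flags weak validation or decryption algorithms, and mints a replacement key pair sized for HMACSHA256 and AES-256. The sample web.config and the placeholder key are constructed for the example.

```python
"""Audit an ASP.NET web.config <machineKey> and mint a replacement.

Added example, not ConnectWise or Microsoft code.  The denylist below holds a
constructed placeholder, not a real disclosed key; load the published list in practice.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a publicly disclosed validationKey.
PLACEHOLDER_LEAKED_KEY = "A" * 128

# Denylist keyed by SHA-256 so the raw key material need not sit in the script.
KNOWN_DISCLOSED = {hashlib.sha256(PLACEHOLDER_LEAKED_KEY.encode()).hexdigest()}

# Constructed web.config fragment with a static key that is on the denylist.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format(vk=PLACEHOLDER_LEAKED_KEY, dk="B" * 64)


def _on_denylist(key: str) -> bool:
    return hashlib.sha256(key.upper().encode()).hexdigest() in KNOWN_DISCLOSED


def audit_machine_key(web_config_xml: str) -> dict:
    """Return {'status': 'auto'|'ok'|'rotate', 'findings': [...]} for one web.config.

    'auto' means ASP.NET generates the keys itself, so nothing static can leak
    from the file.  'rotate' means anyone holding the published key can forge a
    validly signed ViewState, the precondition for ViewState code injection.
    """
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    findings = []
    if mk is None:
        return {"status": "auto", "findings": findings}
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return {"status": "auto", "findings": findings}
    if _on_denylist(vk):
        findings.append("validationKey is on the public-disclosure denylist")
    if _on_denylist(dk):
        findings.append("decryptionKey is on the public-disclosure denylist")
    if mk.get("validation", "SHA1").upper() in ("MD5", "SHA1"):
        findings.append("validation uses MD5/SHA1; use HMACSHA256 or stronger")
    if mk.get("decryption", "Auto").upper() in ("DES", "3DES"):
        findings.append("decryption uses DES/3DES; use AES")
    return {"status": "rotate" if findings else "ok", "findings": findings}


def generate_machine_key() -> dict:
    """Fresh CSPRNG keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys: dict) -> str:
    """Emit the replacement element to paste into web.config (then recycle the app pool)."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**keys)


if __name__ == "__main__":
    result = audit_machine_key(SAMPLE_WEB_CONFIG)
    print(result["status"], *result["findings"], sep="\n  ")
    if result["status"] == "rotate":
        print(render_machine_key(generate_machine_key()))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket, so schedule it in a maintenance window, and in a web farm apply the same new keys on every node. The check only covers a static key in web.config; a key set at the IIS or machine.config level needs the same treatment.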

For businesses relying on third-party software such as remote management tools, this incident highlights the necessity of rigorous patch management and third-party risk assessments, particularly for software integral to IT operations.

Sophos Exposed 3AM Ransomware Group’s Novel Attack Methodology

Sophos X-Ops uncovered a sophisticated ransomware campaign in May 2025 involving the 3AM group, which leveraged virtual machines (VMs) and vishing to bypass defenses.

According to a report by Sophos News, attackers bombarded employees with emails before impersonating IT support via spoofed phone calls, tricking victims into granting remote access. Once inside, they deployed a hidden VM to evade endpoint detection and spent nine days exfiltrating data before attempting ransomware deployment.

This “email bombing” tactic, first documented by Microsoft in 2024, overwhelms targets with spam to mask malicious activity. The use of VMs highlights adversaries’ growing sophistication in circumventing traditional security tools.

Sophos advises organizations to audit their remote access tooling, restrict who can run virtualization software, and conduct simulated vishing drills to bolster employee resilience.
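Both halves of the playbook leave detectable traces: the email bomb is a burst of mail to one mailbox from many unrelated sender domains, and the hidden VM is a hypervisor binary starting from a user-writable path under a scripting host. The following is an added example, not Sophos tooling; the log formats, the constructed log lines, the thresholds, and the list of hypervisor image names are all assumptions you would adjust to your own gateway and EDR telemetry.

```python
"""Two detectors for the 3AM playbook described above: an email-bombing burst
against one mailbox, then a hypervisor launched from a user-writable path.
Added example; the log formats and thresholds are assumptions, not Sophos tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log: "timestamp,recipient,sender".  alice receives 40
# newsletter confirmations from 20 different domains inside seven minutes; bob gets one.
SAMPLE_MAIL_LOG = [
    "2025-05-12T09:%02d:%02dZ,alice@corp.example,news@site%d.example"
    % (i // 6, (i % 6) * 10, i % 20)
    for i in range(40)
] + ["2025-05-12T09:30:00Z,bob@corp.example,hr@corp.example"]

# Constructed endpoint process events: "timestamp,host,user,image,parent_image".
SAMPLE_PROCESS_EVENTS = [
    r"2025-05-12T10:14:05Z,WS-0417,alice,C:\Users\alice\AppData\Local\Temp\qvm\qemu-system-x86_64.exe,C:\Windows\System32\wscript.exe",
    r"2025-05-12T10:15:00Z,DEV-02,ops,C:\Program Files\qemu\qemu-system-x86_64.exe,C:\Windows\explorer.exe",
    r"2025-05-12T10:16:00Z,WS-0417,alice,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe",
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_email_bombing(lines, window=timedelta(minutes=10), min_msgs=30, min_domains=10):
    """Sliding window per recipient; alert on the densest window if it holds a burst
    from many distinct sender domains.  The domain-count requirement separates a
    subscription bomb from one chatty legitimate sender."""
    per_rcpt = defaultdict(list)
    for line in lines:
        ts, rcpt, sender = line.split(",")
        per_rcpt[rcpt].append((_ts(ts), sender.rsplit("@", 1)[-1].lower()))
    alerts = []
    for rcpt, events in per_rcpt.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        domains = {d for _, d in best}
        if len(best) >= min_msgs and len(domains) >= min_domains:
            alerts.append({"recipient": rcpt, "first_seen": best[0][0],
                           "messages": len(best), "domains": len(domains)})
    return alerts


# Assumed set of hypervisor image names worth watching; extend for your estate.
HYPERVISOR_IMAGES = {"qemu-system-x86_64.exe", "qemu-system-i386.exe",
                     "vboxheadless.exe", "virtualboxvm.exe", "vmware-vmx.exe"}
APPROVED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def detect_rogue_vm_launch(lines):
    """Flag hypervisor binaries started from anywhere but the approved install roots."""
    alerts = []
    for line in lines:
        ts, host, user, image, parent = line.split(",")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in HYPERVISOR_IMAGES and not image.lower().startswith(APPROVED_PREFIXES):
            alerts.append({"host": host, "user": user, "image": image, "parent": parent})
    return alerts


if __name__ == "__main__":
    for a in detect_email_bombing(SAMPLE_MAIL_LOG):
        print("email bomb:", a)
    for a in detect_rogue_vm_launch(SAMPLE_PROCESS_EVENTS):
        print("rogue VM:", a)
```

A path allowlist is only a tripwire: an attacker can drop a renamed hypervisor anywhere, so pair the process rule with application control that blocks unapproved virtualization software outright, and correlate the mailbox alert with any Quick Assist or remote-support session that starts on the same user’s workstation shortly afterwards.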

“Vishing attacks, such as this 3AM incident and other recent ransomware actor attacks, depend upon deception and leveraging of a targeted individual’s confusion and sense of urgency driven by events they don’t expect, such as an onslaught of unwanted emails suddenly disrupting their workday,” the report said. “Educate staff on the exact ways IT support will contact them, under what circumstances, and which tools they will use to provide remote technical support so they can recognize social engineering efforts more easily.”

Over 90% of Top Email Domains Remain Vulnerable to Spoofing Attacks

A recent study by EasyDMARC revealed that 92.3% of the world’s top 1.8 million email domains lack stringent DMARC policies, leaving them vulnerable to spoofing, Infosecurity Magazine reported. Only 7.7% have implemented “p=reject,” the gold standard for blocking fraudulent emails.

This security shortfall enables phishing campaigns to impersonate legitimate organizations, with sectors like logistics and finance at heightened risk.

“Misconfigurations, missing reporting, and passive DMARC policies are like installing a security system without ever turning it on,” said EasyDMARC CEO Gerasim Hovhannisyan. “Phishing remains one of the oldest and most effective forms of cyber-attack, and without proper enforcement, organizations are effectively handing attackers the keys to their business.”

Countries with mandated DMARC adoption, such as the U.S. and U.K., saw phishing email acceptance rates drop to 14.2% in 2025, down from 68.8% in 2023. In contrast, regions without enforcement, like the Netherlands, showed minimal improvement.
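The distinction the study draws between a published record and an enforced one comes down to a handful of tags in the `_dmarc` TXT record: `p=` sets the policy, `pct=` limits how much failing mail it applies to, `sp=` can leave subdomains weaker, and a missing `rua=` means no aggregate reports. The script below is an added example, not EasyDMARC’s tooling: it parses records, reports those gaps, and computes the share of domains at full `p=reject`, which is the “gold standard” figure quoted above. The six domains and their records are constructed and evaluated offline rather than fetched from DNS.

```python
"""Classify DMARC records the way the EasyDMARC figures above do.
Added example, not EasyDMARC's tooling; the records below are constructed and
evaluated offline instead of being fetched from DNS."""
from typing import Dict, List, Optional, Tuple

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed records for six hypothetical domains (None = no _dmarc TXT record).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=reject; pct=10",
    "d.example": "v=DMARC1; p=quarantine; sp=none",
    "e.example": None,
    "f.example": "v=spf1 -all",  # an SPF record published at _dmarc by mistake
}


def parse_dmarc(txt: str) -> List[Tuple[str, str]]:
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs; order matters for v=."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def evaluate_dmarc(txt: Optional[str]) -> dict:
    """Return {'level': missing|invalid|none|quarantine|reject, 'pct': int, 'issues': [...]}."""
    if not txt:
        return {"level": "missing", "pct": 0, "issues": ["no DMARC record published"]}
    pairs = parse_dmarc(txt)
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        return {"level": "invalid", "pct": 0, "issues": ["record must start with v=DMARC1"]}
    tags = dict(pairs)
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        return {"level": "invalid", "pct": 0, "issues": ["missing or unrecognized p= tag"]}
    issues = []
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if p == "none":
        issues.append("p=none is monitor-only: spoofed mail is still delivered")
    elif pct < 100:
        issues.append("pct=%d: only part of failing mail gets the %s policy" % (pct, p))
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    if sp in POLICY_RANK and POLICY_RANK[sp] < POLICY_RANK[p]:
        issues.append("sp=%s leaves subdomains weaker than the organizational policy" % sp)
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so misconfigurations go unseen")
    return {"level": p, "pct": pct, "issues": issues}


def share_fully_enforcing(records: Dict[str, Optional[str]]) -> float:
    """Fraction of domains at p=reject with pct=100, the 'gold standard' figure in the study."""
    hits = 0
    for txt in records.values():
        e = evaluate_dmarc(txt)
        if e["level"] == "reject" and e["pct"] == 100:
            hits += 1
    return hits / len(records)


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        e = evaluate_dmarc(txt)
        print(domain, e["level"], *e["issues"], sep="\n  ")
    print("fully enforcing: %.1f%%" % (100 * share_fully_enforcing(SAMPLE_RECORDS)))
```

To run this against real domains, resolve the TXT record at `_dmarc.<domain>` and pass the string in; a record that passes here still depends on SPF and DKIM being aligned, which this check does not cover.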

CISA and ACSC Release Joint Guidance on SIEM/SOAR Implementation

The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) issued joint guidance at the end of May on deploying Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms, DarkReading reported.

The guidance stresses thorough testing, cost management, and ongoing maintenance: SIEM and SOAR platforms need continuous tuning and oversight rather than a “set-and-forget” deployment.

With rising infrastructure complexity and data volumes, the report highlights SIEM/SOAR’s role in addressing visibility gaps and accelerating threat detection. Critical recommendations include integrating these platforms with existing security tools and prioritizing high-value data sources to reduce alert fatigue.

This guidance arrives amid growing concerns about AI-driven attacks and nation-state threats targeting critical sectors like healthcare and finance.

“The biggest improvement [to the guidance] would be recognizing we’re now in an AI arms race in cybersecurity,” says Steve Wilson, chief AI and product officer at Exabeam. “Modern SOCs can’t rely on human triage and basic correlation rules anymore. They need more advanced techniques, not just for anomaly detection, but for automating investigations, guiding responses, and leveling the playing field against adversaries who are moving faster than ever.”

Cybersecurity Tips

Advanced Technology Leader Outlines Challenges and Best Practices for IoT Security

Over 80% of organizations now deploy IoT devices, yet fewer than one-third of CISOs are confident in their ability to manage the associated risk. Recent threats such as the Murdoc botnet, which exploited AVTECH cameras and Huawei routers, show the real-world consequences of inadequate IoT security.

In a recent article in CIO Magazine, technology leader Leo Rajapakse explored some of the challenges and best practices of IoT security.

Some of the key challenges facing organizations include the following:

  • Device proliferation: Millions of IoT devices ship with minimal security controls and default credentials
  • Legacy infrastructure: Many devices lack security design and update capabilities
  • Weak authentication: Hardcoded passwords remain widespread across IoT deployments
  • Data privacy risks: Constant data collection through poorly encrypted channels
  • Fragmented standards: Unlike traditional IT, IoT lacks consistent global security frameworks
  • Supply chain vulnerabilities: Third-party components introduce upstream risks
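Several of these challenges (default and hardcoded credentials, weak authentication, third-party components carrying their own secrets) show up directly in an unpacked firmware image, which is the first place a buyer or a vendor can check before a device ships. The script below is an added example, not from the CIO article: it walks an in-memory firmware root and reports password hashes kept in `/etc/passwd`, second UID-0 accounts, empty password fields, MD5-crypt or DES hashes in `/etc/shadow`, credential literals in config files, and private keys baked into the image. The firmware files are constructed for the example; the regexes are a starting set, not a complete audit.

```python
"""Triage an unpacked firmware root for the hardcoded-credential problems listed above.
Added example, not from the CIO article; the in-memory filesystem is constructed."""
import re
from collections import Counter
from typing import Dict, List

# Constructed extract of a hypothetical camera firmware (path -> file bytes).
SAMPLE_FIRMWARE: Dict[str, bytes] = {
    "/etc/passwd": (b"root:x:0:0:root:/root:/bin/sh\n"
                    b"admin:$1$xyz$0123456789abcdef:0:0:admin:/:/bin/sh\n"  # hash in passwd, second uid 0
                    b"support::1001:1001::/tmp:/bin/sh\n"),                  # empty password field
    "/etc/shadow": (b"root:$1$salt$abcdefghijklmno:19000:0:99999:7:::\n"     # MD5-crypt
                    b"admin:!:19000:0:99999:7:::\n"                           # locked account, fine
                    b"guest::19000:0:99999:7:::\n"),                          # no password at all
    "/etc/config/wifi.conf": b"ssid=cam01\nkey=wpa2secret\npassword=admin1234\n",
    "/etc/ssl/server.key": (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n"
                            b"-----END RSA PRIVATE KEY-----\n"),
    "/bin/busybox": b"\x7fELF\x01\x01\x01\x00\x00\x00",  # binary: skipped by this text pass
}

SECRET_RE = re.compile(r"\b(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']?(\S+)", re.I)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
WEAK_HASH_RE = re.compile(r"^\$1\$|^[./0-9A-Za-z]{13}$")  # MD5-crypt or classic DES crypt


def _finding(path: str, kind: str, detail: str) -> dict:
    return {"path": path, "kind": kind, "detail": detail}


def scan_passwd(path: str, text: str) -> List[dict]:
    """A hash in the world-readable passwd file, or a blank one, is a hardcoded login."""
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        user, pw, uid = f[0], f[1], f[2]
        if pw == "":
            out.append(_finding(path, "empty-password", user))
        elif pw not in ("x", "*", "!"):
            out.append(_finding(path, "hash-in-passwd", user))
        if uid == "0" and user != "root":
            out.append(_finding(path, "extra-uid0", user))
    return out


def scan_shadow(path: str, text: str) -> List[dict]:
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 2:
            continue
        user, h = f[0], f[1]
        if h == "":
            out.append(_finding(path, "empty-password", user))
        elif h[0] not in "!*" and WEAK_HASH_RE.match(h):
            out.append(_finding(path, "weak-hash", user))
    return out


def scan_firmware(files: Dict[str, bytes]) -> List[dict]:
    findings = []
    for path, data in sorted(files.items()):
        if b"\x00" in data:
            continue  # compiled code: use strings/Ghidra, not a text regex pass
        text = data.decode("utf-8", errors="replace")
        if path.endswith("/passwd"):
            findings += scan_passwd(path, text)
        elif path.endswith("/shadow"):
            findings += scan_shadow(path, text)
        else:
            for m in SECRET_RE.finditer(text):
                findings.append(_finding(path, "secret-literal", m.group(0)))
            if PRIVATE_KEY_RE.search(text):
                findings.append(_finding(path, "private-key", "private key shipped in image"))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print("%-22s %-16s %s" % (f["path"], f["kind"], f["detail"]))
    print(summarize(scan_firmware(SAMPLE_FIRMWARE)))
```

The private-key finding is the one most often dismissed as “just TLS”: the same key is in every unit sold, so one extracted copy lets an attacker impersonate every device of that model. On a real image, feed the extracted root from binwalk or a vendor SDK into `scan_firmware` as a path-to-bytes mapping.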

To address these challenges, organizations must implement comprehensive defenses including zero trust architecture, end-to-end encryption, automated firmware updates, and AI-powered threat detection. Network segmentation and multi-factor authentication are also non-negotiable requirements.

Rajapakse suggests making a fundamental shift to “security-by-design” thinking rather than “bolt-on” security practices.

“The reality is that no single stakeholder—be it vendor, enterprise, or regulator—can secure the IoT landscape alone,” said Rajapakse. “Every decision made at the design table, in the boardroom, or on the assembly line has implications for global cybersecurity.”

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.