Welcome to the DanSec Blog

Cybersecurity Brief – 2025-04-20

Major Incidents and Breaches

  • APT29 Targeting European Diplomats

    • Russian state-sponsored group APT29 has launched a phishing campaign against European diplomatic entities.
    • The campaign uses wine-tasting themed lures and deploys a new variant of WINELOADER, named GRAPELOADER, to gain initial access and maintain persistence.
  • Malicious npm Packages Planting SSH Backdoors

    • Three rogue npm packages, mimicking a popular Telegram bot API library, were discovered to contain SSH backdoors and data exfiltration capabilities.
    • These packages target Linux systems and could facilitate broader supply chain attacks.
  • Microsoft Entra ID Account Lockouts


Cybersecurity Brief – 2025-04-19

Major Incidents and Breaches

  • SonicWall SMA VPN Devices Under Active Attack

    • A remote code execution vulnerability in SonicWall Secure Mobile Access (SMA) appliances has been actively exploited since at least January 2025. Organisations using these devices are at heightened risk and should prioritise patching and mitigation.
  • Apple Zero-Day Exploits

    • Two zero-day vulnerabilities in Apple iOS devices have been used in sophisticated attacks targeting specific individuals, indicating likely involvement of spyware or nation-state actors. Details remain limited.
  • Smishing Surge Tied to Chinese Threat Actors


Cybersecurity Brief – 2025-04-18

Major Incidents and Breaches

  • Ahold Delhaize Data Breach: Food retail giant Ahold Delhaize confirmed data theft from its U.S. business systems during a November 2024 cyberattack, attributed to the INC ransomware group. The breach impacted operations at several of its 2,000 U.S. stores.
  • Legends International Breach: Entertainment venue management firm Legends International disclosed a data breach from November 2024 affecting both employees and venue visitors.
  • Airport Retailer Ransomware Settlement: An airport retailer agreed to a $6.9 million settlement after a ransomware attack exfiltrated personal data (including names and Social Security numbers) of approximately 76,000 current and former employees.
  • Surge in SMS Phishing Scams: CTM360 reported a global spike in SMS-based reward and toll scams, notably PointyPhish and TollShark, operating via the Darcula Phishing-as-a-Service (PhaaS) platform. Over 5,000 domains are implicated in payment information theft.
  • Real Cash Scam in the U.S.: A widespread scam is tricking individuals into withdrawing and transferring large sums of cash to fraudsters, resulting in significant financial losses.

Newly Discovered Vulnerabilities


Cybersecurity Brief – 2025-04-17

  • CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices:

    • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified a security flaw in SonicWall Secure Mobile Access (SMA) 100 Series gateways being actively exploited.
  • Apple Patches Two Actively Exploited iOS Flaws:

    • Apple released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two actively exploited security flaws.
  • New Windows Task Scheduler Bugs Discovered:

    • Cybersecurity researchers found four vulnerabilities in the Windows task scheduling service that could allow local attackers to escalate privileges.
  • Over 16,000 Fortinet devices compromised with a symlink backdoor:


Cybersecurity Brief – 2025-04-16

  • Phishing Remains Top Cyberattack in the UK:
    • Phishing was identified as the most common and disruptive cyberattack faced by UK organizations in the past year.
  • North Korea Expands Fraudulent IT Worker Operations:
    • North Korea has expanded its fraudulent IT worker operations, posing a new threat.
  • MITRE’s CVE Funding Expires:
    • The U.S. government’s funding for MITRE to operate and maintain the CVE program ends, raising concerns in the cybersecurity community.
  • Chinese Hackers Target Linux Systems:
    • A China-linked threat actor known as UNC5174 is using SNOWLIGHT malware and the VShell tool to target Linux systems.
  • Critical Apache Roller Vulnerability Discovered:
    • A critical vulnerability in Apache Roller blogging server software allows unauthorized session persistence.
  • Browser Extensions Pose Security Risks:
    • The majority of browser extensions can access sensitive enterprise data, posing a risk to organizations.
  • Malicious PyPI Package Targets MEXC Trading API:
    • A malicious package on PyPI targets MEXC trading API to steal credentials and redirect orders.
  • Python Malware Targets Crypto Developers:
    • Python malware disguised as coding challenges targets crypto developers to deliver new stealer malware.
  • Midnight Blizzard Targets Diplomatic Entities:
    • Russian state-sponsored group Midnight Blizzard deploys new GrapeLoader malware in embassy phishing attacks.
  • Landmark Admin Data Breach Impact Grows:
    • Landmark Admin data breach now affects 1.6 million individuals.
  • Infamous 4chan Forum Taken Down in Hack:
    • 4chan was taken offline following a major hack affecting the notorious online forum.
  • Microsoft Disabling ActiveX Controls:
    • Microsoft will disable ActiveX controls in Microsoft 365 and Office 2024 applications.
  • Google Implements Auto-Reboot for Android Security:
    • Google introduces auto-reboot feature on Android to enhance security.
  • Max Severity Bug in Apache Roller Allows Persistent Access:
    • Adversaries could retain access to Apache Roller due to a flaw that has since been remediated.
  • Bad Bots Increasingly Difficult to Detect:
    • Bad bots are evolving to mimic human behaviors, making them harder to detect.
  • AI-Powered Tool Used in Phishing Attacks:
    • Threat actors leverage the legitimate presentation tool named “Gamma” in phishing attacks.
  • Hertz Falls Victim to Cleo Zero-Day Attacks:
    • Cleo zero-day attacks lead to the theft of customer data from Hertz.
  • Wave of Wine-Inspired Phishing Attacks Target EU Diplomats:
    • A phishing campaign targeting EU diplomats uses wine-tasting events as a lure.
  • Funding Expires for Key Cyber Vulnerability Database:
    • A critical cybersecurity resource’s funding is at risk of expiring, impacting vulnerability identification and mitigation efforts.

Cybersecurity Brief – 2025-04-15

Newly Discovered Vulnerabilities and Attacks:

  • Gladinet’s Triofox and CentreStack are under active exploitation due to a critical RCE vulnerability, impacting seven organizations.
  • ResolverRAT, a new remote access trojan, targets healthcare and pharmaceutical sectors through phishing and DLL side-loading attacks.
  • Cybersecurity researchers have identified a phishing campaign using real-time checks to validate victim emails before credential theft.

Data Breaches and Security Incidents:

  • Hertz Corporation confirms a data breach where customer information and driver’s licenses were stolen in Cleo zero-day data theft attacks.
  • Conduent, a govtech giant, discloses client data was stolen in a January 2025 cyberattack.

Regulatory and Policy Developments:


Cybersecurity Brief – 2025-04-14

  • Ransomware Attack on DaVita:
    • Kidney dialysis firm DaVita experienced a ransomware attack over the weekend.
    • The attack encrypted parts of its network and impacted some operations.
  • Phishing Campaigns with Real-Time Checks:
    • Cybersecurity researchers discovered a new credential phishing scheme using real-time checks to validate victim emails.
    • This ensures that stolen information is linked to valid online accounts.
  • China Transformer Backdoor Scandal:
    • America’s critical infrastructure is facing a significant threat due to hidden backdoors in Chinese transformers installed across the nation.
  • OpenAI’s Upcoming AI Models:
    • OpenAI is planning to launch new AI models including GPT-4.1, 4.1 nano, and 4.1 mini this week.
  • New Windows Updates from Microsoft:
    • Microsoft released emergency updates to fix Active Directory policy issues and warned of restarts causing connectivity problems on some Windows Server 2025 domain controllers.
  • Threat Actors Targeting India:
    • Threat actors linked to Pakistan have been expanding their targets in India using remote access trojans like Xeno RAT and Spark RAT.

These incidents highlight ongoing threats in the cybersecurity landscape, with ransomware attacks affecting critical services, new phishing techniques being used by threat actors, and potential vulnerabilities in infrastructure due to hidden backdoors. The release of new AI models and updates from Microsoft also emphasize the need for organizations to stay vigilant and up-to-date with security measures.


Cybersecurity Brief – 2025-04-13

Newly Discovered Vulnerabilities and Exploits:

  • Langflow AI vulnerability (CVE-2025-3248) exploited after recent release of version 1.3.0, with significant impact on security.

Phishing Attacks and Tools:

  • Tycoon2FA phishing kit updated to target Microsoft 365 with improved stealth and evasion capabilities.

Supply Chain Risks:

  • ‘Slopsquatting’ emerges as a new supply chain risk due to AI-generated code dependencies hallucinating non-existent package names.

Policy and Regulatory Developments:

  • Department of Homeland Security email mistakenly instructs US citizens on temporary legal status to self-deport, leading to confusion and concerns.

International Cyber Threats:


Cybersecurity Brief – 2025-04-12

  • Phishing Campaign Targeting QuickBooks Users:
    • Cybercriminals are targeting QuickBooks users with phishing campaigns during tax season.
  • Threat Actors Retain Access to FortiGate Devices Post-Patching:
    • Fortinet warns that threat actors can maintain read-only access to FortiGate devices even after initial access vectors are patched.
  • PowerModul Implant Targeting Russian Sectors:
    • The threat actor Paper Werewolf has deployed a new implant called PowerModul to target Russian entities.
  • Brute-Force Attempts Against PAN-OS GlobalProtect Gateways:
    • Palo Alto Networks has observed brute-force login attempts targeting PAN-OS GlobalProtect gateways.
  • SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users:
    • Cybersecurity researchers have discovered malware targeting Android and iOS users through fake apps.
  • Microsoft Defender to Isolate Undiscovered Endpoints:
    • Microsoft is testing a new Defender for Endpoint capability to block attacks by isolating undiscovered endpoints.
  • Western Sydney University Discloses Security Breaches:
    • WSU has reported security incidents exposing personal information of community members.
  • Ransomware Attack Cost IKEA Operator $23 Million:
    • Fourlis Group, the operator of IKEA stores in Eastern Europe, suffered a ransomware attack causing significant losses.
  • Code of Practice for States Signed to Curb Commercial Spyware:
    • Nations are signing the Code of Practice for States to address commercial spyware threats.
  • Goffee Targeting Russian Organizations with New Malware:
    • The threat actor Goffee, also known as Paper Werewolf, is targeting Russian organizations with new malware targeting flash drives.

Cybersecurity Brief – 2025-04-11

Major Incidents and Attacks:

  • GOFFEE continues to attack organizations in Russia: Kaspersky researchers analyze GOFFEE’s campaign in H2 2024, with updated infection scheme, new PowerModul implant, and switch to a binary Mythic agent.
  • Russian Threat Actor Launches Spear-Phishing Campaign Against Ukrainians: The Russian threat actor Gamaredon targets Ukrainians with spear-phishing documents related to troop movements.

Vulnerabilities and Exploits:

  • OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation: A high-severity security flaw impacting OttoKit has been under active exploitation within hours of public disclosure.
  • Incomplete Patch in NVIDIA Toolkit Leaves CVE-2024-0132 Open to Container Escapes: Cybersecurity researchers detail an incomplete patch for a security flaw impacting the NVIDIA Container Toolkit.
  • Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses: Threat actors upload malicious packages to the npm registry to tamper with legitimate libraries and execute malicious code.

Industry Developments:
