Welcome to the DanSec Blog

Cybersecurity Brief – 2025-11-05

Major Incidents or Breaches

  • The Swedish IT systems supplier Miljödata suffered a data breach impacting 1.5 million individuals. The Swedish Authority for Privacy Protection (IMY) is investigating.
  • Japanese media conglomerate Nikkei reported a data breach after its Slack platform was compromised, exposing personal data of over 17,000 employees and business partners.
  • Hundreds of malicious Android apps on Google Play were downloaded over 42 million times between June 2024 and May 2025, according to Zscaler, distributing various malware strains.
  • Threat actors are actively exploiting a critical vulnerability in the Post SMTP WordPress plugin (installed on 400,000+ sites) to hijack admin accounts.
  • Attackers are exploiting a critical authentication bypass flaw in the JobMonster WordPress theme, allowing admin account hijacking under certain conditions.
  • European authorities dismantled a cryptocurrency fraud and money laundering network responsible for defrauding victims of over €600 million, arresting nine individuals.
  • U.S. prosecutors indicted three individuals for deploying BlackCat (ALPHV) ransomware against five U.S. companies between May and November 2023, resulting in network compromise and extortion.
  • Transportation and logistics companies have been targeted by threat actors using sophisticated attack chains to deploy remote access tools and steal cargo.

Cybersecurity Brief – 2025-11-04

Major Incidents or Breaches

  • Hackers stole over $120 million from the Balancer DeFi crypto protocol by targeting its v2 pools.
  • A major breach at the Kansas City, Kansas, Police Department exposed a list of alleged officer misconduct, including dishonesty, sexual harassment, excessive force, and false arrests.
  • Everest ransomware group claimed responsibility for recent attacks, according to Check Point’s latest threat intelligence report.

Newly Discovered Vulnerabilities

  • XWiki (CVE-2025-24893): Exploit attempts have been observed against a flaw in XWiki’s SolrSearch component that allows arbitrary remote code execution. A patch was released in February.
  • Google Chrome: Two high-severity vulnerabilities in the V8 JavaScript engine (type confusion and inappropriate implementation) were disclosed, with Google awarding $100,000 in bug bounties.
  • Microsoft WSUS: An out-of-band update to patch an actively exploited Windows Server Update Service vulnerability has disabled hotpatching on some Windows Server 2025 systems.

Cybersecurity Brief – 2025-11-03

Major Incidents or Breaches

  • A hacker has claimed responsibility for breaching the University of Pennsylvania, stating that data on 1.2 million donors was exposed. The breach was more extensive than initially reported and follows a prior incident where the university sent out a “We got hacked” email.

Newly Discovered Vulnerabilities

  • Check Point Research identified three security vulnerabilities in the Windows Graphics Device Interface (GDI) that could lead to remote code execution and memory exposure. These issues were reported to Microsoft and have been addressed.
  • Increased scanning activity has been observed on TCP ports 8530 and 8531, which is likely related to the recently disclosed WSUS vulnerability CVE-2025-59287.

Cybersecurity Brief – 2025-11-02

Major Incidents or Breaches

  • The Australian Signals Directorate (ASD) has issued a bulletin regarding ongoing attacks targeting unpatched Cisco IOS XE devices in Australia. The attacks involve a previously undocumented implant referred to as BADCANDY.

Newly Discovered Vulnerabilities

  • A vulnerability in Motex Lanscope Endpoint Manager was exploited as a zero-day by the China-linked threat actor group Bronze Butler (Tick). The exploitation enabled deployment of an updated Gokcpdoor malware variant.

Cybersecurity Brief – 2025-11-01

Major Incidents or Breaches

  • Ribbon Communications, a US telecom company, disclosed a breach attributed to suspected nation-state actors, with initial access dating back to December of the previous year. The company has not confirmed whether sensitive data was accessed.
  • The University of Pennsylvania experienced a cybersecurity incident in which students and alumni received offensive emails from compromised university addresses, with threats to leak data.
  • Open VSX (Eclipse Foundation) revoked a small number of leaked tokens after discovery by Wiz. The incident was contained, and the foundation downplayed the impact, stating it was not a self-replicating worm.
  • Australian authorities issued warnings regarding ongoing attacks on unpatched Cisco IOS XE devices, with routers being compromised via the BadCandy webshell.

Cybersecurity Brief – 2025-10-31

Major Incidents or Breaches

  • Ribbon Communications, a major telecom services provider with clients including the US government and global telecom firms, disclosed a breach of its IT network by nation-state actors, with access dating back to December 2023.
  • Conduent, a business process outsourcing (BPO) giant, confirmed a 2024 data breach impacting over 10.5 million individuals. Stolen data includes names, addresses, dates of birth, Social Security numbers, and health and insurance information. A ransomware gang has claimed responsibility.
  • The Canadian Centre for Cyber Security reported that hackers tampered with industrial control systems (ICS) at a water facility and an oil and gas firm, warning of increasing hacktivist activity targeting internet-exposed ICS environments.

Cybersecurity Brief – 2025-10-30

Major Incidents or Breaches

  • A subsidiary of Japanese marketing and PR giant Dentsu (Merkle) experienced a data breach resulting in the theft of sensitive employee, client, and supplier data by unidentified threat actors.
  • The Canadian Centre for Cyber Security reported that hacktivists breached multiple water and energy facilities, gaining access to and modifying industrial controls across Canada.
  • A data leak exposed information about students attending Iran’s Ministry of Intelligence and Security (MOIS) training academy.
  • Microsoft experienced a global DNS outage affecting Azure and Microsoft 365 services, preventing customer logins and access.
  • No evidence was found of a Gmail breach; recent panic was due to circulation of old stolen credentials on the dark web.

Cybersecurity Brief – 2025-10-29

Major Incidents or Breaches

  • Dentsu Data Breach: Japanese advertising giant Dentsu disclosed a cybersecurity incident at its U.S. subsidiary Merkle, resulting in the exposure of staff and client data.
  • Oracle EBS Attacks: Numerous organizations, including Schneider Electric and Emerson, have been identified as victims of attacks exploiting Oracle E-Business Suite zero-day CVE-2025-61882. Data stolen from these companies has been made available on the Cl0p ransomware leak site.
  • Swedish Power Grid Incident: Hackers targeted a Swedish power grid operator, stealing information from a file transfer solution. The country’s power supply was not affected.
  • 183 Million Credentials Traded: Cybercriminals are trading 183 million stolen credentials on Telegram and dark web forums, with 16.4 million email addresses not previously seen in data breaches.

Cybersecurity Brief – 2025-10-28

Major Incidents or Breaches

  • A database containing information on individuals with ‘Top Secret’ clearance who applied for jobs with US House Democrats was left openly accessible online.
  • Toys “R” Us Canada suffered a data breach, as noted in recent threat intelligence reporting.

Newly Discovered Vulnerabilities

  • A new vulnerability in OpenAI’s ChatGPT Atlas web browser allows attackers to inject persistent, hidden commands into the AI platform.
  • QNAP warned customers of a critical ASP.NET Core vulnerability affecting its NetBak PC Agent Windows backup utility, urging immediate patching.
  • A zero-day vulnerability in Google Chrome, exploited in Operation ForumTroll, was used to deliver spyware linked to Italian vendor Memento Labs (formerly IntheCyber Group/Hacking Team).
  • Mass exploitation of year-old critical WordPress plugin vulnerabilities has resumed, with roughly 9 million exploit attempts observed this month.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch a critical Windows Server Update Services (WSUS) vulnerability actively exploited in attacks.

Cybersecurity Brief – 2025-10-27

Major Incidents or Breaches

  • Kaspersky researchers have attributed previously unidentified commercial spyware, known as Dante and developed by Memento Labs (formerly Hacking Team), to ForumTroll APT attacks. The spyware was observed in recent campaigns, indicating renewed activity from this threat actor.

Notable Threat Actor Activity

  • The ForumTroll APT group has been linked to the deployment of Dante spyware in recent operations. Memento Labs, the developer behind Dante, is the rebranded entity of the defunct Hacking Team, suggesting a resurgence of the group’s offensive cyber capabilities.