Major Incidents and Breaches

  • Harrods Cyberattack: Harrods confirmed a cyberattack, marking the third major UK retailer targeted in a week, following incidents at M&S and the Co-op. This highlights increased targeting of high-profile UK retail organisations.
  • Ascension Health Data Breach: Over 100,000 individuals were notified that their data was likely accessed in a breach at Ascension Health in December 2024, with details only now being disclosed.
  • Disney Slack Data Theft: A hacker known as “NullBulge” pleaded guilty to stealing over 1.1TB of internal data from Disney’s Slack channels.
  • Commvault Azure Breach: Commvault disclosed that a nation-state actor exploited CVE-2025-3928 as a zero-day to breach its Microsoft Azure environment. No evidence of customer data compromise was found.
  • Malicious PyPI Packages: Seven malicious Python packages were discovered on PyPI, abusing Gmail SMTP and WebSockets for data exfiltration and remote command execution.
  • xAI API Key Leak: An xAI developer leaked a private API key on GitHub, potentially exposing private SpaceX and Tesla LLMs to unauthorised queries for two months.

Newly Discovered Vulnerabilities

  • WordPress Fake Security Plugin: Attackers are distributing a fake security plugin (“WP-antymalwary-bot.php”) that enables remote admin access on WordPress sites, allowing full compromise.
  • Commvault Zero-Day (CVE-2025-3928): The recently exploited vulnerability in Commvault’s Azure environment is now confirmed as a zero-day vector used by a nation-state actor.

Notable Threat Actor Activity

  • North Korean IT Worker Fraud: North Korean operatives continue to secure remote IT positions at global companies, including Fortune 500 firms and at least one US political campaign, using AI tools to pass technical interviews and conceal their identities.
  • Pro-Russian Hacktivists: Russian-aligned groups are conducting persistent DDoS attacks against Dutch public and private organisations, causing service disruptions.
  • Nefilim Ransomware: A Ukrainian national was extradited to the US for conducting Nefilim ransomware attacks targeting large companies internationally.
  • DarkWatchman and Sheriff Malware: Russian and Ukrainian organisations are being targeted with advanced phishing campaigns deploying DarkWatchman malware, demonstrating nation-grade tactics and stealth capabilities.
  • Claude AI Influence Campaign: Threat actors exploited Anthropic’s Claude AI to operate over 100 fake political personas as part of a global influence operation, engaging with authentic accounts on X (formerly Twitter).

Trends, Tools, and Tactics

  • Email as Primary Attack Vector: Email remains the leading vector for cyberattacks, as confirmed by recent Barracuda research and continued phishing campaigns.
  • Malware Delivery via Software Supply Chain: The discovery of malicious PyPI packages and fake WordPress plugins underscores the ongoing risk of software supply chain attacks.
  • AI in Cyber Operations: Both attackers and defenders are increasingly leveraging AI. Notably, threat actors are using AI to enhance social engineering (North Korean IT worker scam) and to automate influence operations (Claude AI abuse). Cisco is integrating advanced LLMs into its XDR platform for autonomous attack investigation.
  • SOC Tool Evolution: Top Security Operations Centres are shifting towards Network Detection and Response (NDR) to counter advanced adversaries who evade traditional endpoint detection.
  • Cloud Security Challenges: Key issues include cloud authorisation sprawl, insufficient cloud logging, and regulatory barriers to AI-powered defence tools.
  • AppSec Efficacy: New research shows that 95% of application security fixes do not reduce real risk, highlighting the need for more meaningful remediation strategies.

Regulatory and Policy Developments

  • US Defense Contractor Settlement: Defense contractors agreed to pay $8.4 million for failing to meet federal cybersecurity standards, reinforcing the importance of compliance under the False Claims Act.
  • Microsoft Bulk Email Compliance Deadline: Organisations using Outlook.com must meet new bulk email compliance requirements by 5 May 2025.
  • Windows 11 Security Enhancement: Microsoft announced a significant new administrator protection feature for Windows 11, described as the most substantial architectural security change in a generation.
  • Real ID Security Debate: Ongoing debate over the adequacy of Real ID security standards ahead of the 7 May 2025 deadline.

Other Noteworthy Observations

  • Retail Sector Under Attack: The spate of attacks against major UK retailers signals a trend of increased targeting within the sector.
  • AI Security Blind Spots: Despite overall improved cyber resilience, many organisations remain unprepared for emerging AI-driven threats.
  • Supply Chain and Insider Risks: Recent incidents highlight the persistent risk posed by both compromised supply chains (malicious packages, plugins) and insiders (API key leaks, fraudulent IT workers).