Major Incidents or Breaches

  • UK Retail Sector Attacks: The UK’s National Cyber Security Centre (NCSC) issued new security guidance following three significant cyberattacks targeting major UK retailers.
  • TeleMessage Breach: TeleMessage, an unofficial Signal message archiving tool used by US government officials, suspended all services after a reported hack.
  • Educational Sector Disruptions (US): Multiple school districts in Georgia and a university in New Mexico experienced disruptive cyberattacks as the academic year ends.
  • Darcula Phishing Campaign: The Darcula phishing-as-a-service (PhaaS) platform stole 884,000 credit cards globally via malicious SMS campaigns.
  • Disney Data Leak: An individual pleaded guilty to stealing sensitive Disney data and falsely claiming to be a Russian hacktivist.
  • Peru Ransomware Claim: The Rhysida ransomware group claimed responsibility for an attack on the Peruvian government’s domain, though the government denies the incident.

Newly Discovered Vulnerabilities

  • Android Zero-Day: Google’s May 2025 security update addresses 46 Android vulnerabilities, including one actively exploited in the wild.
  • Apple AirPlay Zero-Click RCE: Researchers disclosed now-patched, wormable vulnerabilities in Apple’s AirPlay protocol that enabled zero-click remote code execution over public Wi-Fi.
  • Langflow Critical Flaw: A critical vulnerability in the open-source Langflow platform has been added to CISA’s Known Exploited Vulnerabilities (KEV) list following evidence of active exploitation.
  • Commvault Command Center: CVE-2025-34028, a maximum-severity flaw in Commvault Command Center, was also added to CISA’s KEV list after confirmation of in-the-wild exploitation.
  • Samsung MagicINFO CMS: The Mirai botnet is now exploiting a previously patched arbitrary file upload vulnerability (CVE-2024-7399) in Samsung MagicINFO CMS for remote code execution.
  • Kubernetes Helm Chart Risks: Microsoft warns that default configurations in Kubernetes Helm charts may expose sensitive data publicly.
  • EDR Bypass Technique: A new “Bring Your Own Installer” technique has been used to bypass SentinelOne’s tamper protection, enabling threat actors to disable endpoint detection and response (EDR) tools.

Notable Threat Actor Activity

  • Luna Moth (Silent Ransom Group): Luna Moth has stepped up callback phishing campaigns against US legal and financial institutions, impersonating IT help desks to gain initial access.
  • Venom Spider: Arctic Wolf Labs identified a spear-phishing campaign by “Venom Spider” targeting hiring managers and recruiters by posing as job seekers.
  • Russian-Linked Hacktivism: A Russian hacktivist group conducted DDoS attacks on Romanian state websites during national elections.
  • FSB Recruitment via TikTok: Ukrainian authorities detained an alleged FSB agent recruited via TikTok for military espionage.
  • Myanmar Cyber Scam Sanctions: The US sanctioned Myanmar’s Karen National Army and its leader for involvement in cyber fraud operations.

Trends, Tools, or Tactics of Interest

  • Stealth and Persistence: Notable rise in stealth tactics designed for long-term access and silent control, with attackers leveraging AI for adaptive, persistent threats.
  • Phishing-as-a-Service (PhaaS): Darcula’s large-scale SMS phishing operation underlines the growing sophistication and reach of PhaaS platforms.
  • EDR Evasion: Increasing use of advanced techniques, such as “Bring Your Own Installer,” to bypass endpoint security controls.
  • Deepfake Evolution: Research reveals deepfakes now retain biometric signals (e.g., heartbeats), presenting new challenges for detection and authentication.
  • Supply Chain Risks: Ongoing concerns about open-source software security, with warnings about persistent risks from tools like easyjson due to foreign influence and supply chain exposure.

Regulatory or Policy Developments

  • CISA KEV List Updates: Addition of Langflow and Commvault vulnerabilities to the US CISA Known Exploited Vulnerabilities catalog, increasing urgency for patching.
  • US Sanctions: Expansion of US sanctions targeting entities and individuals involved in cybercrime and cyber scam operations in Myanmar.
  • NCSC Guidance: UK’s NCSC published updated security guidance in response to recent cyberattacks on the retail sector, urging all organisations to review and strengthen their cyber defences.