Cybersecurity Brief – 2025-05-08
Major Incidents and Breaches
- LockBit Ransomware Gang Breach: The LockBit ransomware group suffered a significant breach, with its dark web affiliate panels defaced and victim negotiation data exposed via a leaked MySQL database. This incident may disrupt ongoing operations and expose sensitive data related to victims and affiliates.
- PowerSchool Extortion Escalates: Following a December cyberattack, the PowerSchool hacker is now directly extorting individual school districts, threatening to release stolen student and teacher data if ransoms are not paid.
- Masimo Cyberattack: Medical device manufacturer Masimo reported a cyberattack that has disrupted production and caused delays in fulfilling customer orders.
- South African Airways Disruption: A cyberattack temporarily disrupted operational systems at South African Airways. The company is investigating potential data theft.
Newly Discovered Vulnerabilities
- Cisco IOS XE Wireless Controller (CVE-2025-20188): Cisco patched a critical vulnerability (CVSS 10.0) in IOS XE Wireless Controller, which allowed unauthenticated remote attackers to upload arbitrary files, potentially leading to root-level exploits.
- OttoKit WordPress Plugin (CVE-2025-27007): A critical privilege escalation flaw (CVSS 9.8) in the OttoKit WordPress plugin is under active exploitation, enabling attackers to create rogue admin accounts on over 100,000 sites.
- SysAid IT Support Software: Four critical pre-authentication remote code execution vulnerabilities were patched in the on-premise version of SysAid, which could allow attackers to compromise affected systems.
- Microsoft Windows Zero-Day (CVE-2025-29824): The Play ransomware group exploited a Windows Common Log File System vulnerability as a zero-day to gain SYSTEM privileges and deploy ransomware, targeting at least one US-based organization.
- SentinelOne EDR ‘Bring Your Own Installer’ Attack: Researchers identified a new attack technique exploiting misconfigured SentinelOne EDR installations, allowing adversaries to abuse trusted installers for malicious purposes.
- Fake Discord PyPI Package: Over 11,500 downloads of a malicious Python package masquerading as a Discord utility were recorded. The package included a remote access trojan, highlighting ongoing supply chain risks in open-source repositories.
Notable Threat Actor Activity
- COLDRIVER (Russian APT): The Russia-linked COLDRIVER group is distributing new LOSTKEYS malware via fake CAPTCHA lures (ClickFix), as part of an espionage campaign.
- Play Ransomware: The group leveraged a Windows zero-day exploit (CVE-2025-29824) in targeted attacks, demonstrating continued sophistication and rapid exploitation of newly discovered vulnerabilities.
- CoGUI Phishing Platform (Chinese Threat Actors): The CoGUI phishing kit, popular among Chinese actors, sent over 580 million phishing emails between January and April 2025, targeting credentials and payment data, with notable campaigns aimed at Japanese organizations.
- Lemon Sandstorm (Iranian APT): The group targeted operational technology in Middle Eastern critical national infrastructure, maintaining access over several years but ultimately failing to achieve its objectives.
- LockBit Ransomware: In addition to suffering a breach, LockBit’s victim negotiation tactics and affiliate operations have been exposed, potentially impacting the group’s effectiveness.
Trends, Tools, and Tactics
- Ransomware Evolution: Kaspersky’s report highlights that ransomware remained a major threat in 2024, with evolving tactics and increasing sophistication expected into 2025.
- Phishing Surge: Cisco Talos reported that phishing was the initial access vector in 50% of attacks in Q1 2025, underscoring the persistent risk. Notably, SSA-themed phishing campaigns are distributing the ScreenConnect remote access tool.
- DDoS-for-Hire Market Disruption: Europol and Polish authorities dismantled six DDoS-for-hire services, arresting four administrators. These platforms facilitated thousands of attacks globally, targeting schools, government, businesses, and gaming services.
- Credential Theft and MFA Adoption: Industry analysis continues to show a high proportion of breaches involving stolen credentials (31%), reinforcing the need for Universal 2nd Factor (U2F) and strong password policies.
Regulatory and Policy Developments
- NSO Group Fined: The Israeli spyware vendor NSO Group was ordered by a US federal jury to pay WhatsApp over $167 million in punitive damages and $444,719 in compensatory damages for targeting 1,400 users with spyware in 2019. Meta won a related lawsuit.
- TikTok GDPR Fine: TikTok was fined €530 million by European regulators for failing to protect EU user data from access by Chinese entities, sending a strong message regarding GDPR enforcement.
- CISA Advisory: CISA issued a warning regarding ongoing, albeit unsophisticated, cyber threats targeting US oil and natural gas infrastructure.
- UK Intelligence on Russian Threats: UK intelligence agencies reported a direct link between Russian cyberattacks and physical sabotage plots, highlighting the convergence of cyber and kinetic threats.
- CBP Use of Hacked Messaging App: US Customs and Border Protection confirmed it has disabled use of TeleMessage after the app, which had not passed government risk assessment, was compromised.
Other Noteworthy Developments
- T-Mobile Data Breach Settlement: Settlement payments are being distributed to victims of T-Mobile’s 2021 data breach, which affected 76 million customers.
- Pentagon CIO Nominee: Kirsten Davies, a private sector CISO, has been nominated as CIO for the US Department of Defense, indicating a continued focus on cybersecurity leadership at the federal level.