Major Incidents or Breaches

  • Coinbase Data Breach and Extortion Attempt

    • Coinbase disclosed a data breach affecting approximately 1% of its users after cybercriminals bribed customer support agents. Attackers accessed sensitive customer information, including government IDs, and attempted to extort $20 million. The extortion attempt failed, but the incident highlights ongoing risks to cryptocurrency platforms from both insider and external threats.
  • Nova Scotia Power Data Breach

    • Nova Scotia Power confirmed a cyberattack resulting in the theft of sensitive customer data. The breach was discovered last month and underscores the persistent targeting of critical infrastructure and utility providers.

Newly Discovered Vulnerabilities

  • SAP NetWeaver (CVE-2025-31324)

    • A critical vulnerability in SAP NetWeaver is being actively exploited by multiple threat actors, including ransomware groups BianLian and RansomExx. The flaw allows remote code execution and has led to a surge in attacks against unpatched systems. Immediate patching is strongly advised.
  • Samsung MagicINFO 9 Server (CVE-2025-4632)

    • Samsung patched a critical vulnerability (CVSS 9.8) in MagicINFO 9 Server that was actively exploited to deploy Mirai botnet variants. Organizations using this software should update immediately.
  • Google Chrome High-Severity Flaw

    • Google released emergency updates addressing a high-severity Chrome vulnerability that has a public exploit and is being used in the wild for cross-origin data leaks via the Loader Referrer Policy. All users are advised to update promptly.
  • Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Flaws

    • Ivanti confirmed exploitation in the wild of zero-day vulnerabilities in EPMM, affecting a limited number of customers. The flaws stem from issues in open-source libraries bundled with the product and are being used in chained attacks.

Notable Threat Actor Activity

  • APT28 (Russia-Linked) Webmail Attacks

    • APT28 has been attributed to campaigns exploiting zero-day and XSS vulnerabilities in webmail platforms including Roundcube, Horde, MDaemon, and Zimbra, targeting government webmail servers for cyber espionage.
  • Scattered Spider Tactics Expand to US

    • Threat actors using Scattered Spider tactics, previously active against UK retail chains, are now targeting US retailers, indicating a geographic expansion of this threat.
  • Ransomware Groups Targeting SAP NetWeaver

    • Ransomware gangs have joined ongoing exploitation of the SAP NetWeaver vulnerability, increasing the risk to enterprises running unpatched systems.
  • Malicious npm Package with Advanced Evasion

    • A malicious npm package, “os-info-checker-es6,” was discovered using Unicode steganography to hide malicious code and leveraging Google Calendar as a command-and-control dropper. This represents an evolution in open-source supply chain attack techniques.
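The detection side of the npm item above, as an added example that is not code from the page, from the package in question, or from any npm tooling: a Python scanner that flags JavaScript source carrying runs of invisible Unicode code points (zero-width characters, bidi controls, variation selectors, tag characters), which is the general class of character that Unicode steganography in source files relies on. The exact code points used by "os-info-checker-es6" are not stated on the page; the ranges, the run threshold, and the sample files are assumptions constructed here. The scanner only locates and counts invisible characters; it does not attempt to decode anything.

```python
"""Flag JavaScript source that hides content in invisible Unicode code points.

Added example for supply-chain review; assumptions are marked inline.
"""
import unicodedata

# Assumed ranges: code points that render as nothing in a normal editor and
# have no reason to appear in plain JavaScript source outside string literals.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embedding controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM when not at offset 0)
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17-VS256
)

# Assumed threshold: a single VS16 after an emoji is ordinary text, but a run
# of many consecutive invisible code points has no legitimate rendering purpose.
RUN_THRESHOLD = 8


def _is_invisible(cp: int) -> bool:
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible(source: str):
    """Return (line, column, codepoint, unicode_name) for each invisible code point.

    A BOM as the very first character is a normal file signature and is skipped.
    """
    hits = []
    line, col = 1, 0
    for idx, ch in enumerate(source):
        if ch == "\n":
            line, col = line + 1, 0
            continue
        col += 1
        cp = ord(ch)
        if idx == 0 and cp == 0xFEFF:
            continue
        if _is_invisible(cp):
            hits.append((line, col, cp, unicodedata.name(ch, "<unnamed>")))
    return hits


def longest_invisible_run(source: str) -> int:
    """Length of the longest sequence of adjacent invisible code points."""
    best = run = 0
    for ch in source:
        if _is_invisible(ord(ch)):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def assess(source: str, run_threshold: int = RUN_THRESHOLD) -> dict:
    """Summarise a file: total invisible code points, longest run, and a verdict."""
    hits = find_invisible(source)
    run = longest_invisible_run(source)
    return {
        "total": len(hits),
        "longest_run": run,
        "suspicious": run >= run_threshold,
        "first_hit": hits[0] if hits else None,
    }


# Constructed samples (not the real package's contents).
CLEAN_JS = 'const os = require("os");\nconsole.log(os.platform());\n'
# Legitimate use: a heart emoji followed by VS16 to request emoji presentation.
EMOJI_JS = 'console.log("\u2764\ufe0f");\n'
# Tainted: a string literal padded with 24 variation selectors, which most
# editors display as an empty-looking literal. Nothing meaningful is encoded.
TAINTED_JS = (
    'const os = require("os");\n'
    'const marker = "' + "".join(chr(0xE0100 + i) for i in range(24)) + '";\n'
    'console.log(os.platform());\n'
)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_JS), ("emoji", EMOJI_JS), ("tainted", TAINTED_JS)):
        print(name, assess(src))
```

In a pre-install review the same `assess` call can be run over every `.js`, `.mjs`, and `.cjs` file under `node_modules` (or over a package tarball before it is installed), treating any file whose longest run meets the threshold as needing manual inspection. Counting runs rather than individual characters is what keeps ordinary emoji text from being reported.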

Trends, Tools, and Tactics of Interest

  • Industrial Automation Threat Trends

    • Kaspersky ICS CERT reported an increase in targeted attacks against industrial automation systems in Q1 2025, with a focus on OT network vulnerabilities and continued lag in critical infrastructure security.
  • Ransomware Evolution

    • Ransomware actors are increasingly exploiting legitimate IT tools and weaknesses in backup and business continuity/disaster recovery (BCDR) systems, underscoring the need for robust, regularly tested recovery capabilities.
  • New Tool: Tor Oniux

    • Tor released Oniux, a command-line utility enabling any Linux application to route traffic through the Tor network, enhancing anonymization options for users and potentially threat actors.
  • Zero-Day Exploits at Pwn2Own

    • Security researchers demonstrated successful zero-day exploits against Windows 11, Red Hat Linux, Docker Desktop, and Oracle VirtualBox at Pwn2Own Berlin 2025, earning $260,000 in awards and highlighting the ongoing risks from undisclosed vulnerabilities in widely used platforms.
  • Increased SonicWall CVE-2021-20016 Scanning

    • There has been a tenfold increase in scanning activity for SonicWall vulnerabilities, particularly CVE-2021-20016, over the past two weeks.

Regulatory or Policy Developments

  • Meta Faces Legal Threat Over EU AI Data Use

    • Austrian privacy group noyb has issued Meta a cease-and-desist letter, threatening a class action lawsuit if Meta proceeds with plans to train AI models on EU user data without explicit consent, raising significant data privacy and regulatory concerns.
  • Google Chrome Security Policy Update

    • Google is implementing a policy to block Chrome from running with admin privileges on Windows, aiming to reduce the attack surface for privilege escalation and improve browser security.
  • Telegram Purges Crypto-Scam Networks

    • Telegram banned thousands of accounts involved in crypto-scam money laundering, including the shutdown of Haowang Guarantee, the internet’s largest black market for illicit transactions, following media investigation and pressure. This marks a significant disruption to cybercriminal infrastructure.