Major Incidents or Breaches

  • Cellcom Cyberattack: Wisconsin-based mobile carrier Cellcom confirmed a cyberattack caused widespread service outages beginning 14 May 2025.
  • SK Telecom Data Breach: SK Telecom disclosed a malware breach lasting three years (since 2022), exposing USIM data of 27 million subscribers.
  • RVTools Supply Chain Attack: The official website for RVTools, a VMware management utility, was compromised in a supply chain attack. Trojanized installers delivered the Bumblebee malware loader.
  • PowerSchool Extortion: A 19-year-old has pleaded guilty to a cyberattack on PowerSchool, involving extortion and exposure of student data.
  • KrebsOnSecurity DDoS Attack: KrebsOnSecurity experienced a near-record DDoS attack peaking at 6.3 Tbps.

Newly Discovered Vulnerabilities

  • WordPress ‘Motors’ Theme: A critical privilege escalation vulnerability allows unauthenticated attackers to take over admin accounts on sites using the premium Motors theme.
  • Virgin Media O2 Location Leak: A security flaw in Virgin Media O2’s mobile network could allow attackers to pinpoint call recipient locations within 100 square meters.
  • AWS Default IAM Roles: Researchers identified risky default IAM roles in AWS that can enable lateral movement and cross-service exploitation if misconfigured.

Notable Threat Actor Activity

  • Hazy Hawk: This group has been actively hijacking abandoned cloud resources (e.g., S3 buckets, Azure endpoints) via DNS misconfigurations and CNAME hijacking, targeting high-profile organizations including the US CDC, to deliver malware and conduct scams.
  • Scattered Spider: The group continues to target large retailers, shifting focus from UK to US organizations, leveraging IT help desk social engineering for initial access.
  • SideWinder APT: Targeted ministries in Sri Lanka, Bangladesh, and Pakistan using spear phishing, exploiting old Microsoft Office vulnerabilities, and deploying custom malware.
  • UnsolicitedBooker (China-aligned): Deployed the new MarsSnake backdoor in a multi-year campaign against a Saudi Arabian organization.
  • RedisRaider: A new Go-based cryptojacking campaign targets publicly accessible Redis servers to deploy XMRig miners.
  • VanHelsing Ransomware: The ransomware builder, affiliate panel, and data leak blog source code were leaked online, increasing the risk of further ransomware proliferation.
  • Fake Chrome Extensions: Over 100 malicious Chrome extensions have been discovered since February 2024, used to hijack browser sessions, steal credentials, and inject ads.
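As an added illustration (not part of this digest) of the defender-side check the Hazy Hawk CNAME hijacking item calls for: the script below flags CNAME records whose targets no longer resolve, rating those that point into shared hosting services as the higher-risk case. The zone records, the offline resolver answers and the list of takeover-prone suffixes are all constructed for the example.

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed zone export for a hypothetical organisation (not real records).
ZONE_RECORDS: List[Tuple[str, str, str]] = [
    ("www.example.org", "CNAME", "example-site.s3-website-us-east-1.amazonaws.com"),
    ("assets.example.org", "CNAME", "old-assets.azurewebsites.net."),
    ("api.example.org", "CNAME", "api-prod.example.org"),
    ("blog.example.org", "CNAME", "ghs.googlehosted.com"),
    ("mail.example.org", "A", "203.0.113.10"),
]

# Constructed resolver answers standing in for live DNS (target -> has address records?);
# old-assets.azurewebsites.net models an app deleted while its CNAME was left behind.
FAKE_DNS = {
    "example-site.s3-website-us-east-1.amazonaws.com": True,
    "old-assets.azurewebsites.net": False,
    "api-prod.example.org": True,
    "ghs.googlehosted.com": True,
}

# Hypothetical, non-exhaustive suffixes of hosting services where an unclaimed name can be
# registered by any tenant; a dangling CNAME into one of these is the higher-risk case.
TAKEOVER_PRONE_SUFFIXES = (".amazonaws.com", ".azurewebsites.net", ".cloudapp.azure.com",
                           ".github.io", ".herokuapp.com", ".trafficmanager.net")

def fake_resolves(target: str) -> bool:
    """Offline stand-in for a resolver; names absent from FAKE_DNS count as NXDOMAIN."""
    return FAKE_DNS.get(target, False)

def live_resolves(target: str) -> bool:
    """Real resolver for use outside this demo: True if the target has any address record."""
    try:
        socket.getaddrinfo(target, None)
        return True
    except socket.gaierror:
        return False

def find_dangling_cnames(records: Iterable[Tuple[str, str, str]], resolves: Callable[[str], bool]) -> List[dict]:
    """Return CNAME records whose target no longer resolves, rated by takeover exposure."""
    findings = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        target = target.rstrip(".").lower()  # normalise trailing dot and case before lookup
        if resolves(target):
            continue
        third_party = any(target.endswith(s) for s in TAKEOVER_PRONE_SUFFIXES)
        findings.append({"name": name, "target": target, "severity": "high" if third_party else "medium"})
    return findings
```

Swap `fake_resolves` for `live_resolves` to run the same check against a real zone export; a "high" finding is a name that should be removed from DNS or re-pointed before anyone else can claim its target.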

Trends, Tools, and Tactics

  • Service Desk Social Engineering: Attackers are increasingly targeting IT service desks with social engineering to bypass security controls (e.g., password resets, disabling MFA).
  • Novel Phishing Techniques: Recent phishing campaigns combine AES encryption with malicious npm packages to evade detection.
  • Supply Chain Threats: The RVTools incident highlights ongoing risks in software supply chains, with attackers distributing malware via compromised legitimate utilities.
  • Rise in Asia-based APTs: China- and North Korea-aligned groups now account for over half of global APT attacks, with an expanding international focus.
  • Exposure Management Enhancements: Tenable has added third-party connectors (AWS, Microsoft, competitors) to its platform for improved attack surface visibility.
  • Security Key Solutions: Yubico has expanded its YubiKey-as-a-Service globally, supporting hardware-based authentication in 175 countries.
  • AI Security Impacts: Increased adoption of AI agents is driving both new security opportunities and challenges, with most security leaders anticipating compliance and threat management implications.

Regulatory or Policy Developments

  • Genetic Data Privacy Concerns: Regeneron’s planned acquisition of 23andMe raises privacy concerns due to the lack of comprehensive federal regulation on genetic information transfers.