Major Incidents or Breaches

  • Chinese Threat Actor Activity:

    • Chinese-speaking group UAT-6382 exploited a now-patched remote code execution vulnerability in Trimble Cityworks to breach multiple US local government networks, deploying Cobalt Strike and VShell.
    • Chinese nexus actors exploited recently patched Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities to target government agencies and enterprises across Europe, North America, and Asia.
  • Phishing Campaign Targeting International Students:

    • The FBI reported an ongoing phishing campaign specifically targeting Middle Eastern students studying in the US, aiming to steal personal and financial information.
  • Database Exposure:

    • An unsecured, unencrypted database exposing 184 million login credentials, including those for Apple, Google, Meta and various government services, was discovered by a security researcher and subsequently taken offline by its hosting provider.
  • Cryptocurrency Theft via Fake Apps:

    • Cybercriminals are distributing fake Ledger Live apps for macOS that prompt users for their 24-word recovery (seed) phrase; with the phrase, the attackers can restore the wallet elsewhere and drain its assets.

Newly Discovered Vulnerabilities

  • GitLab Duo AI Prompt Injection:

    • Researchers identified an indirect prompt injection vulnerability in GitLab's AI assistant, Duo: instructions hidden in content Duo processes (merge request descriptions, commit messages, issues and source code comments) could make it leak private source code or render attacker-controlled HTML and links in its responses.
  • Windows Server 2025 Active Directory Flaw:

    • A privilege escalation vulnerability in Windows Server 2025 Active Directory was demonstrated: an attacker who can create delegated Managed Service Account (dMSA) objects in any organisational unit can abuse the dMSA migration mechanism to inherit the privileges of any user, including Domain Admins. The weakness is in the new dMSA feature, so domains with at least one Windows Server 2025 domain controller are affected.
  • Versa Concerto Critical Flaws:

    • Multiple critical vulnerabilities, unpatched at the time of reporting, in Versa Concerto's network security and SD-WAN orchestration platform could be chained to bypass authentication, achieve remote code execution and compromise the underlying host.
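The dMSA issue above is exploitable by any principal that holds CreateChild on an OU or container (a right that is easy to delegate and rarely audited). The following PowerShell audit is an added example, not part of the original report and not the researchers' own tooling: it enumerates every OU and container, reads its ACL, and lists non-default principals granted CreateChild either for all child objects or specifically for the msDS-DelegatedManagedServiceAccount class. The class GUID is resolved from the schema rather than hardcoded. It assumes the ActiveDirectory RSAT module and read access to the domain and schema partitions; the list of expected principals is an assumption and should be adjusted to your environment.

```powershell
# Added example: audit CreateChild grants that would allow dMSA creation.
# Not from the page or from the original researchers; assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Get-DmsaCreateChildGrants {
    [CmdletBinding()]
    param(
        # Principals expected to hold these rights by default (assumption: adjust per domain).
        [string[]]$ExpectedPrincipals = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Admins",
            "$env:USERDOMAIN\Enterprise Admins"
        )
    )

    # Resolve the schemaIDGUID of the dMSA object class from the schema partition.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $dmsaClass = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID
    if (-not $dmsaClass) {
        throw 'dMSA class not found in schema: this forest has no Windows Server 2025 schema and is not exposed to this issue.'
    }
    $dmsaGuid = [guid]$dmsaClass.schemaIDGUID

    # Both OUs and containers (e.g. CN=Users, CN=Computers) can hold dMSA objects.
    $parents = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

    foreach ($parent in $parents) {
        $acl = Get-Acl -Path "AD:\$($parent.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # GenericAll already includes CreateChild in the rights bitmask.
            $hasCreateChild = ($ace.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0
            if (-not $hasCreateChild) { continue }

            # An empty ObjectType means the right applies to every child object class;
            # otherwise only a grant scoped to the dMSA class matters here.
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }

            $identity = $ace.IdentityReference.Value
            if ($ExpectedPrincipals -contains $identity) { continue }

            [pscustomobject]@{
                Container = $parent.DistinguishedName
                Principal = $identity
                Rights    = $ace.ActiveDirectoryRights
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'All child classes' } else { 'dMSA class only' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-DmsaCreateChildGrants | Sort-Object Container, Principal | Format-Table -AutoSize
```

Every row returned is a principal that could create a dMSA in that container and so should be treated as a path to domain compromise until the grant is justified or removed. The check does not cover principals holding WriteDACL or WriteOwner on a container, which can grant themselves CreateChild; extend the rights filter if you want those too.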

Notable Threat Actor Activity

  • Ransomware and Information Stealer Disruptions:

    • Law enforcement agencies (FBI, Europol and others, working with Microsoft) disrupted the Lumma Stealer malware network by seizing its command-and-control domains; the operation has been linked to over 10 million infections.
    • Operation Endgame resulted in the takedown of 300 servers and 650 domains used by the initial-access malware that feeds ransomware operations.
    • 270 dark web vendors and buyers were arrested during Operation RapTor, targeting illicit online marketplaces.
    • US authorities indicted Rustam Rafailevich Gallyamov, leader of the Qakbot botnet, and 16 Russians linked to DanaBot malware operations, which supported ransomware and espionage campaigns.

Trends, Tools, or Tactics of Interest

  • Cloud and SaaS Targeting:

    • CISA warned that unauthorised activity Commvault observed against its Microsoft 365 backup SaaS hosted in Microsoft Azure may be part of a broader campaign against SaaS providers' cloud applications, exploiting exposed application secrets and default configurations with elevated permissions.
  • Identity Security Automation Gaps:

    • Research highlights significant automation shortcomings in identity security, with many organisations relying on manual processes that introduce risk.
  • AI Security:

    • The exploitation of AI-powered assistants (e.g., GitLab Duo) via prompt injection underscores emerging risks in integrating AI tools into development pipelines.
  • Privacy Controls:

    • Signal enabled a "Screen security" setting by default in its Windows app, using Windows' own screen-capture protection for its window to block Microsoft Recall (and other screenshot tools) from capturing user conversations, reflecting growing privacy concerns around AI-powered desktop features.

Regulatory or Policy Developments

  • FTC Order for GoDaddy:

    • The US Federal Trade Commission finalised an order requiring GoDaddy to implement enhanced security measures for its hosting services, following multiple data breaches.

No significant aviation-related cybersecurity developments were identified in today’s reporting.